Situation Overview

The biggest threat today to the
transmission and distribution
(T&D) business’ cybersecurity
is not necessarily a virus, worm or terrorist.
While these can all be significant
threats, the culprit is often the company
itself. Particularly as utilities open more
doors to their network automation
and control systems – such as by deploying
more intelligent devices – they can
make themselves more vulnerable to any
cybersecurity threat. Although utilities
can mitigate vulnerabilities, these actions
come at an additional cost.

This paper examines recent developments
in cybersecurity for network
automation and control systems. First,
we review how recent cost-cutting
initiatives and new technologies are
creating cybersecurity problems. We
then look at how the North American
Electric Reliability Corporation’s (NERC)
new cybersecurity standards, CIP 002-009,
may help utilities address these
problems but also create additional
costs. Lastly, the report discusses how
utilities can cost-effectively strengthen
their cybersecurity.

Figure 1: Cost-Cutting Efforts and New Technologies That Open More Doors to the Network

More Cybersecurity Problems

Today most energy delivery businesses
have moved beyond worrying about
specific cyberattacks, which could be
launched by almost anyone from “kids in
a basement” to a company insider. Instead
many are now concerned about how
cost-cutting efforts and the introduction
of new technologies could increase their
vulnerability to any attack, no matter
where it originates. There are two key
corporate efforts that can raise significant
cybersecurity issues:

  • Obtaining greater real-time visibility of
    and access to remote assets; and
  • Implementing more open, standardized
    real-time systems.

Greater Visibility and More Access Points

From intelligent grid initiatives for better
visualizing and reacting to real-time
events to cost-cutting efforts, utilities continue
to open more doors to their control
networks (see Figure 1).

Specific efforts that could create cybersecurity
problems include:

  • More points of access to the grid: Many
    utilities are using more intelligent electronic
    devices (IEDs), smart meters and
    sensors to connect with the field better
    – an important part of a fast-reacting
    intelligent network. Furthermore, utilities
    are allowing more remote access
    to their delivery system networks by
    telecommuters and third-party contractors.
    These efforts don’t just open more
    connections to the system; they also let in
    remote parties that may not have sufficient
    cybersecurity systems of their
    own in place.
  • More standard communication networks:
    Although IP-enabled SCADA and
    wireless networks offer many benefits,
    they also create problems. On the positive
    side, an IP-enabled SCADA system
    provides a low-cost alternative to a proprietary
    SCADA system. It also allows
    for better deployment of intelligent grid
    technologies through easier integration.
    Intelligent grid efforts are also pushing
    utilities to use more wireless communications
    (e.g., WiFi, WiMAX and GPRS).
    The problem with these communications
    methods is that they spread out
    standard communication channels into
    the service area, creating more ways
    for cyberthreats to enter the system.
  • More integration with corporate networks:
    To support data-sharing and
    decision support and, in some cases,
    to reduce costs, more utilities are integrating
    their control networks with the
    corporate network. This is troublesome
    because it allows even more traffic on
    and accessibility to the corporate network,
    which means a greater possibility
    of cyberthreats entering the network
    automation and control system.
  • Greater reliance on commonly used
    platforms: It is becoming increasingly
    difficult for IT departments to find
    professionals competent on platforms
    such as Unix, the traditional operating
    system for network automation and
    control systems. These platforms have
    substantially longer learning curves and
    require a costlier workforce. As a result,
    many utilities are turning to more commonplace
    platforms instead. Standardizing
    on platforms such as Microsoft
    Windows offers many benefits, but such
    platforms are also common targets for
    cyberattacks.
  • Vendors have not made cybersecurity
    a top priority: Today many utilities rely
    on standardized commercial applications
    rather than pay for expensive
    customized systems. This creates
    vulnerabilities because many network
    automation and control vendors have
    not built adequate cybersecurity measures
    to protect those applications and
    attackers can readily obtain information
    about how to crack them.

New Regulations Will Now Force Utilities to Take Action

Although the initiatives discussed above
create cybersecurity problems, utilities
can address them by implementing some
additional procedures. Aside from the
direct operational benefits that come
from greater cybersecurity, today’s utilities
have an even stronger incentive to
take action. NERC and the Federal Energy
Regulatory Commission (FERC) released
the Critical Infrastructure Protection (CIP)
standards for cybersecurity, which went
into effect on June 1, 2006. Because most
utilities are familiar with CIP 002-009, this
paper focuses on a few key problems these
standards will likely create for utilities.

Defining and Interpreting a Critical Cyber Asset

Today’s CIP standards provide a more
detailed critical cyber asset (CCA) definition
than previous versions. The standards
require utilities first to define their critical
assets and then to identify CCAs that are
essential to their function (see Figure 2).
However, according to the NERC, CCAs
can now also include any cyber asset that
“uses a routable protocol to communicate
outside the electronic security perimeter;
or … uses a routable protocol within a
control center; or … is dial-up accessible.”
For example, modems that contractors
use to access the network automation and
control system connected to an otherwise
noncritical cyber asset could now qualify
as a CCA. This brings us to another problem
with the new CCA definition. Although
the definition is now more specific, there
are still varying interpretations of its
meaning. For example, although one utility
recently identified 300 CCAs, another
comparably sized utility found approximately
three times as many.

This more detailed CCA definition opens
up the possibility that a cyber asset not
essential for a critical asset to function
will be subject to these regulations, simply
because it has a routable protocol or
dial-up modem. As discussed earlier, more
and more utilities are implementing IP-enabled
technologies, such as IP-enabled
SCADA. Therefore, more of those assets
may be subject to the regulations, which
wouldn’t be the case if utilities went with
older technologies. Furthermore, even
some older technologies, such as dial-up
modems, may now count as CCAs.
Ultimately, more assets subjected to
these standards means more effort and
cost for utilities to secure those assets.
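
The scoping effect described above can be worked through on a small inventory. This is an added example, not code from the paper or from NERC: the field names, the constructed inventory and the two readings ("broad", where meeting any quoted criterion is enough, as this paper describes it, and "narrow", a hypothetical alternative where an asset must also be essential) are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CyberAsset:
    name: str
    essential: bool          # judged essential to a critical asset's function
    routable: bool           # speaks a routable protocol (e.g. IP)
    crosses_esp: bool        # communicates outside the electronic security perimeter
    in_control_center: bool
    dial_up: bool

def connectivity_criteria(a):
    """Return which of the three quoted criteria the asset meets."""
    hits = []
    if a.routable and a.crosses_esp:
        hits.append("routable outside ESP")
    if a.routable and a.in_control_center:
        hits.append("routable within control center")
    if a.dial_up:
        hits.append("dial-up accessible")
    return hits

def scope(inventory, reading):
    """Map each in-scope asset name to the reasons it is in scope.
    'broad'  = essential OR any criterion (assumed reading 1)
    'narrow' = essential AND any criterion (assumed reading 2)"""
    if reading not in ("broad", "narrow"):
        raise ValueError(f"unknown reading: {reading}")
    in_scope = {}
    for a in inventory:
        hits = connectivity_criteria(a)
        included = (a.essential or bool(hits)) if reading == "broad" \
            else (a.essential and bool(hits))
        if included:
            in_scope[a.name] = (["essential"] if a.essential else []) + hits
    return in_scope

# Constructed inventory: (name, essential, routable, crosses_esp, in_cc, dial_up)
INVENTORY = [
    CyberAsset("scada-master", True, True, False, True, False),
    CyberAsset("ip-rtu-sub12", True, True, True, False, False),
    CyberAsset("serial-relay-7", True, False, False, False, False),
    CyberAsset("contractor-modem", False, False, False, False, True),
    CyberAsset("historian-replica", False, True, True, False, False),
    CyberAsset("hmi-trainer", False, False, False, False, False),
]

if __name__ == "__main__":
    for reading in ("broad", "narrow"):
        result = scope(INVENTORY, reading)
        print(reading, len(result), result)
```

On this inventory the two readings put five and two assets in scope respectively, which is the kind of spread in CCA counts the paper reports between comparable utilities.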

Future Outlook

Figure 2: Previous CIP Standards vs. Current CIP Standards

Some of the greatest challenges for utilities
stem from the fact that demand for
these cost-cutting and new technology
initiatives is unlikely to go away. As the
need increases for better grid visibility
and improved response times to delivery
system events, utilities will demand even
more intelligent grid technologies – such
as IP-enabled SCADA systems, smart
meters and grid-friendly appliances – that
will allow for more and more access to
delivery assets, i.e., more open networks.

Another challenge on the horizon, as
more and more workers retire, is that utilities
will turn to automation to offset the
loss of staff. We’ll see a greater number
of initiatives such as the use of standardized
applications and more commonly
used platforms and corporate networks as
companies use information technology to
reduce costs and increase efficiency and
also to replace their retiring workforces.

At the same time, the new CIP standards
will continue to evolve, and the
broader NERC reliability standards will
further complicate a utility’s ability to
meet cybersecurity standards. Given the
rapidly changing cybersecurity environment
and the age of the CIP 002-009 standards,
these regulations will likely change.
Moreover, CIP 002-009 is just a piece
of the NERC reliability standards. These
extensive standards cover a broad range
of issues, from resource and demand balancing
to personnel performance, training
and qualifications. These broader regulations
will put a squeeze on the resources
utilities can devote to cybersecurity.

Future Adoption Patterns

Although some utilities have complied
with voluntary cybersecurity standards,
the CIP standards will force many more to
reconsider seriously their cybersecurity
system. As a result, utilities will:

  • Have larger cybersecurity budgets.
    Despite the demands of the broader
    NERC reliability standards, CIP 002-009
    means that many utilities will have to
    step up their cybersecurity efforts – and
    spending – to become compliant.
  • Be more aware of cybersecurity costs
    and risks. Now that utilities must comply
    with regulations and deal with the varying
    interpretations of the CCA definition,
    they will take into greater consideration
    the cybersecurity costs associated
    with new projects. But even as utilities
    expand their budgets, they will not be
    able to afford every single cybersecurity
    measure available for their network
    automation and control systems. Instead
    they’ll take a risk management approach
    that weighs the probability and extent
    of risks – events that would cause
    problems for their network automation
    and control systems. They won’t have
    resources to answer every risk, so they’ll
    prioritize their cybersecurity efforts to
    address the most critical risks (e.g., risks
    that may be unlikely to occur but would
    be catastrophic to the system).
  • Demand more third-party assistance.
    Utilities will need more products and
    services – such as vulnerability assessments
    and security software packages
    – as they improve their cybersecurity.
    They’ll turn not only to cybersecurity
    vendors but also to industry-specific
    vendors to strengthen one another’s
    solutions.

Essential Guidance

Popping in a security software program
or setting up a firewall is not adequate to
protect a utility’s network automation and
control system. And new technologies and
cost-cutting efforts will continue to expose
the network automation and control system
to cyberthreats. Therefore utilities
must weigh their cost-reduction and intelligent
grid initiatives against the need for
greater security.

Utilities should not necessarily avoid
newer technologies or cost reductions out
of cybersecurity fear. They will, however,
need to determine up front what changes
to network automation and control systems
will cost in terms of cybersecurity
compliance. A new, more efficient technology
isn’t really less expensive if it requires
more investment in cybersecurity
measures than an older technology would.
More generally, to protect increasingly
vulnerable network automation and control
systems, utilities need to consider:

  • Ongoing vulnerability assessments.
    Before a utility can secure its network
    automation and control system, it
    needs to understand its system vulnerabilities.
    Determining cybersecurity
    needs requires an initial evaluation;
    then, after developing and implementing
    initial cybersecurity strategies,
    utilities must continue re-evaluating
    their systems.
  • Vigilant monitoring of the network
    automation and control systems.
    Utilities should monitor systems on an
    ongoing basis to establish a baseline
    for normal activities. By knowing its
    baseline, a utility will be better able to
    identify unusual activity.
  • Enterprise effort. With growing connections
    between business units, cybersecurity
    does not just impact network
    automation and control systems. Utilities
    should be working across business
    units to develop a broader, more comprehensive
    approach to cybersecurity
    that addresses both control networks
    and the corporate network itself.
  • Cybersecurity is more than just software.
    Although there are effective
    cybersecurity applications on the market,
    utilities must research additional
    ways of mitigating cyberthreats, from
    knowing their users to improving their
    physical infrastructure.
  • Thinking outside the regulatory box.
    The new CIP standards provide a good
    start for cybersecurity, but they cannot
    adequately address all related issues.
    Utilities should take the time to evaluate
    additional cybersecurity recommendations,
    such as the ISO 17799 Security
    Standard.
  • Effective solutions for today and
    tomorrow. Because many cybersecurity
    measures are narrowly focused, utilities
    should implement solutions that work
    with their existing technologies and can
    also adapt to meet future technological
    needs.
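
One way to apply the "vigilant monitoring" recommendation above is to learn which flows a control network normally carries and flag departures from that baseline. This is an added example, not from the paper: the record format, addresses, thresholds and traffic are constructed, and port 20000 (DNP3) stands in for SCADA polling.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_baseline(records):
    """records: (hour, src, dst, dst_port) tuples from a learning period.
    Returns {flow: (mean, stdev)} of per-hour connection counts."""
    per_hour = defaultdict(lambda: defaultdict(int))
    hours = set()
    for hour, src, dst, port in records:
        per_hour[(src, dst, port)][hour] += 1
        hours.add(hour)
    return {
        flow: (mean(s), pstdev(s))
        for flow, counts in per_hour.items()
        for s in [[counts.get(h, 0) for h in sorted(hours)]]
    }

def unusual(baseline, window, k=3.0, floor=2.0):
    """Compare one hour of records against the baseline.
    Returns a list of (flow, reason) findings."""
    counts = defaultdict(int)
    for _hour, src, dst, port in window:
        counts[(src, dst, port)] += 1
    findings = []
    for flow, n in sorted(counts.items()):
        if flow not in baseline:
            findings.append((flow, "new flow"))
        else:
            mu, sigma = baseline[flow]
            # floor keeps perfectly regular polling (sigma == 0) from alerting on jitter
            if n > mu + max(k * sigma, floor):
                findings.append((flow, "volume spike"))
    for flow in sorted(set(baseline) - set(counts)):
        findings.append((flow, "expected flow missing"))
    return findings

# Constructed traffic: a SCADA master polling two RTUs ten times an hour.
MASTER, RTU_A, RTU_B, CORP = "10.0.0.5", "10.0.1.20", "10.0.1.21", "192.168.50.7"
LEARNING = [(h, MASTER, rtu, 20000)
            for h in range(4) for rtu in (RTU_A, RTU_B) for _ in range(10)]
# Observed hour: normal polling of RTU_A, heavy polling of RTU_B,
# and a corporate-network host reaching RTU_B directly.
OBSERVED = ([(4, MASTER, RTU_A, 20000)] * 10
            + [(4, MASTER, RTU_B, 20000)] * 40
            + [(4, CORP, RTU_B, 20000)])

if __name__ == "__main__":
    for flow, reason in unusual(build_baseline(LEARNING), OBSERVED):
        print(reason, flow)
```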