The vulnerabilities posed by the smart grid require CIOs to rethink their teams, models and security systems.
Fund your security program and give these people more financial power. Security should be 15 to 20 percent of your IT budget every year. If you haven't seen an equipment upgrade or product requisition in a few years, something is wrong. Rarely have we seen an adequately funded security team. In many cases such teams have an independent personnel budget, but must requisition equipment via an IT or networking group. This may work well in some cases and even help foster better relationships through those teams. However, even then, you should give your security team a minimum of “line-item” control and decision-making capability to ensure the technologies they deem the best are applied to your environment.
Yesterday's technology--firewalls, intrusion prevention systems, DMZ/perimeter networks, antivirus software--needs help. Antivirus programs are necessary, but don't rely completely on them. If you think updated definitions protect you, look up “shikata ga nai” or “payload encoding” to see how signature-based protections can be bypassed. Many IT solutions, although they are good ideas, will not work properly in a controlled-system environment. This primarily happens because some IT technologies cannot understand the protocols and/or the rule sets, and functions were not designed with resiliency and availability as the most important function. The "help" is your people: Talented, security-minded people are your best defense. (Are you sensing a theme here?) The attack mentioned above leverages a weakness incorporated by the vendor; however, it can be mitigated by blocking and/or closely monitoring access to sensitive devices such as routers.
No Silver Bullets
No product or service you buy is a silver bullet—and some salespeople and companies will say anything to get a sale. I have seen a few data-loss prevention solutions that are easily bypassed using WinZip software or even the formatting capabilities in standard programs. Test the claims a vendor makes to see whether you can exfiltrate data unnoticed from behind the vendor’s device. And finally, build a testing cycle into any product or service purchase that allows for validation of its marketing material.
Test your environment with real scenarios. Don't prescribe the environment to the testing entity, whether you hired an outside firm or have developed an internal penetration-testing or red team. Additionally, make sure you understand the differences between vulnerability assessments, penetration testing and red teaming. Each type of tests has a place, depending on the types of systems you are testing. For example, while red teaming gives you the best perspective on a real-world attack, you may not want to attempt this in a production environment. Make it as real as possible, or you will not know where you actually stand and could be lulled into a false sense of security. When you get your report, implement the recommendations. If there are no recommendations for the discovered vulnerabilities, you’ve hired the wrong people. If you received only the report or a tool output from a test, you’ve also hired the wrong people.
In the case of the smart grid, with great opportunity comes great responsibility. The rewards of managing industrial or building energy costs stand to be substantial, particularly when paired with a security team and system that’s appropriate for the new model a smart grid introduces.
About the Authors
Erich Gunther is an IEEE Smart Grid technical expert and CTO, EnerNex. Slade Griffin is director of energy systems security, EnerNex.