By Slade Griffin and Erich Gunther
The ability to manage your own energy destiny is one of the great opportunities of the digitized and interactive smart grid—the place where energy, communications and IT unite. This unprecedented opportunity to receive and respond to energy information will, however, be available not just to industry, but also to every consumer. Such unparalleled access also presents vulnerabilities that require the enterprise to rethink its teams, models and security systems.
Over the past year and a half there has been much talk about critical infrastructure being vulnerable to hackers. Not a month goes by now without a breach of a major online service provider, a security company or even the once “safe” control systems. Industrial control, building management and utility energy management systems are now more exposed than before, because new technologies are being deployed to enable remote communication with previously isolated equipment. In addition, security researchers have increased their focus on the smart grid and its equipment, and are making its vulnerabilities known.
Some vulnerabilities, for example, are announced through alerts by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and are intended to increase awareness among critical infrastructure owners and operators. A potential attacker could monitor the ICS-CERT alerts and use a search engine to locate a vulnerable target. The amount of information publicly available to an attacker could enable him or her to read about a vulnerability, locate the necessary details to exploit the flaw, and find a target on the Internet without ever running a traditional scanning tool.
We tested this scenario recently when ICS-CERT issued advisory 12-146-01 about weak password cryptology that exposed a vulnerability in network equipment used for traffic control systems, railroad communications, power plants, electric substations and military sites. Our test team was able to read the advisory, locate on the Internet a script that exercised the flaw, and find several vulnerable devices on the Internet using a simple search string. The amount of time from learning of the vulnerability to being able to exploit a vulnerable platform? Less than 10 minutes. With the script and search now automated, we can repeat this in less than 2 minutes. That’s how easily some attacks can be executed.
“How does this happen?” CIOs everywhere often ask. There isn’t a simple answer. Layers of complexity in each environment dictate the correct way to defend your data and other assets. Yet there are some common threads that could help you bolster your defenses regardless of what you’re defending.
Take a close look at your corporate IT, building services and security teams. The addition of a bidirectional energy system linking corporate IT and building infrastructure management may require hiring a security professional who can bridge the new connection in a secure way. Hire the right people: people who are constantly seeking to learn, and who understand that what made you secure yesterday may create a vulnerability tomorrow. These employees can be your most valuable asset. A project manager or policy maker should not be making technical decisions that he or she does not understand, and a technical person who cannot manage a program or personnel should not be tasked with those duties either. To properly staff these positions, it may be necessary to train a leader, cross-train personnel, or both, as you develop them. In addition, a new system of collaboration between the different areas must be instituted. In smart grid and control systems, a seasoned operator or engineer who understands the function of the equipment and the real-world impact of adverse events is a valuable member of any security team.