Lessons learned from IEEE ISGT 2015 @ Washington, DC
The internet age has made the world a smaller place. You can communicate with anyone in the world at any time, and communicate with the smart things that your home or office has. But are they secure enough? Or are they going to leak your data to the world? Would you feel safe if you knew that your data is not your data anymore? It feels much safer to blog here, given that I am already going to show it to the world, than to type a confidential document and worry about its security on my web server.
With the increase in cyber threats and cyber attacks, the field of cyber-security is gaining tremendous importance. A couple of years ago, installing a home security system was all about securing your home and nothing more. But today you need security for your home security system. Evading cyber attacks is getting tougher by the day, since attackers are developing more sophisticated methods to carry out their attacks. Whatever the case, your security tools are not secure enough for the long term.
OK, so why am I talking about cyber-security with a title like this? Because cyber-security in the Smart Grid was one of the primary discussion areas @ ISGT 2015. I was new to the whole Smart Grid area a year ago, when I attended my first ISGT 2014 @ DC. A year of working in smart-grid-related research has helped me understand the basics of it. I am working on my thesis on Building Energy Management Systems (BEMS). It is only appropriate to consider fixing any security holes that BEMS possibly has. This got me interested in what I need to address so that BEMS, when integrated with the grid for Demand Response events, remains secure and provides secure communication.
So what did I learn at the conference this year?
Today, with the kind of power systems infrastructure that is around us, communication with the power grid has to be two-way. This makes the system more reliable and efficient, and gives the consumer more control over his electricity demands. A self-healing, resilient system needs to be in place to manage outages and quickly resume power in case of a disaster. With Advanced Metering Infrastructure (AMI) there is an attempt to integrate the system based on the development of open standards. Visualization technologies today allow load monitoring and load-growth planning. While this happens at the utility level, there is still a need to collect information from a variety of sources and display different information to different sets of people. Multi-agent systems can be employed to detect faults and make the smart grid a self-healing system. The smart grid system is the integration of today’s power grid with distributed computing and communications to deliver real-time information and enable the quick balance of supply and demand. More importantly, the smart grid aims at a ‘greener’ infrastructure, slowing the pace of global climate change.
Smart grids have a long way to go before we can make them part of our daily lives. When a system is hosted on the web, it becomes vulnerable to several threats. Our challenge with BEMS today is security. Is it secure enough? What other vulnerabilities still exist? Can we trust the machine that BEMS is running on? I am talking in terms of BEMS, but this applies to the Smart Grid as well. As of today, the Smart Grid hardware is still maturing. The related software tools are lacking cyber security consideration. And vendors who supply tools and technologies for the smart grid are reluctant to step forward to implement cyber security measures. But there is a reason why vendors are reluctant – ‘cost’! It is not simple to implement security measures – it requires detailed planning and hiring new and capable resources to implement these security measures confidentially.
All systems related to the Smart Grid should have centralized logging implemented to monitor traffic in and out of the system. Intrusion detection systems should be configured and monitored constantly for any intrusion. Direct inbound connections from unauthorized users should be prevented. The BEMS and other related systems should be set up behind a firewall. Security is the one implementation that is not written once and forgotten. It has to be constantly updated. Computers are becoming faster, which gives attackers more leverage to do any kind of attack, and they are coming up with novel attacks every day. Companies should begin to follow ‘secure by design’ techniques instead of building the system first and then adding security to it. Adding security as an afterthought is hardly going to help in today’s world of cybercrime. Annual vulnerability assessment assumes high priority today.
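The logging and inbound-connection recommendations above, as an added example that is not from the conference talks or the original post: a Python check over centralized connection-log lines that flags direct inbound connections to a BEMS host from sources outside an allowlist. The log format, the host address and the allowlisted networks are constructed assumptions.

```python
import ipaddress

# Assumptions (constructed for this example): the BEMS host address, the
# networks allowed to connect to it, and the log line format
# "<ISO time> <src_ip>:<port> -> <dst_ip>:<port> <ACCEPT|DROP>".
BEMS_HOST = ipaddress.ip_address("10.20.0.5")
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),   # building control VLAN
    ipaddress.ip_network("10.99.1.10/32"),  # utility demand-response gateway
]

SAMPLE_LOG = """\
2015-02-18T09:00:01Z 10.20.0.17:51514 -> 10.20.0.5:443 ACCEPT
2015-02-18T09:00:07Z 10.99.1.10:40022 -> 10.20.0.5:443 ACCEPT
2015-02-18T09:01:13Z 203.0.113.44:60211 -> 10.20.0.5:443 ACCEPT
2015-02-18T09:01:15Z 198.51.100.9:33870 -> 10.20.0.5:22 DROP
2015-02-18T09:02:40Z 10.20.0.5:49152 -> 10.99.1.10:8443 ACCEPT
this line is malformed and must not crash the check
"""

def parse_line(line):
    """Return (time, src_ip, dst_ip, dst_port, action), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        src_ip, _ = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return (parts[0], ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dst_port), parts[4])
    except ValueError:
        return None

def unauthorized_inbound(log_text):
    """Return (findings, malformed_count) for inbound traffic to the BEMS host."""
    findings, malformed = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            malformed += 1  # count unparsable lines instead of hiding them
            continue
        time, src, dst, port, action = rec
        # Skip outbound/unrelated traffic and allowlisted sources.
        if dst != BEMS_HOST or any(src in net for net in ALLOWED_SOURCES):
            continue
        # ACCEPT means the firewall let it through; DROP is a blocked probe.
        severity = "policy-gap" if action == "ACCEPT" else "blocked-probe"
        findings.append((time, str(src), port, severity))
    return findings, malformed
```

A "policy-gap" finding means the firewall rule set and the allowlist disagree, which is the case to fix first; the malformed count is returned so that log lines the parser cannot read are noticed rather than silently skipped.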
Security is important at many levels – Infrastructure Security (IDS, Firewalls), Energy Management Systems, Application Security (Data Validation, Model-based Anomaly Detection and Prevention). Data integrity is of prime importance in such mission-critical applications. If such an application is hacked at any level, the attacker can make his way into the core of the system and eventually power off the grid. These kinds of issues are anticipated as part of the grid development, although individual BEMS-type systems are still lacking proper security. Recent attacks on the Tridium Niagara Framework show how vulnerable a building energy management system can be to cyber attacks. It is important to anticipate problems and come up with mitigation strategies.
One of the speakers spoke about risk modeling using a game-theoretic approach to identifying cyber threats. While vulnerabilities are usually given importance, threats are usually ignored and dealt with as afterthoughts. The game-theoretic risk modeling approach makes sure threats are included in the design itself.
One big learning from this conference for me as a Computer Engineering graduate is how security plays an important role in any web tool that is being used today. Secure by design is becoming the norm of the day in today’s businesses. While computers are getting faster every year, attackers are too. They are developing novel methods to break the systems. So all the web tool developers out there – learn to design a secure product. 🙂