A lack of standards and increasingly aggressive attackers will pose some challenges to electric utilities trying to monitor and secure smart grids, according to a recent report.
Critical infrastructure operators are monitoring and managing automated systems and grids that are becoming more complex, according to a report released Jan. 4 from Pike Research. IT teams looking for more efficient ways to monitor, manage and protect their infrastructure are relying on new technology and tools to integrate security, compliance and change-management processes, the report found.
Many utilities had built out their smart grids and supporting infrastructure over the years without a coherent master plan, according to Pike analysts. The report defined smart grids as infrastructure, such as smart meters and specialized systems, that electric utilities operate and manage in order to be more efficient. These environments tend to contain heterogeneous systems that often can't communicate with each other and are difficult to manage. The exponential growth of intelligent devices on the network further adds to the challenge, according to the report.
"However, it is rare that the entire automation system was developed based on a single architecture or framework that identifies the applicable policies to protect, monitor and manage the system," the analysts wrote.
Along with the management challenges that result from not knowing what components have been deployed and from monitoring incompatible systems, these systems are vulnerable to cyber-attackers who systematically probe the control network to find a weak spot, analysts said. While Stuxnet and Night Dragon had specific targets, most cyber-attacks against control systems have been sweeping in nature, looking for or exploiting a fault that may exist in many installations, according to the report.
Industrial control systems professionals are beginning to realize that there are overlaps in the processes, data and technology being used by the security, compliance and operations teams, which can be combined to simplify the environment and improve efficiency, according to Bob Lockhart, a senior analyst at Pike Research and principal author of the report.
While there are new tools that allow administrators to gain real-time visibility into their industrial control systems, that visibility is not enough to secure them. Those same products introduce new "operating systems, applications and hardware that have vulnerabilities" into the environment, and can be attacked in ways the original systems could not, the report found. Administrators need to manage and secure these control systems the same way other IT systems are managed on the enterprise network.
"Control system security requires an understanding of the data being transported through the infrastructure," according to the report.
Security is not the same thing as compliance, although compliance functions are often a subset of security functions with reporting capabilities, analysts said.
Depending on the utility's geographic location and industry, there may be regulatory requirements to comply with, such as Sarbanes-Oxley, Payment Card Industry data security standards and North American Electric Reliability Corporation's Critical Infrastructure Protection. Nearly all the regulations compel companies to collect a large amount of data from each of the automation systems, which, for example, requires utilities to invest in event-collection systems, according to the report.