Ricardo Camacho, Technical Product Marketing Manager and Mark Pitchford, Technical Specialist, LDRA
Cybersecurity represents a dark cloud overshadowing the “smart grid” modernization of the existing electrical grid system that enhances customers' and utilities' ability to monitor, control, and predict energy use. The need for a secure enterprise-level architecture in defending against potentially devastating blackouts is widely acknowledged, but the role played by securely coded devices is easier to ignore and yet vitally important.
A lengthy outage can be devastating. On September 8, 2011, a major power outage lasting 15 hours affected 5 million people, due to a mistake by a technician in shutting down a 500-kV line. The effects were felt over an area spreading from San Diego, Calif., north to Orange County, and east into Arizona, and the economic impact was estimated at between $97 million and $118 million.
Natural and operational failures such as this can be mitigated somewhat by planning and making wise decisions in process and infrastructure improvements. But the connectivity of the smart grid shifts the focus from the defense of the world from the frailties of the grid to the defense of the grid from the hostilities of the world. That is less easily tackled.
The Smart Grid Sunny Day
We are all growing familiar with smart devices -- the “Things” in the “Internet of Things (IoT)”. Increasingly it is possible to remotely control heating systems, washing machines, and even coffee makers via the Internet.
Energy companies have long used differential tariffs to incentivize consumers to use their appliances during times of low energy consumption. But rather than being crudely controlled by means of a timer, a washing machine capable of monitoring a smart grid can “decide” on the optimal time to initiate a wash cycle. Extrapolate the principle of this “monitoring smart device” to an industrial plant and add operation and energy measures such as smart meters, renewable energy resources, energy meters, and grid sensors, and it is easy to visualize potential savings for the consumer.
From the perspective of the energy provider, such a mechanism provides a means to smooth the peaks and troughs of energy consumption, respond to demand based on real-time information, and quickly react to changes.
The net result is a smart, green, efficient, and cost-effective energy grid that benefits all. (See Figure 1) The Electric Power Research Institute estimates that the smart grid could save the average consumer hundreds of dollars per year and create $1.8 trillion additional revenue for the US economy.
Cybersecurity clouds on the horizon
An attack on the Ukrainian power grid took place on December 23, 2015, when hackers were able to successfully compromise the information systems of three energy distribution companies. The attackers temporarily disrupted electricity supply to the end consumers by compromising corporate networks, seizing control of SCADA systems, remotely switching substations off, disrupting IT infrastructure components and data, and denying consumers up-to-date information on the blackout.
Although the benefits of the smart grid are manifold, it exposes many more “attack vectors” (access points) than were present in this Ukrainian example, with corresponding new ways to cause disruption. The misleading manipulation of power demand data, for example, could cause electric utilities to adjust production unnecessarily.
Defense in depth
In understanding how best to address the diverse nature of the vulnerabilities in a smart grid, it is useful to borrow an analogy. In the world of clinical practice, Professor James Reason observed that there are so many levels of checks that for a catastrophe to happen, an entire sequence of failures is required. This “Swiss cheese” defense-in-depth level approach (Figure 2) makes similar sense in cybersecurity, ensuring that if aggressors get past a line of defense, others are in waiting.
Figure 2: The "Swiss Cheese" model. A sequence of imperfect defensive layers will only fail when those imperfections coincide.
Approaches and technologies that can contribute to the defense of a smart grid include secure network architectures, data encryption, secure middleware, and domain separation. Monitoring smart devices deserve particular attention because they access data that is critical to smart grid operation.
IoT and cybersecurity
Initiatives such as the NIST cybersecurity network, the US National Vulnerability Database, and ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) reflect the seriousness of the issue. But much of the available advice is high level: it catalogues existing vulnerabilities or states principles, rather than giving detail. So how might a team of software engineers develop a secure application?
In traditional security-focused sectors, the approach to secure software development has tended to be reactive: develop the software, and then use penetration, fuzz, and functional testing to expose and repair any weaknesses.
Perhaps a better approach to designing cybersecurity into monitoring smart devices is to mirror the development processes advocated by functional safety standards such as IEC 61508, “Functional safety of electrical/electronic/programmable electronic safety-related systems.” IEC 61508 provides a common framework to develop software that addresses quality, risk, and software safety throughout all aspects of the software development lifecycle, applying best practices and creating a traceable collection of artefacts that can help to provide a quick response should a breach occur.
Secure code development
Compliance with IEC 61508 practices can be demonstrated most efficiently by applying automated tools.
Best practice in the development of both functionally safe and cybersecure software requires the definition of appropriate requirements at the outset, and bidirectional traceability from those requirements to make sure that they are completely implemented. (Figure 3)
Figure 3: Mapping the capabilities of the LDRA tool suite to the guidelines of IEC 61508
Unit testing and dynamic analysis are equally applicable to both functional safety and cybersecurity. In the latter case it is vital to ensure (for example) that defense mechanisms are effective, and that there is no vulnerability to attack where boundary values are applied.
IEC 61508 also requires the use of coding standards to restrict the use of the specified programming language to a safe subset. In practice, code written to be functionally safe is generally also secure because the same malpractices in programming language application often give rise to both safety and security concerns.
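The following C listing is an added example written for this page, not code from the article or from LDRA's tool suite. It illustrates the two points just made: a parser for a smart-meter demand report written to a MISRA-style safe subset (no unbounded string functions, every length checked before use, an explicit plausibility range on the value), placed beside a conventional sscanf() version that shows the kind of programming malpractice which is a safety defect and a security defect at the same time, and a set of boundary-value unit checks of the sort the text describes. The "METER:<id>:<demand_watts>" wire format, the field limits and the MAX_DEMAND_W ceiling are assumptions made for the example.

```c
/* Added example (not from the article or LDRA): bounded, range-checked
 * parsing of a constructed smart-meter demand report, a sscanf() version
 * for contrast, and boundary-value checks. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (assumption): "METER:<id>:<demand_watts>"
 * <id> is 1..8 decimal digits, <demand_watts> is 0..MAX_DEMAND_W. */
#define MAX_MSG_LEN   32u
#define MAX_ID_LEN     8u
#define MAX_DEMAND_W   100000u   /* assumed plausibility ceiling for one meter */

typedef struct {
    char     id[MAX_ID_LEN + 1u];
    uint32_t demand_w;
} demand_report_t;

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_LEN,     /* message longer than the protocol allows */
    PARSE_ERR_FORMAT,  /* prefix, separator, id or digit syntax wrong */
    PARSE_ERR_RANGE    /* syntactically fine but implausible demand */
} parse_status_t;

/* The "malpractice" version: %u silently accepts a sign, so "-1" becomes
 * 4294967295 watts, and nothing bounds the value against MAX_DEMAND_W. */
uint32_t unsafe_parse_demand(const char *msg)
{
    char id[MAX_ID_LEN + 1u];
    unsigned int demand = 0u;
    (void)sscanf(msg, "METER:%8[^:]:%u", id, &demand);
    return (uint32_t)demand;
}

/* Decimal digits only: no sign, no whitespace, overflow-checked against max. */
static parse_status_t parse_digits(const char *s, size_t len,
                                   uint32_t max, uint32_t *out)
{
    uint32_t v = 0u;
    size_t i;
    if (len == 0u) { return PARSE_ERR_FORMAT; }
    for (i = 0u; i < len; i++) {
        uint32_t d;
        if ((s[i] < '0') || (s[i] > '9')) { return PARSE_ERR_FORMAT; }
        d = (uint32_t)(s[i] - '0');
        /* v*10 + d <= max  <=>  v <= (max - d) / 10, evaluated without overflow */
        if ((d > max) || (v > ((max - d) / 10u))) { return PARSE_ERR_RANGE; }
        v = (v * 10u) + d;
    }
    *out = v;
    return PARSE_OK;
}

/* Hardened parser: length is checked before the payload is touched, the id
 * copy is bounded by MAX_ID_LEN, and the demand is range-checked. */
parse_status_t parse_demand_report(const char *msg, size_t msg_len,
                                   demand_report_t *out)
{
    static const char prefix[] = "METER:";
    const size_t prefix_len = sizeof(prefix) - 1u;
    const char *id_start;
    const char *sep;
    size_t id_len, i;
    parse_status_t st;

    if ((msg == NULL) || (out == NULL)) { return PARSE_ERR_FORMAT; }
    if (msg_len > MAX_MSG_LEN) { return PARSE_ERR_LEN; }
    if ((msg_len < prefix_len) || (memcmp(msg, prefix, prefix_len) != 0)) {
        return PARSE_ERR_FORMAT;
    }
    id_start = msg + prefix_len;
    sep = memchr(id_start, ':', msg_len - prefix_len);
    if (sep == NULL) { return PARSE_ERR_FORMAT; }
    id_len = (size_t)(sep - id_start);
    if ((id_len == 0u) || (id_len > MAX_ID_LEN)) { return PARSE_ERR_FORMAT; }
    for (i = 0u; i < id_len; i++) {
        if ((id_start[i] < '0') || (id_start[i] > '9')) { return PARSE_ERR_FORMAT; }
    }
    st = parse_digits(sep + 1, msg_len - prefix_len - id_len - 1u,
                      MAX_DEMAND_W, &out->demand_w);
    if (st != PARSE_OK) { return st; }
    memcpy(out->id, id_start, id_len);   /* bounded: id_len <= MAX_ID_LEN */
    out->id[id_len] = '\0';
    return PARSE_OK;
}

parse_status_t parse_str(const char *msg, demand_report_t *out)
{
    return parse_demand_report(msg, strlen(msg), out);
}

/* Boundary-value checks: both ends of the valid range, one past each end,
 * a signed value, an over-long id, an empty value and an over-long message.
 * Returns the number of failed checks (0 means all passed). */
#define CHECK(cond) do { if (!(cond)) { failed++; } } while (0)
int run_boundary_checks(void)
{
    demand_report_t r;
    char big[MAX_MSG_LEN + 2u];      /* 33 characters: one over MAX_MSG_LEN */
    int failed = 0;
    memset(big, '0', sizeof(big) - 1u);
    big[sizeof(big) - 1u] = '\0';

    CHECK((parse_str("METER:1234:0", &r) == PARSE_OK) && (r.demand_w == 0u));
    CHECK((parse_str("METER:1234:100000", &r) == PARSE_OK) && (r.demand_w == MAX_DEMAND_W));
    CHECK(parse_str("METER:1234:100001", &r) == PARSE_ERR_RANGE);
    CHECK(parse_str("METER:1234:-1", &r) == PARSE_ERR_FORMAT);
    CHECK(parse_str("METER:123456789:5", &r) == PARSE_ERR_FORMAT);
    CHECK(parse_str("METER:1234:", &r) == PARSE_ERR_FORMAT);
    CHECK(parse_str(big, &r) == PARSE_ERR_LEN);
    return failed;
}

int main(void)
{
    demand_report_t r;
    printf("boundary checks failed: %d\n", run_boundary_checks());
    printf("unsafe_parse_demand(\"METER:1234:-1\") = %u watts\n",
           (unsigned)unsafe_parse_demand("METER:1234:-1"));
    if (parse_str("METER:1234:-1", &r) != PARSE_OK) {
        printf("hardened parser rejects the same message\n");
    }
    return 0;
}
```

The sscanf() version is not memory-unsafe here (the %8 width bounds the id), which is the point: the defect is the silent acceptance of a signed value and the missing plausibility check, exactly the kind of input-handling slip that a coding standard's safe subset forbids and that a boundary-value unit test catches. A manipulated demand of "-1" would be a functional-safety defect (a 4 GW reading for one meter) and a security defect (a route for the misleading demand data discussed earlier) at the same time.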
No smart grid is ever going to be absolutely impenetrable. If it is to be protected proportionately to the level of risk involved, multiple levels of security are required so that if one level fails, others are standing guard.
Monitoring smart devices deserve particular attention because they provide access points to data that are critical to the operation of the smart grid. The structured development approach of a functional safety standard such as IEC 61508 can provide the ideal framework to apply a proactive approach to the development of a secure application.
Happily, many of the most appropriate quality assurance techniques for secure coding are well proven in the field of functional safety. These techniques include static analysis to ensure the appropriate application of coding standards, dynamic code coverage analysis to check for any excess “rogue code”, and the tracing of requirements throughout the development process.
The legacy of such a development process includes a structured set of artefacts that provide an ideal reference should a breach of security occur in the field. Given the dynamic nature of the endless battle between hackers and solution providers, optimizing breach response times is not merely a good idea. It is a potential lifesaver.