Feature Article
Grid Modernization and Cyber Security Trends
Erich Gunther, IEEE Smart Grid Expert
Chairman, CTO, and Co-Founder, Enernex,
Slade Griffin, Director of Energy Systems Security, Enernex
Hands-On Hacking
More offerings are beginning to pop up allowing the most technical staff
As the electric grid is modernized through interconnections and the
to learn how to attack and defend both the Information Technology (IT)
ability to interact remotely, the risk of cyber attack increases. Fortunately,
portions of a control system, as well as purpose-built devices like programthe growing availability of cyber security training options to combat these
mable logic controllers and smart meters. These courses teach professionals
attacks is also on the rise. Training now ranges from regulatory compliance
how to find and exploit vulnerabilities within systems and devices, which
and cyber security program development to hands-on hacking. Another
ultimately provides a greater understanding of how to defend them. This
favorable trend is the coming together of utilities, vendors, government and
type of training offers a hands-on look at how to understand security from
private contractors for the purpose of collaboration in organized user group
the bottom up within an organization.
and projects. These are proactive trends to take on cyber security risks,
however, there are ongoing challenges that must be overcome. Although the
Protocol and Architecture Training
proper authority and funding of security programs is starting to improve,
The emergence of new standards and guidelines like IEC 61850,
necessary levels of staffing, funding and training are not yet being met.
OpenADE, OpenADR, ZigBee SEP2.0 and DNP3 have created the need
Over the past several years control systems networks, or operations
for specific training in these
technology, which are critical
areas. Utilities and vendors
for the correct functioning of
wishing to have deeper unpower generation, transmisderstanding of how to implesion, and delivery, are being
ment these architectures and
modernized and labeled
protocols can attend and have
“smart grid.” Most often this
questions answered without
term refers to a technological
having to volunteer staff in
overlay or interconnection
the various working groups.
that provides remote access,
With respect to traincontrol, visualization or
ing, there has also been an
communication to a system
increase in management
that may not have previously
attendance in the classes.
had this type of capability. As
Having managers present
interconnections and the abilin these classes indicates a
ity to interact remotely are
greater level of interest in
added there is a potential to
the subject matter. Many of
increase the risk level of that
the mangers also seem to be
system. Additionally, many
working towards establishing
systems are now using public
budgets and more robust sechannels, such as the cellular
Security should be built-in, and continually monitored and assessed
curity programs within their
network and the Internet to
organizations. This type of
communicate and that also
effort is sorely needed to reverse a trend of underfunding, understaffing and
contributes to the level of risk applied to that system.
undertraining that has remained fairly steady over the past several years.
As a result, cyber security training has been become a priority and is
steadily gaining attention. There are now several training options for personnel or companies needing to improve their understanding of the various
Reassessing Cyber Security’s Role, Funding and Training
layers of security that must be applied to any interconnected system.
There has been a consistent lack of establishing a dedicated staff for
security in both traditional IT and in smart grid. Some organizations are
actually moving their technical teams into more administrative roles, and
Cyber Security Training Options
relying solely on compliance for their security programs. There are few
NERC-CIP – North American Electric Reliability Corporation cases where organizations adequately fund and pursue solid security proCritical Infrastructure Protection
grams. More often individuals or organizations are experiencing some or all
This is compliance-based training to deepen understanding of regulatory
of the following issues:
guidelines that have been established. Courses are offered that provide both
• Understaffing – It is worth it to look closely at the security team and
general overviews on designing and implementing a Critical Infrastructure
seek input from the “boots on the ground” about staffing levels. Too freProtection (CIP) compliance program, as well as deeper dives that focus
quently large organizations dedicate only a single person to cyber security.
on one or two specific CIP regulations and deal with the technical details
This can be a symptom of underfunding.
needed to improve and maintain compliance.
• Underfunding – It is said that IT should be 15 to 20 percent of an
overall organization’s budget and cyber security should be 15 to 20 percent
Cyber Security Program Development
of that amount. This would mean for every one million dollars of budget,
These courses are designed to implement an overarching program to
$200,000 would be allocated to IT, and $40,000 would be allocated to cyber
establish a secure foundation to build out smart grid systems and programs
security. While power systems and IT are not the same thing, this metric
in a secure manner. The National Rural Electrical Cooperative Association
may still work to plan out future projects.
(NRECA) developed a comprehensive set of documents two years ago to
• Undertraining – This is perhaps the toughest issue to overcome. How
address the need for secure programs. As a follow-on offering the NRECA
does someone who isn’t a cyber security expert identify someone to lead
regularly offers one-day classes that discuss how and why to build these
a team? The National Board of Information Security Examiners (NBISE )
programs into daily operations. Most importantly it drives home the idea
is attempting to solve this by putting forth a set of metrics to help identify
that security should be built in to a system or product and that it is a concompetent practitioners at different levels and applications. The ability to
tinual process, as shown in the figure above.
6
www.RemoteMagazine.com
http://www.RemoteMagazine.com
Table of Contents for the Digital Edition of Remote - Summer 2013