A truly digital grid is in reach – but we need the right security. If we have good proactive, pre-emptive measures in place, we can start building smarter grids and break the impasse, write Robert Lagerström and Arshad Saleem

A few years ago, cybersecurity experts and energy executives were speaking different languages. Now, the security of the emerging smart grid is firmly on business leaders’ agendas. That’s progress.

But the technology is still catching up and, at the moment, we’re stuck at an impasse. A truly digital smart grid is within reach, but we can’t safely implement it without robust security. However, the cyber security industry is understandably slow to create the right security solutions without the digital grid there to protect. We’re waiting for the chicken to lay the egg and for the egg to hatch the chicken.

Why? Because we are stuck in a reactive mode of thinking when designing security solutions. What can we do about it? We should be building proactive solutions to complement reactive ones. If we have good proactive, pre-emptive security in place, we can start building smarter grids and break the impasse.

Important chickens, vital eggs

The benefits of the smart grid – and the broader Internet of Things (IoT) – are well known. A digitally-connected energy grid supported by smart analytics will allow the energy industry to more intelligently match supply to demand, integrate more renewable energy and roll out clever new services to consumers and businesses. It will mean a leaner and cleaner grid.

The security problems this poses are also starting to become familiar. A lot of the in-field, physical operational technology (OT) is decades old, expensive to replace and designed at a time when ‘cyber’ was a prefix consigned to sci-fi. By networking more and more infrastructure, you create more and more potential doors for hackers, many of them poorly guarded. Few people have an overview of all of these connections, so different teams excitedly press ahead, connecting this or pulling data from that, to create new functionality, only dimly aware of the security implications.

As our energy system becomes more connected, the stakes also get higher. Suddenly, you’re not talking about a substation going down, but a potential grid-wide attack. As the risk escalates, so does the reward for hackers. While before the biggest concern may have been hobbyists, now the potential for ransom or harm has attracted sophisticated organized criminals and even state-sponsored actors. If there’s ever a third world war, it will be fought in cyberspace, and shutting down the power grid will be one of the top strategic targets.

Reactive security

It’s worth thinking about how cyber security traditionally works. The vast majority of current solutions are based on creating tools that protect existing systems. For example, you might install sophisticated firewalls and anti-malware software to try and keep out the cyber criminals and to find and fix problems quickly when they do get in. Then, when the hackers up their game and create new malware, the security companies rush to update their systems and patch new holes. It’s a constant race. It’s reactive.

You can see the chicken and egg problem: the very premise of these solutions is that they’re built to protect systems already there. But utilities are reluctant to build those systems before the security is in place. We advocate something complementary, but different.

If you were an engineer designing a bridge, you would build it digitally first in a computer-aided design (CAD) tool. You can then test it for different variables and adjust the design accordingly. For example, you could stress test it against certain wind speeds, or a particular number of trucks driving over it, and then change the building material. Of course you’d need to run real life tests once you’d built it too – but this stage provides a degree of confidence without which you’d never dare to dig the foundations.

Exactly the same approach can apply to cyber security. Using intricate attack trees (picture a flow diagram mapping out ways of attacking), it’s possible to model a digital system and stress test it against potential threats. It’s truly creating security by design.

Others have tried this before. However, efforts have typically failed for two related reasons. Firstly, they have relied on someone with knowledge of the system manually building it within the software. With networks as complicated as this, it’s hugely difficult to find someone with that whole-system overview, and very easy to miss things. Then, similarly, it would be up to the user to dream up and try out the attacks in the model. Again, this is hardly systematic and prone to human error.

By contrast, there are new CAD-based systems that can plug into an existing system – either already live or still in the design phase – and automatically map out the entire network, combing it with algorithmic precision and not relying on a knowledgeable but fallible architect to sketch it out in the programme. Then, the stress test is carried out using attack trees populated with mathematical probabilities. Probabilistic calculations look at the whole system and identify the shortest and most likely attack paths. Engineers can then design a fix and re-test. This approach means energy companies can confidently install smart grid systems, cracking the chicken-egg conundrum. However, it’s important to note that this is not a replacement for reactive cyber security as it’s not a system to fight intruders. Instead, the two types of security should be seen as symbiotic, feeding into one another.
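The kind of calculation described above can be sketched in a few lines. This is an added example, not code from securiCAD or from the authors: it simplifies the attack tree to a graph in which each edge is one attack step, and the asset names and success probabilities are constructed for illustration. It finds the most likely attack path, then re-tests after a design fix.

```python
import heapq
from math import exp, log

# Constructed smart-meter architecture: each edge is an attack step, each value the
# assumed probability that the step succeeds (illustrative numbers, not measurements).
MODEL = {
    "internet": {"customer_portal": 0.6, "vpn_gateway": 0.2},
    "customer_portal": {"head_end": 0.3},
    "vpn_gateway": {"office_lan": 0.5},
    "office_lan": {"head_end": 0.4, "scada_hmi": 0.1},
    "head_end": {"meter_concentrator": 0.7},
    "meter_concentrator": {"smart_meters": 0.8},
    "scada_hmi": {},
    "smart_meters": {},
}

def most_likely_path(model, source, target):
    """Return (probability, path) for the most likely attack path, or (0.0, [])."""
    # Maximising a product of probabilities equals minimising the sum of -log(p),
    # so Dijkstra's shortest-path search applies directly.
    best, prev, queue = {source: 0.0}, {}, [(0.0, source)]
    while queue:
        cost, node = heapq.heappop(queue)
        if node == target:
            path = [node]
            while path[-1] != source:
                path.append(prev[path[-1]])
            return exp(-cost), path[::-1]
        if cost > best.get(node, float("inf")):
            continue  # stale queue entry
        for nxt, p in model.get(node, {}).items():
            if p <= 0.0:
                continue  # step removed entirely by a mitigation
            new_cost = cost - log(p)
            if new_cost < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = new_cost, node
                heapq.heappush(queue, (new_cost, nxt))
    return 0.0, []

def with_fix(model, src, dst, new_p):
    """Copy of the model with one attack step's probability changed by a design fix."""
    fixed = {node: dict(edges) for node, edges in model.items()}
    fixed[src][dst] = new_p
    return fixed

if __name__ == "__main__":
    print(most_likely_path(MODEL, "internet", "smart_meters"))
    hardened = with_fix(MODEL, "customer_portal", "head_end", 0.05)
    print(most_likely_path(hardened, "internet", "smart_meters"))
```

In this constructed model, hardening the portal-to-head-end step does not end the analysis: the re-test shows the VPN route has become the most likely path, which is the design, fix and re-test loop the paragraph describes.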

Fighting fires

So, the technology is there; the will to invest in security is there – that’s everything in place, right?

Actually, there’s one more structural barrier to how cyber security is addressed in energy organizations. It’s great to see dedicated budgets and teams emerge to take cyber security seriously, as we have over the last few years. However, as with any team, resources are limited. There’s a finite amount of time and money to spend. This is a problem – not necessarily because the budgets are too low – but because their attention is entirely tied up with reacting to threats. With firefighting. In these circumstances, it’s extremely difficult for cyber security teams to carve out time to strategically invest in proactive systems.

What’s needed are separate departments – or teams within one cyber security department – with their own budgets completely focussed on reactive and proactive cybersecurity respectively. Obviously they will need to work closely together, but this will ensure that utilities can fireproof as well as firefight. It’s already difficult for energy companies to find and invest in cyber security, especially with top talent so scarce. However, the smart grid is a big project, and its security a big priority. At least, though, there’s a way out of that infuriating chicken-and-egg conundrum of which needs to come first: proactive smart grid cyber security design.

Robert Lagerström is the founder of cyber security startup foreseeti. Arshad Saleem is smart grid thematic field leader at InnoEnergy.

The foreseeti and InnoEnergy story

The company foreseeti and its flagship product securiCAD – a cyber risk analysis tool – were both born from research conducted at the Swedish Royal Institute of Technology. Three of the company’s five founders were professors in the electrical engineering department and had been focusing on security.

As part of this research, they built a tool that would later become securiCAD. One of their industry research partners, ABB, mentioned how impressed they were with the tool, and suggested it be commercialized.

foreseeti teamed with InnoEnergy, a publicly-funded but commercially-minded European organization that looks to help the next generation of energy innovations in Europe that will contribute to a cleaner, more secure grid. InnoEnergy doesn’t just offer funding, but also professional support in commercializing an idea, building a business network and bringing it to market.

With InnoEnergy’s support, foreseeti was able to bring securiCAD to market in January this year. In the same month, InnoEnergy and a group of entrepreneurs invested around $1 million to scale the business. foreseeti was also shortlisted by NyTeknik & Affärsvärlden as one of Sweden’s 33 hottest tech startups.

The company has since worked with two utilities looking to model the security risks of their smart meter architectures ahead of implementation. One included highly granular and detailed data, where the other was sparse. Both were analyzed in securiCAD, revealing vulnerabilities within the proposed systems and the consequences of different types of attack. This enabled the companies to select the optimal system, identify priority areas to migrate to the new system, and develop smart metering security architecture recommendations for future installations.