“Retro” ideas for the smart grid spark controversy
- August 1, 2019
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Hacking, Industrial Control System Security, Posts with image, Power Grid
Does the future of the smart grid include using smart ideas from the past — or is high tech the only way forward?
We look at the fight over how to keep cyber attackers out of the power grid.
Saved by Lower Tech?
In the space-themed series Battlestar Galactica, the warship survives a Cylon cyber assault because it did not get a high-tech upgrade.
The Cylons had cracked all the latest technology — but not the systems running Galactica.
It was saved by lower tech — an idea cybersecurity expert Mike Assante and some of his colleagues thought could also work for some parts of the national power grid.
(Assante passed away on July 5.)
Now a bill in the U.S. House and Senate — the Securing Energy Infrastructure Act — is looking at what some call a “retro” strategy to protect the grid from cyberattack.
Headlines call it drastic, dumber tech, a dumb-down of the grid.
Let’s take a closer look.
What It Does
The bill would start a program to look at ways to protect parts of the grid, including using analog and non-digital control systems, as well as physical controls.
The bill’s sponsors point to the 2015 Ukraine blackout, when cyber attackers hacked the grid and shut off power for nearly a quarter million people in the dead of winter.
But Ukraine could still run on manual power system controls, instead of automation, and crews got the lights back on.
The sponsors say the U.S. should look at similar ways to protect its highly-automated grid from cyber attackers, too — as threats may be building.
For some, this sounds like going back in time — moving away from the automatic, digital, connected controls that help run the grid, back perhaps to running things by hand.
“In reality, such a retro approach is a poor way to address cybersecurity risk and shouldn’t be considered as a realistic control,” Nigel Stanley, TUV Rheinland’s chief technology officer, told Archer News.
Most industrial control systems have some form of manual over-ride or redundancy in the event of failure, Stanley said.
It could be costly in terms of manpower — and the ability to find qualified staff — if the system fails, he added.
He’s not the only one with concerns.
“…(A)t no time do we advocate that you should return to pencils, paper and calculators because you are afraid of the big bad cyber threat,” said Cris Thomas of Tenable in FedScoop.
Let’s look at the bill even closer.
The act says it would develop a national “cyber-informed engineering” strategy to protect the grid.
We spoke to an expert on cyber-informed engineering to learn more.
Marty Edwards is an industrial automation security expert and the director of strategic initiatives for the International Society of Automation.
“Critical national infrastructure, such as water delivery, electricity delivery, transportation, subways, trains, even your own automobile, are all controlled by computers now,” he said in an interview with Archer News. “All of it.”
But some of these critical systems are using equipment not designed with security in mind, he said.
“Now, we’ve taken these sensitive systems connected them to our business environments, which of course is accessible by the Internet,” Edwards explained. “And that means adversaries have access to critical national infrastructure like our power grids and our water systems.”
Safety Systems Under Attack
Edwards pointed to the Triton/Trisis attack at a petrochemical plant in Saudi Arabia in 2017.
Cyber invaders used the malware to attack the safety systems — the same systems used to prevent explosions and accidents at the plant.
“This was the first time that we saw attackers manipulating cyber controls that could have fatal consequences,” Edwards told the audience in a presentation at the 2019 RSA cybersecurity conference in San Francisco.
Edwards said cyber-informed engineering does not encourage automatically ripping out new technology and replacing it with old-school, retro stuff.
Instead, it encourages analyzing, testing, evaluating — especially the most critical parts, like safety systems that keep people alive, according to Edwards.
“We need to be looking at the safety functions, finding out where they can fail, how they can fail, and designing better systems,” he said.
For example, the solution to a cybersecurity problem might indeed be new, cutting-edge technology.
Or it could be that new school technology with an old school back-up.
Or maybe a non-digital system to keep attackers out.
Cyber-informed engineering helps find the safest way to protect people and critical infrastructure — without assuming the latest technology is the always the answer, he said.
“I think that we’ve overused technology and shiny things right because it’s shiny and new and we want it. We’re programmed into that as consumers, right?” Edwards said.
“But when you’re talking about critical national infrastructure or you’re talking about something that could potentially kill thousands of people if there was a significant failure, you need to be paying extremely careful attention to what technology you use,” he added.
Going to Manual?
One issue causing controversy or confusion is whether the bill would force organizations to replace their high-tech equipment and use manual controls run by humans.
Indeed, one of the bill’s sponsors, Sen. Angus King (I-Maine), said in a press release, “Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators.”
The bill itself, however, talks about exploration of ideas, not replacement.
It also mentions physical controls as one of the possible solutions, though not a required function for any or all parts of grid systems.
We asked King’s office for clarification about the press release, but received no answer to our calls and emails.
In addition, one news article said the “retro” strategy would be mandatory.
We checked with another bill sponsor, Sen. Jim Risch (R-Idaho).
“There is nothing mandatory in the bill,” said Marty Boughton, Risch’s press secretary.
“The bill will provide money for the Department of Energy and our national labs to explore ways to improve cybersecurity of our critical energy infrastructure, particularly simplifying and isolating connections to the most critical functions, but it doesn’t place any additional requirements on industry and doesn’t direct private industry to implement any specific solutions,” Boughton told Archer News.
The Senate passed the bill in June.
The House passed the measure as an amendment in July.
The act would set up two-year pilot program to study the issues and create a report on the results.