
IEEE: The expertise to make smart grid a reality

What the Power Industry Has to Learn about Cyber Vulnerability Disclosure

Although advanced metering infrastructures enable more dynamic generation, distribution and consumption, smart meters, wireless repeaters and routers must operate in physically unprotected environments and communicate with potentially hostile consumer systems. What is more, expanded bandwidth requirements tempt system designers to rely on non-dedicated and often untrusted networks because of their lower costs. The combination of expanded cyber dependencies and greater public exposure will increase the potential impact of software vulnerabilities discovered within these systems. Thus, software vulnerability management is more problematic than ever.

Software vulnerabilities continue to be a major limitation in the design of secure cyberspaces. Vulnerabilities often result from incorrect memory management, poorly designed authentication mechanisms, and incorrect assumptions about user inputs. While engineers have gone to great lengths to develop more secure software, systems remain insecure—hence Microsoft's monthly Patch Tuesday, for example, and the government-sponsored National Vulnerability Database, which indexes thousands of new vulnerabilities every year.

Vulnerabilities can typically be categorized as issues resulting from either the software design or implementation processes. Design issues generally arise from inaccurate understanding of system security requirements, leading to insufficient authentication mechanisms, weak encryption ciphers or limited software configurability. Implementation vulnerabilities are typically the result of software programming mistakes, such as inappropriate memory allocation, errors implementing encryption mechanisms, or missing user input validation. Within this domain both implementation and design issues are very common because of inadequate focus on security in the development process; however, design inadequacies have become increasingly worrisome, as many currently deployed software platforms possess insufficient security mechanisms, such as authentication, encryption and auditing.

In fact, the wide prevalence of these design issues has led ICS-CERT, the DHS-sponsored organization that handles public vulnerability disclosure for control systems, to modify its disclosure policy to exclude these design-layer issues. Although this decision may seem alarming, it reflects the added difficulty of mitigating design-layer vulnerabilities, which generally cannot be addressed through a simple software patch. While the decision by ICS-CERT could negatively impact consumers' security awareness, it may also help limit the public release of vulnerabilities for which no complete or sufficient mitigation exists.

The resulting policy and ethical concerns will be just as troublesome. Software vulnerabilities are often first discovered by security researchers unaffiliated with the vendor. Whenever a new vulnerability is detected, the researcher must decide how the sensitive information is best disclosed. One option is "full disclosure", that is, the unrestricted release of complete vulnerability details through public mailing lists or web sites. Another option is to limit disclosure to only the vendor and a computer emergency response team, such as ICS-CERT, thereby giving the vendor a reasonable time frame to create a fix or patch before the vulnerability is publicly disclosed. This method is typically referred to as "responsible disclosure" because it reduces the window during which the vulnerability is publicly known but cannot be appropriately mitigated. Unfortunately, many researchers feel that vendors abuse the responsible disclosure process by not prioritizing the release of timely fixes.

Many traditional IT vendors maintain formal vulnerability management and disclosure policies, acknowledging their willingness to work with researchers and their responsibility to release fixes in a timely fashion. For example, Microsoft follows a Coordinated Vulnerability Disclosure (CVD) practice that documents how it handles reported vulnerabilities. Google acknowledges, and provides a financial reward to, researchers who initially disclose vulnerability information privately, so that it can release an appropriate fix before the information is made public.

But many power industry vendors have limited experience with the vulnerability disclosure process. As a result, vulnerability reports often produce disagreements between vendors and researchers over the severity of a vulnerability and the appropriate mitigation. Utilities face additional difficulties when deploying updates or patches because systems are geographically dispersed, network bandwidth is limited, or testing environments and procedures are inadequate.

The vulnerability disclosure problem is critical to ensuring the overall security of the electricity grid and will require greater cooperation, accountability and consideration from all involved parties. Security researchers should analyze the potential negative impact of vulnerability information and use responsible disclosure whenever possible. Vendors must embrace a stronger focus on security, work openly with security researchers and accept responsibility for delivering timely mitigations.

Although little can be done to directly control how researchers disclose vulnerability information, vendors can encourage adoption of responsible disclosure practices by acknowledging and cooperating with researchers. As vendors develop formal disclosure policies, researchers may gain confidence in vendors' commitment to addressing security concerns.

Regulatory agencies such as the North American Electric Reliability Council (NERC) can provide additional assistance. NERC already enforces cyber security requirements for utilities through the Critical Infrastructure Protection (CIP) standards, which state requirements and time frames for utilities to install vendor patches. While utilities fall under these requirements and must perform timely vulnerability patching, software vendors are subject to no requirement governing whether or when they release a patch. Instead, vendor mitigation decisions are driven primarily by customer demand for timely mitigation. Yet in contrast to traditional IT software platforms, the smaller customer bases and heavy vendor lock-in in electric power often limit customer influence. These issues can be addressed by formalizing vendor software support and interoperability requirements for all system acquisitions.

Software vulnerabilities, whether they affect a few isolated control centers or millions of publicly exposed smart meters, should be expected occurrences in the development of a smarter grid. Because information about vulnerabilities is so sensitive, methods of disclosure and their resulting impacts must be well understood throughout the power industry. Although intelligent attackers will eventually discover such information, better practices by researchers, vendors, utilities and regulatory agencies can help ensure that problems are remedied before potential cyber adversaries mount their attacks.

Contributors

  • Manimaran Govindarasu, a senior member of IEEE, is Mehl Professor in the Department of Electrical and Computer Engineering at Iowa State University.

  • Adam Hahn, an IEEE member, is an information security engineer at the MITRE Corporation.

About the Smart Grid Newsletter

A monthly publication, the IEEE Smart Grid Newsletter features practical and timely technical information and forward-looking commentary on smart grid developments and deployments around the world. Designed to foster greater understanding and collaboration between diverse stakeholders, the newsletter brings together experts, thought-leaders, and decision-makers to exchange information and discuss issues affecting the evolution of the smart grid.
