Interview with Manimaran Govindarasu
In this interview, Manimaran Govindarasu discusses the importance of cybersecurity in today’s utility business environment. He also discusses policy and technical innovations needed in the industry to help utilities best protect the security of their Smart Grids.
Question: How do you characterize cybersecurity in the Smart Grid environment?
I want to say, first, that I view the future Smart Grid as a "cyber-physical" system, one that includes both cyber and physical infrastructure. This goes beyond the conventional view of the power grid as a physical system.
The physical system includes innovations that enable the integration of renewables and other technologies needed for Smart Grid. The cyber system includes the automation technologies, sensors, communication protocols, security features and control algorithms that are superimposed on the physical system to monitor and control the whole grid.
Cybersecurity itself is a fairly new concern to utilities. It was not considered part of grid planning or design until very recently. It is necessary now, however, because cyberspace is becoming an increasingly hostile environment. Cyber threats and sophisticated, targeted attacks are increasing in frequency.
Question: What are the key Smart Grid cybersecurity concerns?
The consumer and bulk power sides of a utility system each have unique cybersecurity concerns and their solutions must be tailored accordingly.
On the consumer side, cybersecurity focuses on the secure deployment of Advanced Metering Infrastructure (AMI). Utilities must offer AMI services in a way that guarantees the privacy of consumer data because an AMI security breach is very likely to have a substantial adverse impact on a utility's business and consumers’ trust in Smart Grids.
A cyber incident that occurs in the bulk power system, if not adequately mitigated, could potentially create a cascading outage and cascading blackouts. Cybersecurity of the bulk power system is complicated because it involves securing all the sensors, communications, and other cyber technologies used throughout the grid that collect real-time information and automate control decisions. The IT technologies used for substations and field devices today are not adequate to implement the latest and greatest security features and utilities must determine how to retrofit those legacy systems with security technologies. This is a huge challenge and an important one.
Question: What are some of the specific issues utilities need to address to mitigate cybersecurity risks?
As I mentioned, utilities must replace legacy components in the bulk power system, but this can't be accomplished overnight. This is a significant issue.
Secondly, the industry needs cybersecurity standards. Today, every major utility must comply with the North American Electric Reliability Council's Critical Infrastructure Protection (CIP) standard, which provides a framework for identifying and protecting critical power grid generation and transmission infrastructure, but this is a high-level approach based on risk assessment. Also, the National Institute of Standards and Technology has developed Guidelines for Smart Grid Cyber Security (NISTIR 7628), but these are yet to be translated into implementable standards. Essentially, cybersecurity guidelines/standards are being developed by different bodies but there needs to be greater coordination. The standards development process needs to be accelerated.
Third, utilities need a high level of assurance that the software they use in the power grid is secure. Today, much of the software being deployed for computation, sensing or communications is vulnerable to malware and cyber attacks. These vulnerabilities must be addressed.
Fourth, real-time sharing of information pertaining to cyber incidents, cyber alerts, and mitigating high-risk threats is critically important. Utilities need to establish policies and standards defining trust relationships: who is allowed to share information with whom. And they must have ways to allow "dynamic" trust policies if certain contingencies justify unplanned information sharing. Once policies and standards are defined, they must be implemented in information protocols and then the technology solutions must be deployed. Utilities also need to develop and deploy a seamless information flow architecture to facilitate flow of information from field devices to a control center or a coordinated national team and the flow of information downstream from these levels to individual utilities.
Fifth, education and work force development are big issues. In the power industry, knowledge about cybersecurity is not adequate. Many universities are teaching courses and trying to involve students in cybersecurity projects for Smart Grid but it will take time to really create a critical mass of experts who understand both cybersecurity and power systems. Currently, experts tend to understand one or the other. We need to bridge this gap.
Question: How can utilities estimate the likelihood and nature of cyber attacks so they can prepare for them and respond accordingly?
Utilities need to have comprehensive risk assessment, risk management and risk mitigation frameworks in place to deal with cyber attacks for a given infrastructure. The risk modeling used for these purposes can also, potentially, drive the development of compliance requirements.
Traditionally, risk is characterized as the probability that a vulnerability will be exploited times the impact of that event. In a Smart Grid, the impact can mean damage or a change in the operation of the grid's physical system, such as a power outage, violation of system stability properties, or damage to costly equipment. Other impacts include exploitation of consumers' energy consumption information, manipulation of the energy market, or the compromise of critical system functions.
The industry has developed quantitative and qualitative risk assessment techniques and risk mitigation methodologies based on the definition of risk that considers vulnerability times impact, but we also need to take into account the very first component—the threat—in our modeling. We need to consider whether a threat will come from a company insider, a hacker group, a terrorist group or a hostile nation. And we still need to understand how to mathematically or quantitatively model threats. Today, these disciplines are considered more art than science.
We also need a comprehensive risk assessment framework that includes threat modeling, vulnerability analysis and impact evaluation. We need to be able to prioritize the risk as a single composite metric that indicates whether it is severe, moderate, or low and if mitigation is needed. The risk management framework also needs to consider the likelihood of coordinated threats and provide techniques for mitigating those threats as well. The NERC's cybersecurity task force considers coordinated cyber attacks as High Impact, Low Frequency (HILF) events. An HILF event might occur, for example, if a hacker gains access to substation devices and compromises multiple substations in a single, coordinated attack vector.
Vendors must develop secure devices, software, protocols, and automation systems that are compliant with standards. These will significantly reduce the existence of vulnerabilities in power grid cyber components and their associated exploitation and risks.
Question: Where does responsibility lie, within a utility and within the vendor community, for ensuring that cyber-physical systems are secure?
The risk management practices I just described carry much of this responsibility, but government has to define and enforce security compliance requirements. For example, the NERC's CIP standard is important. CIP requires utilities to define the critical cyber assets, within their own control, whose information is used for real-time control of the power grid. The utility must also define the electronic security perimeter encompassing those assets. There are also guidelines and requirements for security management control, training of personnel, and incident reporting, among other things.
But the key is identifying the critical cyber assets, ensuring that they fall into the electronic security perimeter, and routinely accessing and updating all those things in accordance with security management control policies. Furthermore, a utility's cyber-critical assets can change. For example, utilities are now using Phasor Measurement Units (PMU)—critical sensors deployed in the bulk power system—for monitoring the grid, but utilities are not yet using PMU data for real-time control applications. In the future, when PMU data is used for real-time control, it will become a critical cyber asset and subject to management control and other requirements.
Vendors must employ secure development processes and industry standards and develop products whose security properties can be verified. The products must also satisfy the applicable compliance requirements, interoperate with legacy components, and allow upgrading with new features to adapt to evolving security requirements.
Question: What Smart Grid technology innovations are needed to address cybersecurity issues?
The North American power grid is designed to be resilient against randomly occurring faults that are caused by natural events. It is currently inadequate to deal with malicious attacks and multiple, coordinated events, yet these can have a huge impact on the grid. From now on, when we address grid resiliency, we have to recognize that a paradigm shift has taken place and we must focus our efforts to go beyond the traditional concept of a fault-resilient power grid to the newer concept of an attack-resilient power grid.
The problem is that for a power grid to tolerate multiple faults or multiple simultaneous events, it must be built with much more redundancy than it otherwise requires. This is very, very expensive. How are we going to transform the legacy grid to a grid that is attack resilient without spending too much to introduce the needed redundancies? One has to systematically look at different components of the system and conduct a lot of planning studies and reliability analyses to design the grid to be attack resilient. This is a major innovation that the bulk power system needs.
Question: What is the most important message about Smart Grid that needs to be communicated now?
In my view, Smart Grid security is not a revolutionary concept; it is evolutionary. We should not pursue it as if it is a target to achieve but, rather, as a journey. It starts with industry, government and academia coming together on policy innovation and standards development, followed by universities and R&D organizations inventing technologies. Then, industry must develop and deploy the technologies.
The technologies must be able to adapt to future needs. And the system should have the capability, during any attack, to degrade services gracefully in a way that maintains functionality and avoids collapse.
Manimaran Govindarasu is a founding member and chair of the Cyber Security Task Force of the IEEE Power and Energy Systems Society's Computer and Analytical Methods (CAMS) subcommittee. He is a professor in the Department of Electrical and Computer Engineering at Iowa State University.