The need to secure the electric grid against cyberattacks has attracted attention at both the corporate and policy level. But no one actually knows what “secure” really means, and making that determination may prove challenging.

Decision-makers at energy companies and on Capitol Hill have been alerted to the danger of a cyber attack on the electric grid. While those concerns may be valid, calls to “secure the grid” assume a level of knowledge of the state of grid security that even experts in the field may not possess, said IBM Energy Security Lead Andy Bochman at the Advanced Energy Conference in New York this week.

“They begin to hear statements that the grid is not secure enough,” Bochman said. “That begs the question: how would you know? How do you know how secure it is now?”

“What is the desirable state of security that it must have for you to begin relaxing and working on other topics? No one knows the answer to those questions, including people who should,” said Bochman.

A key problem is a lack of benchmarks, or metrics, that could help to establish whether a device or system is secure. And there are several roadblocks to establishing such metrics.

One of those is the risk that setting security standards would give actors who wanted to attack the grid, rather than safeguard it, a road map to the security systems in place. “By having things standardized and publicized, the good guys and the bad guys know all the details of the protocol,” said Jeffrey Katz, Chief Technology Officer for IBM’s Energy and Utilities industry.

And standards would have to apply not only to a utility, but to equipment manufacturers as well, Katz added. He noted that a security rating system is a possibility – analogous to an energy efficiency rating on a dishwasher, perhaps – to give users a guarantee that a device meets a particular level. “But the point is, what is that level?” Katz said.

The rapid pace of technology development is another obstacle to setting security standards. “As computing technology advances, what was unhackable – it would take 700-800 years to decrypt something – what happens ten years from now when that’s down to two to three weeks?” Katz said.

Concerns about the pace of technological development take on another dimension when security standards are considered at the policy level, where a suite of federal agencies with a stake in electric grid cybersecurity, from the North American Electric Reliability Corporation (NERC) to the Federal Bureau of Investigation (FBI), must collaborate on new regulations.

“It takes a longer time to get all the organizations together than it does to change the technology,” said New York University Professor of Planning and Public Administration Rae Zimmerman.