Klaus Kursawe is Director of Research and Development at the European Network for Cyber Security (ENCS). He started his career in the field of security at IBM Zurich, where he received his PhD for research into secure distributed systems. After obtaining his PhD, Klaus started working at the University of Leuven. After two years of research, primarily in the areas of trusted computing and secure embedded systems, he went back to the business sector and started working for Philips Research in Eindhoven. There he became Head of the cluster for Trusted Systems and Services. In this context he worked on wireless security, and that is when he had his first encounter with smart grid technology, through the ZigBee standardization activities.
He stayed in the smart energy and critical infrastructure domain and was, for example, a contributor to NISTIR 7681 as well as to several European expert groups.
At Radboud University in the city of Nijmegen, he researched and lectured for two years in the field of security in organizations and ‘smart grid topics’. When this subject became ‘hot’, he was already well established as an expert in the field. Meanwhile, an opportunity arose to set up the European Network for Cyber Security/National Cyber Security Centre (ENCS/NCSC). While working at the university he was already a member of the team that developed the initial business plan. It was therefore a small step for him to make the move and start building up the ENCS research and development team. Today Klaus is both CEO and Chief Scientist, and he is still undecided about which comes first.
How familiar are you with IT audit and what kind of development areas do you see?
‘First off: I have never performed an audit myself. The only IT audits I encountered were mostly related to ISO 27001 in the domain of SCADA[1] systems. I am aware that such a technical domain is difficult to audit, but IT auditors should prepare themselves to the extent that they recognize that this area is in many ways structurally different from IT security, and should make sure they at least understand the effects of the different use cases. Also, they should be careful not to blindly follow a rule-based audit design. Why? Let me explain this by giving you two examples. ISO 27001 certification requires policies to enforce strong password protection. In the grid context, we have seen systems where this was implemented by the server providing the client with the very same cleartext password it later required for access control. This is obviously not useful at all, but it satisfied the ISO 27001 requirements on a system where password management – and especially frequently changing passwords – is very difficult to implement in a meaningful way. This is due, for example, to the wide distribution of systems, the lack of standardized interfaces to integrate key management, and the absence of I/O interfaces on devices. In the end, this leads to a successful certification as well as the illusion of security. The challenge for auditors is to understand the special requirements that apply to specific situations and the need to develop guidelines that actually work for those systems.’
‘I have seen a similar example in the USA, where the North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC/CIP) regulation is in place, which is pretty strict. An extensive set of guidelines to secure the grid needs to be followed. This regulation focuses on power plants and grids. The difficulty here is that the price of realizing adequate security can motivate operators to perform an “exercise in avoidance”. An example can clarify this. Some power plants don’t need external power at start-up (“black-start capability”), which is important if the grid needs to be recovered from a complete shutdown. By contrast, most power plants are actually like a car: they need some external power source to get started. The few power plants that do not need external power are, by their nature, more critical than the others. That’s why NERC/CIP enforced stricter regulation on them, with more specific and higher security requirements. Consequently, some operators of these plants removed the black-start capability, thus avoiding having the plant classified as critical. This is an example of a regulation that, in theory, is very good security-wise, but in practice has the adverse effect of operators trying to avoid implementing the necessary measures instead of striving to comply with the regulation.’
‘A big issue in the energy industry is to arrive at a generally accepted standard. I believe that the auditing community faces the challenge of finding standards that don’t have negative side effects. It is easily possible to overwhelm the industry with these standards, as is happening in Germany with the requirement to certify smart meter gateways according to Common Criteria EAL 4+, significantly delaying a potential rollout. Auditors should tread carefully, and my advice would be to introduce such standards at a pace the industry can handle – and perhaps even tolerate suboptimal security for a couple of years. This may be a controversial statement because, in a sense, it is reasoning against security by design, but we should realize that the industry can’t mature overnight.’
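The password anti-pattern described in the first answer above, as an added example that is not part of the interview and not ENCS code: a server that hands the client the very cleartext password it later demands, next to a challenge-response login in which a per-device secret is installed once and never crosses the link. Both sides run in one process; the secrets, the nonce size and the “wire” transcript are constructed for illustration. The challenge-response variant is my substitute technique, not something the interviewee proposes, and it does not remove the provisioning problem he describes: the per-device secret still has to be installed and stored somehow.

```python
"""Added example: cleartext password hand-out versus challenge-response.
Everything here (hosts, secrets, transcript format) is constructed."""
import hashlib
import hmac
import os


class PasswordHandoutServer:
    """The anti-pattern: the server itself sends the client the cleartext
    password it will later demand. The password is long, could be rotated
    daily and ticks the policy box, but anyone who can read the link gets
    the credential for free and can replay it."""

    def __init__(self):
        self.password = os.urandom(12).hex()   # 'strong', freshly generated
        self.wire = []                          # what an eavesdropper sees

    def provision(self):
        self.wire.append(("provision", self.password))
        return self.password

    def login(self, presented):
        self.wire.append(("login", presented))
        return hmac.compare_digest(presented, self.password)


class ChallengeResponseServer:
    """Alternative: a per-device secret is installed once (at manufacturing
    or commissioning, which is exactly the hard part in the field) and is
    never transmitted; the client proves possession by MACing a fresh
    server nonce, so a captured exchange cannot be replayed."""

    def __init__(self, secret):
        self.secret = secret
        self.wire = []
        self._pending = None

    def challenge(self):
        self._pending = os.urandom(16)
        self.wire.append(("challenge", self._pending.hex()))
        return self._pending

    def login(self, response):
        self.wire.append(("response", response.hex()))
        if self._pending is None:
            return False
        expected = hmac.new(self.secret, self._pending, hashlib.sha256).digest()
        self._pending = None                    # each nonce is single-use
        return hmac.compare_digest(response, expected)


def client_answer(secret, challenge):
    """What a legitimate client computes from its installed secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def handout_scenario():
    """Returns (legit login ok, secret visible on the wire, replay succeeds)."""
    srv = PasswordHandoutServer()
    pw = srv.provision()
    ok = srv.login(pw)
    leaked = srv.password in [v for _, v in srv.wire]
    captured = [v for k, v in srv.wire if k == "provision"][0]
    return ok, leaked, srv.login(captured)


def challenge_response_scenario():
    """Same three checks for the challenge-response login."""
    secret = os.urandom(32)
    srv = ChallengeResponseServer(secret)
    ok = srv.login(client_answer(secret, srv.challenge()))
    leaked = secret.hex() in [v for _, v in srv.wire]
    captured = bytes.fromhex([v for k, v in srv.wire if k == "response"][0])
    srv.challenge()                             # attacker now faces a new nonce
    return ok, leaked, srv.login(captured)


if __name__ == "__main__":
    print("hand-out   (ok, leaked, replay):", handout_scenario())
    print("challenge  (ok, leaked, replay):", challenge_response_scenario())
```

An auditor checking the ISO 27001 password control against a transcript of the first flow would see a strong, rotating password; only the `leaked` and replay checks expose that the control buys nothing. For the second flow the same capture shows a nonce and a MAC and is useless to the eavesdropper.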
No rule-based approach for IT audits on energy grids
What are smart meters and what is a smart grid? How are these two related?
‘Please take a look at the diagram (figure 1) from the early NIST work on Smart Grids that I often use in my presentations to explain the complexity of the Smart Grid.[2] The picture shows the logical reference model, which is a real spaghetti diagram: but this is what a smart grid is!’
‘This was an attempt to put every component of the smart grid in one single graph. It logically explains what a smart grid is. In practice, different users use a different subset of the logical reference model and this represents our smart grid. The relation between smart meters and smart grid is the little device labeled “Submeter” in the lower right corner of the diagram, which represents the smart meters in the households. So, while smart meters do get a lot of attention due to the European guidelines that require 80 percent of European households to have one by 2020, as well as the large scale and visibility of the rollout, the smart grid itself is much bigger, more complex, and there is not even a clear agreement on what components it consists of in the end.’
What are the main technologies that enable the use of smart meters and smart grid?
‘As becomes clear from my answer to your previous question: smart metering and smart grids are very broad concepts. The question of what the main technologies are is rather difficult to answer. The closer you get to substation automation, the more individualism you’ll find among utilities. When working with distributed energy resources, there is no longer a central point at which to switch off power, because on the other side of the line power keeps being fed in. That requires some smartness built into the equipment, because it is necessary to tell the other side of the line to stop feeding power into it. For example: if an engineer performs maintenance in a non-distributed situation, the power is cut at the substation by pulling a physical switch. The line can then be repaired safely. However, if the grid is also fed by solar energy (distributed resources), the unfortunate engineer gets into trouble … ’
‘Another example is line usage optimization related to the concept of power quality. From the smart grid point of view, coal power is very clean, while renewable energy is “dirty energy”. Dirty here means that renewable energy reduces line capacity. This is a result of fluctuations in power supply from renewable resources as well as electrical effects (reactive power, “blind power”) that stem from the way this energy is generated. The more renewable energy, the bigger the effects that reduce line capacity. Line capacity is even dependent on weather conditions. Some sort of intelligence is needed to “clean up” the energy supplied by renewable sources. This also requires careful and intelligent management. One other issue on a higher level related to power quality is that measuring equipment out in the field monitoring power quality can trigger actions to regulate it. The correct operation of these units depends on “knowledge” of the exact time, which they receive via GPS. Therefore, grid stability depends to some extent on GPS availability. This is an example of how interdependencies occur with other systems over which the grid has no control.
Needs like these make it clear that communication is the primary technological need. The cheapest way to communicate is by some form of communication over the network of power lines (power line communication, or PLC), a technology that is readily available. There are some protocols that deal with PLC. The downside of PLC is that it provides relatively low bandwidth for communication. Problems may occur if there are too many meters communicating at the same time.’
‘Remotely operated circuit breakers to switch off segments of the grid were an EU technological requirement, but for security reasons this requirement has been abandoned in some countries. A remotely operated circuit breaker can do real harm. Switching off ten thousand households at the same time, for example, poses a big problem for both these households and the smart grid.’
‘In some long-term plans the smart meter will become the gateway to the “smart home”, where it can switch devices on and off. For example: at 9.00 a.m., when everybody switches on their computers, the smart meter switches off the fridge or the climate control to prevent peaks. In-home displays enable households to see how much energy they use. This will eventually lead to dynamic pricing of energy for the smart home. Electrical vehicles are another major issue in the context of smart grids. Fast-charging a Tesla can use as much as sixty times the energy used by the average household. Charging multiple Teslas simultaneously causes problems for the grid that have to be managed.’
Smart meter becomes gateway to the smart home
What opportunities and threats are associated with smart meters and smart grids?
‘Smart meters and smart grids are not a matter of opportunity. The shift towards renewable energy and other changes in the industry are happening right now and it’s not possible to roll back this trend, nor do we want to do so. The only way to manage these changes is via automation. The reasoning “We don’t know how to secure things yet, stop the smart meter roll out!” is not a long-term option. That is, unless we want to roll back numerous other changes that are simply happening, which we also consider desirable, or are willing to deploy huge lengths of additional electricity wires. Smart meters and smart grids are a necessity rather than an opportunity, though they do of course also enable new economic models, more locality of energy generation and distribution and more efficiency in the grid.’
‘Let me sum up some typical threats. For enemy-state armies, the power supply would be a primary target, with the potential to disrupt a country through outages. People may try to manipulate electronic devices in order to steal energy. High-frequency data received from smart meters can tell a lot about the people who are using them, resulting in possible infringements of privacy rights. Hacktivism is another issue: for reasons such as involvement in nuclear power, some energy companies tend to attract quite some opposition. As an example of another threat, an accident occurred in Southern Germany and Austria when an employee merely tried to test a new component. The cause of the accident was some misconfiguration or the technician making a typo. This led to every component in the whole network being asked to give its status, resulting in all components sending their status in an endless loop. The components totally flooded the on-site communication network and seriously disrupted communication. This was not even a malicious hacker attack but just misconfigured IT. Still another threat is posed by insiders, disgruntled employees. These are always a common threat. Opinions on cyber terrorism are divided, as terrorists currently focus mainly on physical attacks, but of course, we can all be proven wrong on this point tomorrow. And, as a final example, rogue meter software. For some components the sector is dependent on just a few suppliers, resulting in a large installed base of specific devices. If, for instance, a malicious person alters the software update of smart meters, a “kill switch” that suddenly kills a hundred thousand devices across Europe may be introduced. It’s quite possible that somebody already has such a strategic asset in place and only has to press a button to infect thousands of systems.’
‘Although there are measures implemented in the grid to avoid the spreading of any issues that may occur, there is no “air gap”. For instance, grid operators have taken (some) measures to divide the grid into segments. In a sufficient number of cases, however, there was nonetheless a cascading effect when an error occurred. And on a wider scale, in essence, the whole of Europe is one grid. There are cases in the past of a tree falling on the wrong power line in Switzerland, which led to a power cut in northern Italy. If an attacker strikes at the right place, at the right time, issues may spread pretty quickly.’
‘Researchers are investigating questions such as: “Now that I have access to your network, can I cause substantial damage rather than just committing vandalism?” Their conclusion is: “yes, it can be done, but you really have to understand what you are doing”. Substantial damage would be possible, and of course physical damage is the worst-case scenario. An interesting example is the Aurora project. Idaho National Laboratory demonstrated the possibility of blowing up an electrical generator remotely by hacking its control software. In the YouTube video you can actually see the generator exploding.[3] A very similar technique was later used in Stuxnet.’
Which body of rules and norms controls the use of smart meters and smart grid?
‘This is highly country-dependent and there also seem to be a multitude of different bodies of rules. Each country has its own regulations. Germany has a Common Criteria profile, which is prescribed by law. These criteria are not yet mandatory in 2015, but in the future every smart meter communication gateway will need to comply with this Common Criteria profile. The British have their Consumer Product Assurance (CPA). They have a different certification scheme that smart meters need to be certified against. And the French also have their own scheme. These three big countries all have some form of security certification for smart meters incorporated in their legislation. There have been attempts to harmonize all these regulations in Europe. For example, ENISA[4] tried to accomplish this by presenting its set of recommendations. However, the trouble is that all countries have their own national issues. Therefore, nobody wanted to accept a requirement that they didn’t already comply with. Countries that rolled out smart meters ten years ago argue that requirements should be devised in such a way that everything they have introduced over the past ten years remains compliant. They have a considerable legacy and don’t want to find themselves in a position in which they are suddenly non-compliant with EU law.’
‘On the EU level there are minimal functional requirements. ENISA has issued minimal security recommendations, which are not obligatory at all. However, the EU will issue a new directive shortly, which also specifically targets the energy sector. It states that if security is not state of the art, companies and individuals can be severely punished. Guidelines for the anticipated sanctions go up to five percent of worldwide annual revenue, or even include jail. As a directive, it’s now up to the member states to turn this into law that will define what it actually implies. Working groups like M490 and M442 provided input to EU standardization groups to have a European standard for smart meters and smart grids respectively. The standardization groups are now starting with the preparation of the standards. By the time these standards are finalized, it is in fact too late, because every household will then already be equipped with smart meters.’
‘Countries essentially write their own security requirements for (smart) energy meters. In the Netherlands this is done by Netbeheer Nederland, the association of the Dutch Distribution System Operators (DSOs). There is a metering law that provides certification requirements for measurement units and specifically the calibration of energy meters. There are also a couple of other laws in the energy sector. For example, the law I mentioned before, which required a remotely operated circuit breaker and which was withdrawn later on. Energy is a highly regulated industry, which makes it a challenge for auditors. Raising security levels has an impact on energy prices. However, companies in the sector do not have the freedom to change their pricing as a consequence of investments in security. They can’t say: “Energy prices need to be ten cents higher because of a security measure”, because their prices are regulated by the government. The sector needs permission from the regulator appointed by the government in order to do so. Therefore, to some extent it’s a government agency that decides how much funding the sector has available for security measures.’
‘One other interesting point is that power companies cannot really go bankrupt. Unlike a “Diginotar”, these organizations cannot disappear. If a big cyber incident happens at a DSO, some party still has to deliver the energy. Therefore, the very people from the affected company will still be needed. While the CEO can be fired, the power company will survive. This makes the whole security business model in this sector interestingly different from the models of other private companies.
Also, privacy regulation is important for smart meter data. Under the current EU law, companies that violate people’s privacy can be fined to pay up to five percent of their annual worldwide turnover. So, that could get really expensive.
And as a final point regarding regulations, specific parts of the grid, such as nuclear power plants, have their own regulation they need to comply with.’
What are the main challenges for security and IT audit and how can we deal with them?
‘There are a lot of challenges for auditors to be met. First, let’s consider standards. Most of the standards you normally audit against don’t fit very well. ISO 27001/2 is a nice standard for IT systems, but it needs to be adapted substantially in order to be useful for control systems. The energy industry really wants to be audited, but it needs to be audited against something that fits its business and systems. Such standards don’t really appear to exist today, though some work on this is ongoing, such as DIN 27019 and ISA99/IEC 62443. We ourselves have developed a procurement guideline[5] as a minimum guideline to avoid the worst security sins.’
‘Another challenge is defining use cases. Right now, the area of smart meters and smart grids is highly experimental, and therefore nobody can really tell what the smart grid use cases will be. In the absence of use cases for a security audit, a threat model can’t be developed. That makes it very hard to figure out what the objectives of your audits should be.
Legacy is also an issue. Long-term legacy is a topic the IT community isn’t used to dealing with. Looking back, any security technology we used fifteen years ago was phased out a long time ago, or is broken, or both. Statements such as “the system is secure for the next fifteen years” are impossible.’
‘Auditors have to be aware of some inherent features. SCADA systems are inherently difficult to audit. For many such systems it’s even difficult to find out what the current status of the network is. A smart grid is a widely distributed network with half a million substations and millions of meters. Determining what devices are actually out there, what software versions they run, and what is actually connected to what is an enormous challenge, even for the network owner. Something that adds to this complexity is that a large number of SCADA devices are extremely fragile. For instance, if an Nmap scan[6] is run on a SCADA network, devices will die.’
‘Configuration management is a challenge in itself. So, obviously, auditing it is a challenge too. For instance, if a configuration is not clearly described, what exactly are you auditing? Physically mapping the configuration is impossible, because the grid is widely distributed. Automatic mapping is too precarious, because some of the devices are just too fragile. Mapping a SCADA network is actually a research topic now. Some devices “talk” very, very rarely. As a result, listening in on the network for a week and finding out which components out there actually talked may not necessarily get you anywhere.’
‘Auditors have to consider safety versus security. Security sometimes stands in the way of safety and maintainability. In some cases, it’s not practical to deploy the security one would like to. It’s a tradeoff, and sometimes a painful one indeed. We are heavily pushing for everything to be encrypted, but this will greatly complicate debugging. Other provisions, such as firewalls, are a must for security, but for the safety guy the firewall is a safety hazard because it literally can catch fire. If you really need to include a firewall, it should be designed to run twenty years non-stop in varying temperatures, next to high-voltage lines, without physically catching fire. Such firewalls are not standard equipment in stock at vendors yet. So in their normal implementation firewalls definitely are a potential point of failure for safety.’
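The two preceding answers on fragile devices and passive mapping, illustrated with an added example that is not part of the interview and not ENCS tooling: a purely passive asset inventory built from flow records (time, source, destination, destination port), the kind of data a span port or a flow collector yields without ever sending a packet to a device. The flow lines, the addresses and the observation window are constructed; the port-to-protocol map uses the customary ports for Modbus/TCP, DNP3 and IEC 60870-5-104, and inferring master/outstation roles from flow direction is a heuristic, not a guarantee. The last function makes the interviewee’s point concrete: given the full record, it reports which assets a capture of a given length would have missed entirely.

```python
"""Added example: passive inventory of a control network from flow records,
for environments where an active scan is not safe. All data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Customary TCP ports for three common ICS protocols (heuristic only).
ICS_PORTS = {502: "modbus/tcp", 20000: "dnp3", 2404: "iec-104"}

# Constructed flow records: "<ISO time> <src> <dst> <dst port>".
# Note the outstations that report only every few weeks.
SAMPLE_FLOWS = """\
2015-10-01T00:00:05 10.0.1.10 10.0.2.21 502
2015-10-01T00:00:06 10.0.1.10 10.0.2.22 502
2015-10-01T03:00:00 10.0.1.11 10.0.2.30 20000
2015-10-02T00:00:05 10.0.1.10 10.0.2.21 502
2015-10-04T12:00:00 10.0.1.11 10.0.2.30 20000
2015-10-09T00:00:00 10.0.1.10 10.0.2.23 502
2015-10-20T06:30:00 10.0.2.40 10.0.1.12 2404
2015-10-31T23:59:00 10.0.1.10 10.0.2.21 502
"""


def parse_flows(text):
    """Parse flow lines into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def build_inventory(flows):
    """Every address that ever appears on the wire, with first and last
    sighting, number of flows it took part in, and the ICS role implied by
    flow direction (client = polling master, server = outstation/RTU)."""
    inv = defaultdict(lambda: {"first_seen": None, "last_seen": None,
                               "flows": 0, "roles": set()})
    for ts, src, dst, dport in flows:
        for ip in (src, dst):
            e = inv[ip]
            e["first_seen"] = ts if e["first_seen"] is None else min(e["first_seen"], ts)
            e["last_seen"] = ts if e["last_seen"] is None else max(e["last_seen"], ts)
            e["flows"] += 1
        proto = ICS_PORTS.get(dport)
        if proto:
            inv[src]["roles"].add(proto + "-client")
            inv[dst]["roles"].add(proto + "-server")
    return dict(inv)


def seen_in_window(flows, start_iso, days):
    """Addresses observed in [start, start + days)."""
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(days=days)
    seen = set()
    for ts, src, dst, _ in flows:
        if start <= ts < end:
            seen.update((src, dst))
    return seen


def missed_by_window(flows, start_iso, days):
    """Assets present in the full record but silent during the window:
    what a capture of that length would have failed to discover."""
    everything = {ip for _, s, d, _ in flows for ip in (s, d)}
    return everything - seen_in_window(flows, start_iso, days)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip, e in sorted(build_inventory(flows).items()):
        print(ip, e["first_seen"].date(), e["last_seen"].date(),
              e["flows"], sorted(e["roles"]))
    print("missed by a 7-day capture:",
          sorted(missed_by_window(flows, "2015-10-01", 7)))
```

On the constructed data a one-week capture starting 1 October sees five of the eight assets; the Modbus outstation polled weekly, and both ends of the IEC 104 link that speaks once a month, are invisible to it. An auditor reading such an inventory should therefore treat it as a lower bound, and should ask how long the capture ran and what the slowest known reporting interval on that network is.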
Smart grids are real spaghetti diagrams
To sum things up …?
‘The grid is regarded as the most complex “machine” in existence. Due to this complexity, auditing such an environment is a big endeavor with a lot of challenges yet to overcome.’
[1] SCADA: Supervisory control and data acquisition. SCADA systems are used for monitoring and control of equipment and production processes in industries such as energy, telecommunications, water and waste control, and transportation.
[2] See for example https://www.ncsc.nl/binaries/content/documents/ncsc-en/conference/conference-2013/speakers/klaus-kursawe/1/Klaus%2BKursawe.pdf. Retrieved 31 October 2015.
[3] http://youtu.be/fJyWngDco3g. Retrieved 31 October 2015.
[4] The European Union Agency for Network and Information Security, see: www.enisa.europa.eu.
Retrieved 31 October 2015.
[6] Nmap (Network Mapper) is a widely used security scanner.