How Vulnerable Is Your Network?
Electric utilities and broadband networks provide essential services to the communities and regions they serve. Yet as these core industries, both vital to our nation’s infrastructure, increasingly overlap, new vulnerabilities and security hazards arise from the intermingling of systems with divergent structures and missions. These vulnerabilities can result in a variety of critical threats to the safety of our communities, and may take the form of:
- Ransomware attacks
- Hacking that creates disruption or damage to the grid
- Spoofing information that would allow for misrepresentation, such as false SWAT attacks
- Distributed Denial of Service (DDoS) attacks
- Physical damage that can knock out your grid and broadband network
- And much more
As electric utilities increasingly open themselves up to ISP services and attempt to co-mingle internal communications, or use those fiber pathways to manage tasks such as distribution automation, the risks continue to multiply.
When worlds collide—utility electric and broadband
In our hyper-connected world, cybersecurity threats continue to rise—and threats to our critical infrastructure can present great risks to the continued health and safety of our communities. As individual industries, electric utilities and broadband service providers have, for the most part, carved out and implemented the essential requirements for maintaining secure networks through the use of federal regulations, such as NERC-CIP.
Even so, we’ve seen numerous examples of isolated failures of our electric grid, as well as a variety of ransomware attacks that erode trust and create potentially fatal disruption. Each failure demonstrates our vulnerability and reminds us to be ever-vigilant with regard to the security of our systems.
The challenges are compounded as electric utilities take on the additional task of providing internet services for their customers, either by themselves or by partnering with existing broadband service providers who seek to expand their reach through existing grid infrastructure. Once a secure electric grid starts sharing network and equipment resources with a broadband network, the risk of becoming compromised increases—and an electric security expert, well-versed in the ways of keeping a traditional electric network secure, is often not the expert you need when it comes to the security of a hybrid system.
According to Sean Middleton, Director of Strategy and Operations at Finley, “Co-mingling a smart grid network with a broadband network introduces a variety of potential vulnerabilities that don’t exist when these entities are kept separate. That’s why it’s important to examine your strategy and recognize potential pitfalls in advance of taking action.”
Creating separation and building bridges
Superficially, similarities may seem to exist with regard to security within the broadband and electric utility ecosystems. For instance, broadband companies need to be able to isolate users within their one-to-many structure in order to keep the data of individual users safe. Likewise, utility companies need to isolate their grid from outside interference. In an abstract sense, the missions might appear to be similar.
However, unique challenges arise when utilities and ISPs share the same network system. For the safety of the grid, the one-to-many relationships of broadband need to be effectively walled off not just from each other, but also from the internal communications that are necessary to run the electric grid.
Physical vs. Virtual Separation
Some choose physical separation of lines (by reserving some strands of the fiber network for the utility and separate strands for the telecom side)—but often, companies decide instead to handle this separation programmatically by using encoded packets. In these instances, the primary question becomes which protocols are in place that allow all the packets to communicate effectively while keeping bad actors from accessing and corrupting the good information.
Encryption
If the separation is to be achieved programmatically, there are many additional questions that need to be asked. What kind of encryption, if any, is going to be used? Will you tag packets, i.e., use VLAN tagging? Will you employ encrypted transmissions? If communication is happening in a public space, how will you keep packets from being intercepted? Ensuring that your solution uses the correct protocols, finding a way to manage it, and planning for growth as assets are added are all open issues that are important to address.
Monitoring
The ability to monitor your entire network is vitally important. Even if you’ve created a strong system and put it in place, you’re still working at a disadvantage if you don’t have the ability to recognize a cybersecurity issue when it arises. In short, if your system were compromised by hackers or if another critical issue arose, how would you know it—and how long would it take you to find out?
“When you create physical separation by separating strands, you’ve already started by creating an inherently elevated level of security for yourself,” says Middleton. “And when you enhance that with security in the virtual sense, you’re typically in a much better position.”
Unfortunately, there isn’t a one-size-fits-all solution. There are a variety of factors that may make physical separation on your network unfeasible, which simply means you need to opt for the strongest virtual solution you can.
Perhaps the most important takeaways regarding the creation of a secure network are: a) careful and thoughtful security planning is crucial to the strength and safety of your network, and b) good security isn’t something you can do on the cheap. You may be able to get by for a while by cutting corners, but saving money in this way can come at enormous cost down the line.
The physical security of your network
While the information and integrity of your internal communication systems represent a critical asset to be protected, additional security risks arise from the exposure of your network’s physical assets. Those risks can take a variety of forms, such as the placement of a critical junction for the network in an exposed location that hasn’t been sufficiently hardened. If you haven’t put the appropriate effort into designing with security in mind, everything from a farmer with a shredder to a teenager shooting at birds with a shotgun has the potential to knock out your network.
As a caveat, it’s important to acknowledge that even after you’ve spent considerable energy anticipating every conventional threat to your network, opportunities to be blindsided will always exist. For instance, the materials used to construct your assets may have additional value that can mark them as a target. One example may be as basic as copper wire—copper is a precious metal that has value well beyond its use within your system.
There have been numerous instances where vandals or thieves, seeking to steal copper wire, have gained access to locations or substations where critical telecom assets were located. In these instances, they’re often completely unaware of copper’s important role in your system—they’re just there to steal a precious commodity they can resell. And by simply prying a padlock off the door to a substation, they now have the ability to do enormous damage to your network.
By now, it should go without saying: a padlock on the door is probably not the optimal security measure you need to protect your entire network. You need to take the time and spend the money to harden your assets.
Network security requires the right kind of decision-making
The choices you make are important to the security of your network. “Every time you choose a less expensive security option simply because of the cost, you’re running the risk of poor decision-making that could have a devastating impact on your network,” says Middleton. “This fact shouldn’t suggest that every issue requires the most expensive solution available—it simply means the decisions you make should strategically focus on good design, security, and strong cybersecurity as priorities.” Take the time to plan carefully as you build and upgrade your network. Consult outside experts, rather than relying on internal knowledge that may not be up-to-date or address your specific needs. And be willing to spend the money to ensure your network is as strong as you can practically afford to make it.
Your business is important to the strength of communities you serve and to the people you care about. You need to do everything you can to protect it.