4SICS: The ICS security challenges faced by a grid operator

News by Roi Perez

Erwin Kooi, information security architect, spoke at 4SICS 2016 and shared his thoughts on digitising Alliander's electricity service, while making sure it stays secure.


SCMagazineUK.com was rick-rolled today as Erwin Kooi, information security architect at Alliander, a Dutch electricity supplier, took to the stage at 4SICS 2016. Kooi's aim for the talk was to share some of Alliander's challenges in both upgrading to a smarter grid - which includes smart meters - and keeping it secure from harm.

Kooi began by speaking of one of the first instances of electricity supply by the Amstel Hotel in Amsterdam, which in the 1800s began supplying electricity to the houses around it. He showed examples of the size of mechanical equipment, which is used for the transfer of electricity. It quickly became evident why they are looking to upgrade and digitise their network.

But it goes without saying – digitising and upgrading systems of this nature introduce a number of security vulnerabilities, alongside various other company changes. This is because SCADA systems are introduced in order to control electrical substations over the air.

Kooi said that they started this process with the idea that, “grid stability is #1”. He told a story about a helicopter accident which took out the power supply from a certain area, and luckily the area was only using three percent of its substations' ability due to the use of green energy in the area. This meant the area was OK during the 48-hour blackout, and Kooi described his company's work into grid stability.

Kooi explained that a smarter grid has allowed them to expand monitoring and control lower voltages, decentralise control of parts of the grid, move electricity around more quickly to allow for smart car charging, energy storage (for balancing, as above with the green energy), flexibly switch street lights on and off, and become a data-driven grid operator.

It was at this point that Kooi turned to security – he said that despite somewhat common thought – we aren't “all going to die” from ICS hacking.

Kooi recognised that current grids definitely have their own common security vulnerabilities, or in his own words, “themes”.

These include default passwords, service backdoors, “open” wireless connections, and a distinct lack of hygienic internet connections. Kooi said that these issues are compounded by the fact that electricity grids – up till now – are yet to be secure by design and largely underestimate the motivation of attackers.

Kooi said, “There are more than enough chiefs writing policy, not enough indians to implement and run it,” adding, “there are more than enough people telling me what's wrong.”

So how do we achieve security and resilience? Kooi likened this to an escalator, “if you put power (resources/money) into it, you will go up a level.”

The first issue highlighted by Kooi is the human aspect of security. He said, “humans are paid to open emails, and respond to them. Don't tell them off for doing so.”

Kooi insisted that awareness is hard, but as soon as you call it “awareness training” you have lost. For this reason he suggested IT security needs to become a trusted business partner for other employees of the company. Employees need to know who to report risk to, employees should be getting security advisories if using IT at home, and remember to reward employees who have prevented an attack.

Suggesting a more human approach to security – Kooi suggested “don't ban the use of USB sticks – rather encrypt them in case of loss which humans are likely to do”. And Kooi even said they are building a new customer centre to make sure that the security and customer service teams are in the same place, and can then quickly share information.

Kooi then went on to speak of the importance of partnering with people within the industry, and that you have trusted partners for, “when you get that scary 3am call.” Kooi said Alliander are currently in partnership with IRB, a high-level .nl crisis organisation, and the NL/EU Energy ISAC which share high level information in their specialism.

Kooi then encouraged keeping up with the latest research – he mentioned almost too many research papers to write – but suggested coupling this with monitoring of threat intelligence to see which vulnerabilities an organisation is most likely to be infected by.

According to Kooi, the use of threat intelligence will also help with detecting and measuring what their systems are doing, and likewise with correlation of security events, saying that, “at Alliander we use a SIEM so we have great visibility of what is happening in our systems. If four events happen at the same time, we should have the visibility to understand if they are related.”

Failing all of this, drawing some laughter from the crowd, Kooi said he has a generator in his house for when things do go wrong.
