Smart grids need to look to bug bounty programmes to safeguard citizens
Almost as old as the internet itself, bug bounty programmes can be traced back to Netscape in 1996, whereby the company's engineers offered to financially reward Netscape fans who publicly posted repairs and recommendations to fix problems within Netscape's browser. Since then, they've been adopted across the technology industry, as companies turn to these forms of external auditing to better secure their products and services.
This directly affects their brand in the eyes of shareholders and customers, which helps to explain why – for example – Facebook paid out US$880,000 (£640,000) in 2017 in response to 12,000 submissions from researchers. To date, the company has paid a total of £4.7 million to bug bounty hunters. In addition to Facebook, the likes of Google and Apple (the latter only since 2016, however) and even the Pentagon have got involved with bug bounty life. Looking at these names, it's clear that tech companies are leading the way.
However, it's not just these companies, which are cyber-fluent by nature; other types of business, such as General Motors, are edging in too. As the energy sector becomes increasingly targeted by cyber-attackers, it seems curious that smart grids and wider critical infrastructure haven't adopted similar bug bounty programmes. Considering the prevalence of highly advanced technological systems and the high stakes, it's reasonable to wonder why the industry hasn't employed an approach with such a strong track record.
Undoubtedly, ethical hackers bring a fresh set of eyes to potential security vulnerabilities, thanks to the access to cyber security talent that excels far beyond any in-house team. This can help shape and direct future product improvements, but also proves a necessary investment that can help thwart costly breaches and other hacks that might put a business in jeopardy. Meanwhile, for would-be ‘white hat' hackers and security researchers, bug bounties are an excellent way to get recognition and remuneration for their skills without putting on a black hat. So why hasn't the energy sector got involved?

It might seem like there's a fundamental difference in how smart grid cyber-security and the complementary research community functions. Broadly, however, this is not the case. The smart grid cyber-security space is replete with talented and inquisitive people, as seen in the wider cyber-security space, and there are no defining aspects of the smart grid that should stop bug bounty programmes. Indeed, when it comes to the energy sector, good cyber-security hygiene is most important; nobody wants their personal data leaked in a Facebook breach, but a grid hack could prove genuinely catastrophic.

In terms of why the smart grid has not caught up with the rest of the security space, answers may lie in the smart grid's infancy. A lot of the technology is there, but not yet all of it. Roll-outs have mainly been experimental and exploratory, rather than comprehensive. As such, it follows that the stakes are perhaps not yet perceived to be high enough; the smart grid is currently not viewed as truly critical infrastructure.

Other issues include expense. Global tech giants can have more cash reserves than many countries; Apple certainly does, and Google isn't far behind. General Motors is an industrial powerhouse, and the Pentagon is one of the most advanced, well-funded defence organisations in the world.

There's certainly money in the smart grid, but it's a time of transition for the energy sector; moreover, research and development is expensive. Against this backdrop, it's understandable that companies would be reluctant to part with their cash and add to the cost base. It's a common objection – even the original Netscape bug bounty faced opposition from the VP of engineering, who believed it was a waste of time and resources.

So, while a mixture of maturity and funding affects take-up, neither should be an insurmountable barrier. Citizens can't afford to wait until the smart grid is grown-up and omnipresent for it to be secured – it has to be now. Regarding cost, bug bounties can actually be very economical ways to discover vulnerabilities. There's no need to pay a salary or for any unused discoveries – only for results. On top of this, pay-outs can range from one hundred dollars to one hundred thousand dollars, so there's a bounty to suit any budget.

As ENCS knows from its research and work with the industry, collaboration is key to smart grid cyber-security. The safety of critical infrastructure goes far beyond matters of competitive advantage between companies. As a society, we can't afford to let businesses invest resources in silos, re-inventing the wheel instead of making cohesive progress. Ultimately, there's no reason why this spirit of collaboration can't extend to bug bounty programmes to spread the cost.

Companies that have good bug bounty programmes have benefited immensely, so it's time to share these benefits with smart grids. For now, the main issue seems to be that smart grid systems are still young, and the pay-outs desired might be a tad too high for such a programme. A better first step is to implement an industry-wide vulnerability sharing programme to iron out as many early problems as possible, enabling the sector to mature. Once that's done, critical infrastructure bug bounty programmes will have their time to shine, and the small army of ethical hackers will be amply rewarded.

Michael John, director of operations at the European Network for Cyber Security (ENCS)

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media