Cybereye By William Jackson
January 28, 2015
View original article:

The administration has produced guidelines for protecting the nation’s critical infrastructure—a voluntary risk-based framework that tells system owners and operators what they should do to manage cybersecurity risks. Research from Waverley Labs and the University of North Carolina at Charlotte has developed a risk assessment model for the smart grid that could tell them how to do it.

A collaboration between commercial and academic labs has produced a computer model that could help owners and operators of smart energy grids manage the risk from cyberattacks. The model is intended to support the Obama administration’s Framework for Improving Critical Infrastructure Cybersecurity by assessing the impact of hypothetical attacks against system components so that risks can be identified and prioritized.

The framework is a set of industry standards and best practices put together by the National Institute of Standards and Technology with input from industry, including the electric power sector. The guidelines tell operators of critical infrastructure what to do, “but they don’t say how to do it,” said Waverley Labs founder Juanita Koilpillai. “We’re saying here’s how you do it.”

The University of North Carolina at Charlotte provided the research infrastructure for the project in its Energy Production and Infrastructure Center (EPIC). A prototype tool is undergoing evaluation in a number of settings, including one federal agency, and Waverley Labs hopes to develop a commercial product. The timeline for a product will depend on the results of evaluations and market surveys.

Whether or not this model is commercialized, some method of prioritizing and managing risk in the Smart Grid is essential to risk-based cybersecurity.

The power industry’s emerging Smart Grid enables more efficient power production and use by accommodating renewable energy sources and by using equipment that can be remotely accessed and controlled and allowing two-way communication. But along with efficiencies, the Smart Grid also introduces risk by combining three different technical domains—communications, IT and electric power transmission—and exposing it all to the Internet. Few organizations have adequate expertise in all three areas, said Dr. Madhav Manjrekar, an associate professor at UNCC.

There is greater cooperation today between the industry’s technical and business sides, but there still are gaps in training and expertise that need to be bridged. The typical power engineer trained 20 years ago doesn’t have a background in cybersecurity, said EPIC director Dr. Johan Enslin.

The first step in securing any infrastructure is to understand it, and this includes identifying those elements that are critical, understanding the threat posed by attacks—either cyber or physical—and prioritizing deployment of limited cybersecurity resources. This can be a daunting task, and the Waverley-UNCC work aims to help with the process. A real high voltage distribution network between Winnipeg and Minnesota that has incorporated Smart Grid technology was modeled, and the model was then run on the EPIC network with “what-if” simulations to determine the impact of different types of attacks on different segments and elements of the network.

The goal was to answer the question, “if something would happen, what would be the potential result,” Manjrekar said. “If this happens, it is a frustration. But if that happens, it affects the whole line.” Scenarios have been identified and cataloged according to impact to enable security controls to be placed where they are most effective.

“This is a very timely exercise,” Manjrekar said. With the upgrading of power grids and increasing Internet connectivity, concerns about cyberattacks against the infrastructure are growing. Anything that can help industry apply the standards and best practices contained in the critical infrastructure framework in an effective way is welcome.