The energy sector has been adopting technologies whose lifespans are far shorter than the decades typical of electrical infrastructure. This rapidly changing technology landscape affects all engineering disciplines responsible for that infrastructure and its associated technologies, and it impacts both physical and cybersecurity practices. Because of these shortening lifecycles, the energy sector needs tools to help identify and define emerging technologies, explore the various applications and use cases supported by those technologies, and assess the impact these emerging technologies may have on cybersecurity. A generalized framework for emerging technology assessment is needed that can be applied at all levels of industry (e.g., engineering, security, industry forums, and regulatory entities).
Industrial Control System (ICS) Attack Framework
Evaluating Emerging Technologies
Emerging technologies provide grid planners, operators, and engineers with use cases that can lower costs, increase performance, improve reliability, and offer many other possible benefits. The electric power system is a tightly coupled network of elements such as generating facilities, substations, load distribution stations, control centers, and communications networks. In addition, each entity has corporate IT networks, suppliers, vendors, equipment manufacturers, contractors, consultants, and other systems in place for the power system to function effectively. The introduction of emerging technologies may bring benefits; however, an evaluation framework is needed for entities to assess the potential security risks associated with adopting the new technology. There are some existing frameworks related to the evaluation of emerging technology, such as the National Institute of Standards and Technology (NIST) System, Component, and Operationally-Relevant Evaluations (SCORE). However, there appears to be a gap in the electricity sector regarding how utilities and the electricity ecosystem can evaluate emerging technologies being introduced within this space.
This section presents such a framework that may be used by any entity (utilities, generator owners, independent system operators, regulators, and industry committees) to evaluate potential risks of emerging technologies. The goal is that the use of this type of framework can help entities effectively and uniformly assess these risks and weigh them against the possible benefits.
The evaluation framework presented here, named the ICS Attack Framework for Evaluating Emerging Technologies, focuses on including cyber risk in the process and can help a mature program make decisions about necessary responses based upon the outcome of the evaluation. The evaluation process includes the following steps:
- Intended Application
- Cybersecurity Risk Evaluation and Considerations
- Scale of Deployment and Adoption
- Attack Vector Diversity
- Evaluation Outcome
Ownership is one of the biggest challenges regarding risk management of emerging technologies. Many of the technologies span boundaries within an organization, subsectors of the electricity sector, and even jurisdictional boundaries. Shared ownership presents challenges regarding standardization, establishing clear processes and procedures, and securing these technologies from end to end. Ownership is shared among the technology developers, implementing customers, and regulatory bodies. All play key roles in ensuring a strong security posture for the power system. Therefore, these boundary-spanning emerging risks cannot be overlooked or ignored. The maturation of the ICS Attack Framework presented here, and the accountability of implementing such a framework more generally, is essential for the electricity industry.
Evaluation Process
The ICS Attack Framework is intended to be adaptable to any organization, industry group, regulatory body, or other functional entity looking to assess the security impacts of an emerging technology. Each of the steps within the evaluation framework includes a noncomprehensive list of questions posed to initiate conversation or ideas within an organization. The lists of questions are not intended to be exhaustive in any way; rather, they should evoke discussions and coordination within an organization or across organizations to address each step in the evaluation process.
Intended Application
The first step in evaluating an emerging technology is determining the intended application(s) of that technology. Clearly defining how the technology will be used operationally will help identify the level of cyber requirements that should be imposed on it. Emerging technologies can be used in vastly different ways and will differ by entity based on their level of risk tolerance, by areas of the energy sector based on their ability to fund new projects and explore efficiency improvements, and many other factors. For example, cloud computing technology can be used to store cyber-system information in the cloud or to execute core system operational functions within the real-time environment. Clearly identifying the intended application of any new technology is a critical first step in this framework.
Cybersecurity Risk Evaluation and Considerations
Once the intended application and its supporting technologies are well understood and the extent of micro and macro systems involved has been well defined, the cyber risks can be evaluated.
Evaluation of the potential cyber risks associated with an emerging technology should address the complete lifecycle, starting with the supply chain. Supply chain compromise at the application or technology level can be due to a number of factors, such as rogue developers, third-party code libraries, insufficient security testing processes, or compromised update patch repositories. Audits are emerging as a common form of evaluating the security of supply chains.
Scale of Deployment and/or Adoption
With a clear picture of the intended application, the micro and macro systems involved, and the potential cyber risks identified, the ICS Attack Framework then looks at the scale of deployment and/or adoption. Understanding the scale of deployment and/or adoption helps determine the magnitude of the impact that a compromised or exploited emerging technology could present to the micro and macro system. A large-scale deployment and/or adoption increases the impact and appeal of an attack. The analysis of the potential domino effect is critical to understanding the role that an emerging technology might have on the bulk electric system. At the micro level, the consequences of an exploit might seem small; for example, the loss of a single load or loss of visibility of a single asset. However, the simultaneous impact could cause wide-area frequency instability, large-scale equipment damage, etc.
Attack Vector Diversity
The last phase involves considering how diverse the attack vector is for a specific emerging technology. The likelihood of an attack is subjectively related to the ease of execution and the appeal, whereas the attack vector diversity relates to the difficulty of executing an attack that realizes the impact at broad scale. This becomes an analysis of whether a majority of deployments of an emerging technology share a common mode of failure. This could be due to the limited number of manufacturers, use of a common communication protocol, standardization on component code base, etc. When an emerging technology has a very limited diversity in deployment architectures or designs, the micro-level analysis may not identify a major risk, whereas the macro-level potential impact on the bulk electric system is greatly increased. Common examples include technology such as smart appliances, electric vehicles, and distributed energy resources, where limited numbers of manufacturers, standardized protocols, and remote connectivity or control could require regulation to mitigate risk.
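One way to run the common-mode check described above over a deployment inventory, as an added example that is not part of the original article. The inventory records, field names (`manufacturer`, `protocol`, `code_base`, `mw`) and vendor labels are constructed assumptions; the majority threshold follows the text's "a majority of deployments".

```python
from collections import Counter

# Constructed sample inventory (not real data); field names are assumptions.
FLEET = [
    {"site": "A", "manufacturer": "VendorX", "protocol": "ProtoP", "code_base": "stack-1", "mw": 2.0},
    {"site": "B", "manufacturer": "VendorX", "protocol": "ProtoP", "code_base": "stack-1", "mw": 3.0},
    {"site": "C", "manufacturer": "VendorY", "protocol": "ProtoP", "code_base": "stack-1", "mw": 4.0},
    {"site": "D", "manufacturer": "VendorY", "protocol": "ProtoP", "code_base": "stack-1", "mw": 1.0},
    {"site": "E", "manufacturer": "VendorZ", "protocol": "ProtoP", "code_base": "stack-2", "mw": 6.0},
    {"site": "F", "manufacturer": "VendorZ", "protocol": "ProtoQ", "code_base": "stack-2", "mw": 4.0},
]
ATTRIBUTES = ("manufacturer", "protocol", "code_base")


def common_modes(fleet, attributes=ATTRIBUTES):
    """Per attribute: the dominant value and the share of deployments and of
    aggregate capacity (MW) that depend on it."""
    if not fleet:
        raise ValueError("empty inventory")
    total_mw = sum(d["mw"] for d in fleet)
    report = {}
    for attr in attributes:
        value, count = Counter(d[attr] for d in fleet).most_common(1)[0]
        mw = sum(d["mw"] for d in fleet if d[attr] == value)
        share = count / len(fleet)
        report[attr] = {
            "value": value,
            "deployment_share": share,
            "capacity_share": mw / total_mw if total_mw else 0.0,
            "majority": share > 0.5,  # "a majority of deployments" per the text
        }
    return report


def shared_failure_modes(fleet):
    """Attributes where a majority of deployments share one value."""
    return sorted(a for a, r in common_modes(fleet).items() if r["majority"])


if __name__ == "__main__":
    for attr, row in common_modes(FLEET).items():
        print(f"{attr:13} {row['value']:8} deployments={row['deployment_share']:.0%} "
              f"capacity={row['capacity_share']:.0%} majority={row['majority']}")
```

In this constructed fleet no manufacturer holds a majority, yet the protocol and the component code base are each shared by most deployments, which is the case where a micro-level review per vendor would miss the macro-level exposure.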
Framework Evaluation Outcomes
The outcome of this evaluation provides visibility into the scale of potential system impact, the threat vectors that are possible, and the evaluation criteria that will measure the performance and value that emerging technologies might provide. The goal is to incorporate security controls in the form of embedded functionality at the component level or to incorporate compensating security controls at the system level in the simplest and most economical fashion.
Emerging technologies are essential to making the bulk electric system safer, more reliable, and more economical. Innovation must be encouraged, and the ICS Attack Framework allows critical infrastructure operators to better understand cybersecurity risks and responsibly integrate system improvements. Regulation should only be required when ownership of risk mitigation cannot be balanced between suppliers and consumers.
The research performed through this process on any emerging technology will guide the next phase, which is component- and system-level testing. Evaluating emerging technology in both a nonproduction (lab) environment and a production environment provides the metrics and test-participant feedback to advance the evaluation.
- What are the potential impacts that the emerging technology will have on an organization?
- What are the compensating security controls that could be put in place to mitigate any security risks associated with adopting the emerging technology?
- Are there any standards, requirements, or regulatory considerations that need to be met to secure adoption of the technology?
- What types of testing or certification are needed to ensure secure adoption of the technology?
Author
William Edwards, CISSP, PE
Senior Engineering Manager, Infrastructure Defense
William Edwards, CISSP, PE, received his BSEE from the Georgia Institute of Technology in 2011. He joined Schweitzer Engineering Laboratories, Inc. (SEL) in 2011, where he is presently the head of the SEL Cyber Services team within Infrastructure Defense. Prior to joining SEL, William worked for Concurrent Computer Corporation, where he ensured quality for video-on-demand solutions. William is a member of the IEEE, a Certified Information Systems Security Professional (CISSP), and a registered professional engineer in Alabama, Arkansas, Georgia, Puerto Rico, and Tennessee.