With the recent 2012 Utility Cybersecurity Survey infographic commissioned by ViaSat still at the front of Smart Grid Insights members’ minds, Zpryme decided to reach out to an energy industry thought leader to expand on the focal 2013 security topic. Ernie Hayden, Managing Principal, Industrial Controls Systems Cybersecurity for Verizon, was recently interviewed by Zpryme about his position on security and the Smart Grid. In the interview, Mr. Hayden discusses cybersecurity big data, policy, and the overall vulnerabilities posed by the Smart Grid.
Q&A WITH VERIZON [Ernie Hayden, Managing Principal, Industrial Controls Systems Cybersecurity]
[ZP] With “big data” becoming one of the focal points for 2013, what immediate security concerns should utilities have regarding data breaches?
[VERIZON] A) There are several concerns. First, does the loss of data violate any state data breach laws that require notification to the affected customers? Secondly, does the data include smart meter data that could violate the State of California data breach ruling for smart meters? Thirdly, could this data breach be viewed as a privacy violation or “problem”? Lastly, what will be the impact on the utility’s stock price and reputation? B) Other concerns to be raised are 1) how did this happen? 2) was it an insider or outside attacker? 3) was it caused by an error? 4) what is the root cause? 5) what do we need to do to prevent further breaches or damage?
[ZP] Beyond utilities, what’s another industry in the smart grid ecosystem that should be cognizant of security and why?
[VERIZON] A) You may see the “smart grid” concept moving to water utilities, gas utilities, oil and gas companies. All would need to be concerned with security of their systems and data since they are all considered “critical infrastructure.” B) Other entities who would be concerned about security of their “smart grid” systems are those operating microgrids such as jails, military bases, industrial parks, large facilities/campuses, universities.
[ZP] Are cybersecurity smart grid policies where they should be?
[VERIZON] A) Not yet, but they are getting closer. For instance, NIST has come out with NISTIR 7628, which is an excellent start. They are augmenting this document with smart meter test and certification guidelines shortly. However, the challenge is that these are merely “guidelines” and as such they can be ignored or followed with the same consequence – i.e., no consequence. B) We need to get some stronger, enforceable standards in place for the smart grid – maybe deciding that NISTIR 7628 should be used and audited. C) We also need consistency in privacy of the data/signals with the smart grid that makes sense. Hence, some federal laws in that regard may be helpful.
[ZP] With a defined cyber security strategy becoming a reality for utilities, what’s the first recommended step to assess critical infrastructure?
[VERIZON] Probably the first thing to do is to define, itemize and inventory your critical assets. You need to know what these assets are, where they are located and whether or not they are immediately secure. These assets include the physical assets themselves as well as software, documentation, files, etc.
[ZP] How is Verizon changing the way the energy industry views security and the smart grid?
[VERIZON] With my “Four Layers of Smart Grid Security” speeches, Verizon is attempting to get the energy industry to realize that security of the smart grid is more than just cyber. It includes physical security, privacy, and storage of the data. It is more “holistic” than just focusing on the cyber side.
About Verizon Industrial Control Systems (ICS) Security Practice:
Verizon has set up a new practice focused on Industrial Control Systems (ICS) security. ICS are used in many process industries and critical infrastructure such as electric, gas and water utilities. ICS are also used by oil and gas companies, refineries, transportation systems, etc. Different types of ICS include Supervisory Control and Data Acquisition (SCADA), Energy Management Systems (EMS), and Distributed Control Systems (DCS). Verizon decided to enter this arena because ICS security is not the same as IT security, and as such a new focus in this area is appropriate. Verizon’s offering in this space includes ICS security incident response as well as system security assessments, architecture security reviews, and ICS security training. The practice is led by Mr. Seán McGurk, who set up and ran the ICS-CERT when he was a director at the Department of Homeland Security. Ernie Hayden is supporting this effort as a member of Seán’s team. Visit verizonbusiness.com to learn more.