Energy Security Is A Growing Concern

Unless you've been down a mine shaft these past few years, it should be clear that the security threats landscape has been changing "“ and not always for the better.

Taking a leaf out of the Department for Homeland Security and US-CERT, the European Network and Information Security Agency (ENISA) has recently issued guidance on the security of energy critical national infrastructures (CNIs) of European Union countries. Amidst all of the advice, however, one issue that has been missing is that enterprise key management should form the central backbone of any energy sector security strategy. This need has become increasingly important as a business imperative in order to ensure that organisations maintain control over trust. 

While ENISA has made reference to encryption, cryptographic controls and managing authentication in its advice, our observations suggest that the agency has not adequately addressed the specifics on key and certificate management. Real-life examples exist today of systems having unauthorised access gained through the use of digital credentials, in the form of SSL certificates, that were either out-dated or created using algorithms that are known to be weak. These weak credentials create a risk that secure communications can be intercepted and altered or that unauthorised individuals may gain direct access to critical systems. A hacktivist or cyber-terrorist could intercept a secure communication between a power plant and an electrical distribution system, and ensure that too much power is delivered across a transmission line thereby damaging the line. Alternatively the same entity may gain direct access to a computer system within the power plant and insert malware that would directly control the industrial control systems and thereby shut down or physically damage the plant.

The bottom line when it comes to defending country-based Critical National Infrastructures (CNI) "“ such as the energy grid - is that you cannot control - and document for audit and compliance - the use of encryption and strong authentication without effective key and certificate management.

ENISA is advising that smart grids need to build security in from the ground upwards, using encryption and strong authentication tools such as digital certificates to secure data and access. While this is sound advice, I believe based on conversations with our enterprise public and private sector customers that the only way for smart grid providers to effectively control and document these critical trust and security instruments is to deploy effective key and certificate management as an integral feature of their security architecture. This is especially true in the UK, based on the CNI architectures we have encountered "“ and I strongly suspect that the Information Commissioner's Office (ICO) will take the same view.

To ensure secure and trusted communications, certificates and keys validated by third-party CAs will play a critical role. Very much in the same way that ecommerce and other web-based transactions and communication systems are protected by certificates and keys, they can also effectively protect Internet communications that support interoperable system communications, thus hardening them against threats and attacks. While the strategy of using certificates is well proven and a security best practice, recent history has shown that if not properly managed a dark side to certificates can emerge. Lessons from the last two years demonstrate that certificates can be falsified, compromised, destroyed or stolen"”leading to devastating attacks and data breaches. 

Nevertheless, those certificate failures cannot be blamed on the certificates themselves. The problem actually stems from the lack of proper management of the security and trust instruments. Improper certificate and key management that leads to security compromises is exemplified by some "worst practices" use cases. With the UK data regulator now hitting its stride on best practices and guidance "“ as shown by the recent maximum fine of £250,000 against Sony for its PlayStation Network breach back in 2011 "“ it is clear that the ICO will be looking to CNI security strategists to secure the UK's energy, communications and allied infrastructure networks.

We know that UK energy companies have progressively been deploying the end-user building blocks in the country's smart grid for several years now, as mandated by the Energy Act of 2008. The UK has been loosely following the smart meter blueprint laid down by Sweden, which "“ as you might expect with its high-tech reputation - was first out of the gate with smart metering pilot studies way back in 2001, moving up to a commercial rollout that started in 2009, and which is continuing to this day. The rollout of smart meters in Sweden has accelerated in the last 18 months or so, following the Swedish government's mandate on energy suppliers to provide monthly meter readings for customers.

Coupled with the fact that Swedish energy suppliers can no longer send bills based on estimated readings - and the time allowed to correct billing errors has been reduced from 13 to just two months - it's no small wonder that the energy companies there are keen to complete their smart meter rollouts in as short a timeframe as possible. Let's hope that the smart meter rollout in the UK achieves similar successes on the deployment front "“ and lays the foundations for a robust and secure critical national infrastructure energy grid. The next few years will, we think, set the pace for how the UK defends its CNI "“ installing the best security is a logical step towards this goal.

© 2013 Angel Business Communications. 

Permission required.