We recently got to spend a few enlightening days with SCADA (supervisory control and data acquisition) owners and engineers from across the country at the Subnet User conference. For those that are not familiar with Subnet, they are a Microsoft partner and Smart Energy Reference Architecture (SERA) advisory council member that specializes in making Utility substations more intelligent through their unified grid intelligence solutions. Subnet has enjoyed tremendous success as of late as 9 of the 12 largest North American utilities listed by Fortune Magazine have implemented SUBNET’s NERC CIP technology
The hot discussion topics at the conference were the product enhancements that enable Subnet to remain an industry leader of substation security through access control and, security in general. Security as a topic always comes up when discussing SCADA as threats such as malware, hacking, access control continue to grow making it hard to know what a Utility can do given then need to keep operational SCADA functioning with limited budgets.
Compounding the security problem is the rapidly increasing amount of SCADA data as well as the increasing number of systems from which the data is being sent. While there are no silver bullets, especially to making legacy systems secure another key topic of discussion, there are some best practices emerging from the conference that offer hope.
Ameen Hamdon, President of Subnet opened the conference with a focus on security. Of particular interest was his point that the impact of growing connections of Intelligent Electronic Devices (IED's) become a point of vulnerability that must be managed.
Their PowerSYSTEM Center solution enables IED Management, Password and Configuration Management that provides the potential to virtualize substation software. This solution eliminates the tiered complexities of older systems while gaining redundant/high availability architecture for the substation. Security, scalability, and the ability to better manage cyber assets are all accomplished.
· Michael Howard, Microsoft Cyber Security Architect for Microsoft provided a compelling argument for developing a robust solution beyond the firewalls that we so often rely on. Michael outlined how cyber threats are increasingly coming from software solutions being added to Utility operations in order to manage our more intelligent devices on the grid. Referring to Ameen’s keynote, Michael discussed how the interfaces between the software and platform can create vulnerabilities that are not apparent when testing the operating systems and software solutions separately.
In our view there are two immediate actions that Utilities can do to increase security in spite of this challenge:
1) Implement vulnerability testing starting with your most essential system. The testing needs to include testing from the point of view of the business. Many systems that are critical to a Utility might not be essential to grid reliability. Michael point out that there is a significant potential liability to ignoring cyber risks to the business. Vulnerability testing is an uncommon skill set in Utilities today but is of growing importance. A good place to start learning about vulnerability testing is through Microsoft’s Software Development Lifecycle.
2) Make sure that the developers of your software solutions follow Subnet’s lead and have in-depth knowledge of the platforms that they are developing on and have tested the interfaces. This is another reason why Subnet was able install their NERC CIP technology in 9 of the 12 largest North American Utilities listed by Fortune Magazine.
One of the major take aways from the conference is that, while it’s impossible to identify and eliminate all vulnerabilities, there are some very bright minds in our industry working to make today’s Utility operational systems more secure while still meeting the challenges discussed. – Jerry Thomas and Jon C. Arnold