With the advent and implementation of smart grid infrastructure across power utilities, there has been a paradigm shift in the efficiencies of the grid. The use of digital communication technology has led to high-speed communication enablement across various components as well as better data analysis and real-time control. This has proven to be advantageous not only to retail customers but also to large industry and power utilities that are able to better manage grid assets and investments.
However, digitalization comes with its own set of vulnerabilities. High-speed data transfer, while providing for real-time data analysis and control, also opens itself up to exploitation by hackers and other malcontent actors. Attacks on the grid not only cause revenue loss for the utilities and have a significant detrimental financial impact on communities but also impact national security at large.
Risks and Challenges
Worldwide, power utilities face infrastructural challenges, with legacy systems, which limit efforts to expand coverage and services. Along with extreme weather events and distributed energy resources, grids have had to become more resilient and agile.
Along with the advent of the Internet of Things (IoT), the need for robust and reliable telecommunications within the grid has become paramount. While public telecommunication networks have the flexibility to move to newer applications and packet-switched technologies, infrastructure such as electrical utilities, due to their critical nature, have been bound by stringent requirements, ensuring the reliability of service.
One of the more significant challenges for utilities has been cyberattacks. In the year 2020, according to analytics firm Netscout, which maintains a real-time Cyber Threat Horizon tracker, there were close to 1,800 “distributed denial of service” (DDoS) attacks against utilities worldwide, in a span of 3 months. In the U.S., the FBI warned about hacker groups targeting the energy sector. While most utilities acknowledge the critical need for effective cybersecurity, implementation is still an uphill task. And given the prevalent climate, the pandemic, economic uncertainty, and adverse geopolitical events, it would be natural to assume that there would be an increase in cyberattacks.
While cyberattacks can target several levels of a utility's communication system, Wide Area Networks (WANs) have proven to be significantly more vulnerable, because they expose information at various points in the system and make it more likely that an attack goes undetected.
There are three primary means of attack that electrical systems are prone to:
- Confidentiality. Data security is compromised by phishing and by leaks of sensitive information such as consumers' financial data.
- Integrity. Tampering, replay, and false data injection are some of the methods by which data is compromised to cause loss of function, overloading, and trips.
- Availability. DDoS is one of the basic methods used to make WAN systems unavailable; others include jamming, wormhole, and buffer overflow attacks.
While it is possible to reboot systems to recover from certain cyberattacks, systems can be overwhelmed and physical damage to critical hardware is a possibility. Hence, safeguarding against cyberattacks with appropriate and future-ready technologies is of critical importance for power utilities worldwide.
Encryption and Packet-Based Technologies
In order to guard against growing threats and ensure stable and reliable power, there has been an increasing reliance on encryption technology to face the challenges in safeguarding the grid. Critical infrastructure such as power grids, railways, and air-traffic control requires encryption that offers long-term protection and greater security.
With the increase in system integration and network connectivity, combined with the digitalization of power grids, the concept of shifting critical operational communication protocols toward packet-switched wide area networks is gaining larger credence.
However, the use of packet technology through WAN brings new challenges for power utilities. Mission-critical performance parameters such as jitter, wander, symmetry, and latency need to be guaranteed by the newer technology under any network condition while keeping the changing cybersecurity requirements under consideration.
Attackers can shut down a grid by targeting applications that rely on accurate time-of-day information; hence, cybersecurity needs to cover everything from the application data of remote terminal units (RTUs) and protection relays to network protocols like IEC 61850 GOOSE.
Security for power grids needs to ensure high availability and bandwidth in varied operational environments. Hence the need to guarantee confidentiality and authenticity of data transmission in operational packet-based networks is critical and can be achieved by using encryption and relevant authentication protocols.
However, many applications and end devices in power grids currently do not support data encryption, and therefore, additional technologies need to be utilized to provide such functionality. One of these is the IPsec network protocol, which encrypts packets of data, providing for secure communication by sharing security attributes and rejecting unauthorized packets. Internet key exchange (IKE) and mutual authentication protocols are used during the session. The drawback of IPsec is that it significantly affects network performance and this downgrade affects real-time applications such as tele-protection, which is extremely sensitive to delay.
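The packet-rejection behavior described above, as an added example that is not from the article or any vendor product: a receiver that verifies an integrity tag and applies an ESP-style sliding anti-replay window, covering the tampering, replay, and injection cases listed earlier. It shows authentication only, not encryption; the packet layout, the `protect`, `Receiver` and `demo` names, and the payloads are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

WINDOW = 64   # anti-replay window size, in packets
TAG_LEN = 16  # truncated HMAC-SHA-256 tag length, in bytes

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: prefix a 64-bit sequence number, append an integrity tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0  # highest authenticated sequence number so far
        self.bitmap = 0   # bit i set => packet (highest - i) was accepted

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + TAG_LEN:
            return "reject: malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "reject: bad tag"
        seq = struct.unpack(">Q", body[:8])[0]      # trusted only after the tag check
        if seq > self.highest:                      # newer packet: slide the window
            shift = seq - self.highest
            mask = (1 << WINDOW) - 1
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "reject: too old"
        if (self.bitmap >> offset) & 1:
            return "reject: replay"
        self.bitmap |= 1 << offset                  # late but new: mark as seen
        return "accept"

def demo() -> list:
    key = os.urandom(32)  # OS CSPRNG here; a hardware QRNG would feed this instead
    rx = Receiver(key)
    trip = protect(key, 1, b"constructed sample: TRIP breaker 7")
    tampered = bytearray(protect(key, 2, b"constructed sample: CLOSE breaker 7"))
    tampered[10] ^= 0x01  # one payload bit flipped in transit
    forged = protect(os.urandom(32), 3, b"constructed sample: injected")
    return [rx.accept(trip), rx.accept(trip), rx.accept(bytes(tampered)), rx.accept(forged)]
```

Every received packet pays for one HMAC computation before it is used, which is the per-packet processing cost that delay-sensitive traffic such as tele-protection has to absorb.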
Since delays and jitter affect data quality, companies layer cybersecurity systems to focus on non-mission-critical data. An effective solution is to separate the packet engine for packet handling from the encryption engine used for encryption and authentication operations, leading to wire-like deterministic encryption and authenticated packet transmission, even through complex meshed networks. This deterministic network behavior is critical for power grids to stave off cyberattacks and manage outages.
Since many utilities design their cybersecurity systems only on the basis of the latest attacks, they lack the ability to guard against future attacks. In the instance of encryption-based systems, they face threats from powerful quantum computers that have the ability to crack public key cryptography with great speed, thus rendering current approaches obsolete. Hence, solutions like quantum-safe security are becoming increasingly important. They provide a hardware-based and extremely secure way to protect data transfer on operational technology (OT) networks without impacting the performance of the network.
Key Management and Quantum Technology
Key management involves the generation of keys for network encryption, assigning them, the exchange between hosts, and finally, revocation of keys at the end of the transmission. However, with the rapid progress of quantum technology, the chances of compromising the security and strength of the public key cryptographic protocols increase exponentially.
The lynchpin of encryption and data protection is the encryption key, and its strength is based on true randomness. Using a physical Quantum Random Number Generator (QRNG) as the source of high-quality cryptographic key generation, along with ultra-low-latency encryption for real-time applications, will provide encryption and authentication and meet the long-term quantum-safe protection requirements.
Platforms with an extra-long lifecycle and end-to-end deterministic network with deploy-and-forget encryption on 1 or 10G MPLS-TP IPsec, which is integrated into the network management system, will provide for a highly secure and trustworthy, best-of-class system. This will provide an effective foil against the quantum computing threat.
It is increasingly evident that power grids must evolve rapidly to meet the challenging scenario of distributed resources and cybersecurity. As utilities adopt packet-based communication systems allowing for compatibility with legacy systems and integration with IoT technology, it is imperative to secure the power grid and make it future-proof.
Systems that have been designed from the ground up to ensure uncompromising real-time performance and quantum-safe security are the way forward. These rely on physical QRNG and form the basis for cryptographic key generation.
This combination of secure key generation and the crypto agility needed to update hardware and software over the long term is what is termed “quantum-safe.” Systems that do not compromise on critical parameters such as latency, jitter, and asymmetric delay, and that are designed meticulously to avoid adverse effects on resiliency (OAM protocol), network timing, and synchronization precision (PTP IEEE1588v2 protocol), will form the backbone of quantum cybersecurity for wide-area communication networks, thereby securing the safety of operational networks.
—Rouven Floeter is Global Product Manager Cybersecurity and Quantum-Safe Solutions at Hitachi Energy.