The Race to Outpace Hackers vs. Smart Infrastructure
BY STEWART KANTOR, FULL SPECTRUM INC.
The number of new internet enabled devices (or things) is mind boggling. The chipsets for wireless and wired internet enabled devices are a dime a dozen (literally no more than a dime for 12 chips). The question isn't whether something can be connected to the internet but whether it should be and, if it is, what type of vulnerability it poses to us either individually or collectively. Many of the connectivity decisions are no longer being made by us individually but by our service and product providers. These providers impact every interaction including entertainment, safety, electricity, payment, banking, health, transportation and so on. Every day there seems to be a new instance of a major cyber breach that has varying consequences. We enter each new day with the hope that the latest hack will happen to someone or something else and that we have recently backed up our information or the people we have entrusted are backing us up.
One such service provider of critical importance is the electric utility industry. With the rapid adoption of highly-advanced automation in critical infrastructure applications, particularly with the U.S. power grid, comes a series of new threats. Automation in the utility industry is being driven by the need to both increase efficiencies and to adapt to new forms of energy sources at the grid edge. Each new point of automation, however, is a potential source of cyber insecurity. How the industry handles this new automation is critical to all of our security.
Today's Threat Environment
Our electrical infrastructure is becoming increasingly exposed to cyberterrorism and cybervandalism because of increased automation. Cyberattacks on the industrial internet are an increasing concern to industry professionals, some of whom have expressed concern their current operational strategies will not adequately defend against these threats. An article written by Ray Lapena and published in Tripwire's State of Security e-newsletter on March 13, 2017 titled "More than 90% of IT Pros Expect More Attacks, Risk, and Vulnerability with IIoT in 2017," revealed some survey results on ICS Security. The article said 96 percent of survey respondents, all of whom were IT professionals, said they expected to see an increase in security attacks on the industrial internet of things (IIoT) and more than half of those respondents said they are not prepared for these malicious attempts.
These threats have become increasingly apparent through a few high-profile hacks over the last year. In December, the Ukrainian power grid was directly impacted by a major cyberattack and it was revealed that the country's power grid had been attacked the prior year. These intrusions showed the vulnerability of the electric grid infrastructure to outside parties or other nations looking to debilitate another's critical infrastructure. Localized threats also are a concern, as it's not just computer networks that are at risk but the radio frequencies that they rely upon. In April, bizarre events unfolded in Dallas as a hacker set off the city's outdoor warning system using a single radio and frequency.
The increase in prominent hacker events has bolstered action from both cybersecurity experts and governing bodies. The Massachusetts Institute of Technology (MIT) Center for International Studies and MIT Internet Policy Research Initiative released a report in early 2017 pleading for action from new administration which failed to meet deadlines for the construction of a cybersecurity executive order. The paper tackles vulnerabilities to the nation's critical infrastructure on a sector by sector basis and reveals just how poor existing defense strategies are.
With an already weary public concerned about cyberattacks on their most critical data, there is new anxiety that network insecurities within our critical infrastructure are risking personal health and safety. A poll from Protect Our Power reveals that nearly 70 percent of the industry participants indicated they are aware of physical and cyber threats to the grid, with 61 percent believing the grid is at risk and only 9 percent of Americans believing that the U.S. government is doing all it can to protect the grid. Even more concerning is the American concern over how they would fare after an attack, with 65 percent claiming they are unprepared for an extended power outage.
The Hacker's "In" On Security
To take over any Internet of Things (IoT) technology, hackers most often will find access to the source from which all technologies are controlled-the wired or wireless network. The increasing adoption of commercial wireless networks given their ubiquity, ease of access and low cost, has forced the decline of the more historically robust and secure copper landline network. The copper landline network was designed to survive a multitude of natural and man-made disasters. We have now traded the robustness of the legacy centralized battery powered landline network for the convenience of electricity dependent wireless technology at every network device. Most cellular operators keep minimal backup power at their tower sites.
While many may claim to offer solutions that create a "private" network, few actually have a network that can be completely separated from the public internet, both digitally and physically. Network providers, on a base level, can provide some digital separation through VPNs, but these are still shared networks with access from almost any point in the world and with publicly accessible internet addresses. For example, denial of service attacks over a shared infrastructure lead to lack of network access. This alone can lead to a disaster for a utility. Even a small delay in data traffic in a utility network can wreak havoc in the control system.
Creating A New Industrial Internet
In the wake of automation adoption and cybersecurity demands, utilities now need to upgrade their networks to keep pace with best practices. Although public wireless networks seem like a viable option, for most critical utility functions, they pose too much quality and security risk.
Private wireless networks using licensed radio frequencies is one solution that is considered a best practice for utility networks. To create the network, utilities can either deploy their own network or partner with a private network provider that has strict rules in terms of access and connectivity to the public networks. These networks rely on state of the art software defined radios (SDRs) that use a variety of licensed industrial radio spectrum. These technologies are capable of changing frequencies over a wide range quickly to adapt to changing needs including interference and even intentional jamming. Selection of technologies and in-depth insight on developing these new networks has been clearly laid out for the industry within a new standard.
The electric utility industry, through its leading research arm, the Electric Power Research Institute (EPRI), is driving a new IEEE standard known as 802.16s, or GridMAN, for actively defending against and preventing disorder caused by these types of hacker attacks. This new standard expands the existing 802.16 standard, which originally only allowed for channel bandwidth of 1.25 MHz and greater to narrower-band communications of 100kHz and 1.25 MHz in channel size. This expansion of channel sizes has opened numerous new radio frequencies, and new technologies for either a completely utility-owned and operated network to new services dedicated just to mission critical traffic.
An attack on the power grid has the potential to be one of the greatest threats to the safety of individuals throughout the nation, particularly when focused on densely populated areas with a heavy reliance on continued power for almost all daily activities. This is precisely why utilities should be upholding their responsibility to ensure that the increased efficiencies gained from network connectivity are executed in a secure and reliable manner.
Stewart Kantor is the CEO and a co-founder of Full Spectrum Inc, a wireless telecommunications company that designs, develops and manufactures private broadband wireless internet technology and provides network services for mission critical industries. He has more than 20 years' experience in the wireless industry including senior-level positions in marketing, finance and product development at AT&T Wireless, BellSouth International and Nokia Siemens Networks. Since 2004, Mr. Kantor has focused exclusively on the development of private wireless data network technology and services for mission critical industries including electric utilities, oil and gas, defense, and transportation.