CRITICAL Software's Blog

Strengthening the Safety Net

Posted by Matt Brake on 06/02/17 11:01

As smart technology continues to develop and the impact of its evolution is felt across the energy sector, people are inevitably considering the potential risks and opportunities of what is to come. It is all too easy to raise the risks without evidence or ideas for mitigation or solution. Avoiding this scenario is important and we must accept that an appropriate level of investment is required to make sure things are done correctly and securely.

To make things more secure, all smart and IoT infrastructure programmes must engage with suitable agencies, like GCHQ, MI5 and the NCA (National Crime Agency). What’s great is that these agencies are keen to offer support and those in the industry should not be nervous about asking for their help. New projects can really benefit from expert advice on many levels and if related projects are already in place, ‘checking in’ will ensure no harm is done to existing structures (for example, opening up a gateway into the CNI (Critical National Infrastructure) where previously it was securely guarded). In addition, sharing knowledge with these agencies means they have an accurate picture of the CNI as a whole and are able to conduct an accurate threat assessment.

Considering where smart energy networks might be vulnerable is vital. Energy networks are by definition widespread with key points of control and management. These are the points at which hostile infiltration of some sort would likely be attempted and therefore must be strongly protected.

As new smart technology is implemented, it should include security measures, like software or hardware sensors, that can detect unusual behaviour on the network. Normal network management behaviour will have a specific ‘fingerprint’ and can be easily recognised by a system set up to flag anything outside the norm. This method is somewhat similar to how banks track ‘normal’ and ‘abnormal’ transactions to help them monitor accounts and identify fraudulent activity. The application of these security systems also allows the flagging of non-hostile risks that might have negative implications. These instances are usually caused by genuine users of the system, often new users, making mistakes.

Applying this type of protection to smart networks will increase users’ confidence and also increase safety. The ‘big data’ nature of smart systems gives us the opportunity to leverage all that information to make big improvements, further strengthening the safety net that supports the whole structure.

The energy sector can learn from other industries that have already had to deal with the influx of ‘big data’ and also look to utilise knowledge gained at government level. Government departments are used to dealing with huge volumes of data and using it to find useful management information and critical cyber security threat leads.

Cyber forensics can be difficult and the threats out there are ever-changing, often faster than companies can organise their defences. Interestingly, legal responsibility for data loss on a smart grid is still a bit of a grey area. If personal consumer details are picked up from a smart meter network, for instance, it can be difficult to tell if the information was taken from that network or if the weak point was elsewhere in the CNI.

By not attaching a smart network to the internet, a good initial level of security is achieved but at the cost of some benefits. By no means unfamiliar, this is the perpetual IT security problem: we want all the functional benefits without any of the security risks! As functionality and flexibility are increased on one side of the scales, the security or safety usually drops on the other. It’s almost impossible to provide amazing functionality at zero risk and low cost. It is a balance.

Success requires doing things right and that takes investment in quality resources and also time. We know that smart grids will grow. These systems, whether planned or grown organically, will need controls developed to protect them and their users. We will be able to develop some of those controls now, but some will need to follow later and we need to be prepared for that.

The value of the opportunities presented by smart technology far outweighs the risk involved. To take full advantage of these benefits, we should be prepared and committed to welcome increased security and safety measures as normal and mandatory, not as something only necessary for the most critical of systems. Then we will maximise these opportunities and benefit from a more controlled, safe proliferation of the technology.
