Building a smart grid: digital chickens and cyber-secure eggs
I’m an optimist. A few years ago, cyber security experts and energy executives were speaking different languages. Now, the security of the emerging smart grid is firmly on business leaders’ agendas. That’s progress.
But the technology is still catching up and, at the moment, we’re stuck at an impasse. A truly digital, smart grid is within reach, but we can’t safely implement it without robust security. However, the cyber security industry is understandably slow to create the right security solutions without the digital grid there to protect. We’re waiting for the chicken to lay the egg and for the egg to hatch the chicken.
So, the questions are: why? And what can we do about it? My answers are: because we are stuck in a reactive mode of thinking when designing security solutions. And that we should be building proactive solutions to complement them. If we have good proactive, pre-emptive security in place, we can start building smarter grids and break the impasse.
Very important chickens and vital eggs
The benefits of the smart grid – and the broader internet of things (IoT) – are well known. A digitally connected energy grid supported by smart analytics will allow the energy industry to more intelligently match supply to demand, integrate more renewable energy and roll out clever new services to consumers and businesses. It will mean a leaner and cleaner grid.
The security problems this poses are also starting to become familiar. A lot of the in-field, physical operational technology (OT) is decades old, expensive to replace and designed at a time when ‘cyber’ was a prefix consigned to sci-fi. By networking more and more infrastructure, you create more and more potential doors for hackers, many of them poorly guarded. Few people have an overview of all of these connections, so different teams excitedly press ahead, connecting this or pulling data from that, to create new functionality, only dimly aware of the security implications.
As our energy system becomes more connected, the stakes also get higher. Suddenly, you’re not talking about a substation going down, but a potential grid-wide attack. As the risk escalates, so does the reward for hackers. This has meant that the hacker profile has changed. Whilst before the biggest concern may have been hobbyists, now the potential for ransom or harm has attracted sophisticated organised criminals and even state-sponsored actors. If there’s ever a third world war, my money's on it being fought in cyberspace, and shutting down the power grid will be one of the top strategic targets.
In short, you get a big plate of IT and OT spaghetti, all tangled up and with the potential to create a big mess.
It’s worth thinking about how cyber security traditionally works. The vast majority of current solutions are based on creating tools that protect existing systems. For example, you might install sophisticated firewalls and anti-malware software to try and keep out the cyber criminals and to find and fix problems quickly when they do get in. Then, when the hackers up their game and create new malware, the security companies rush to update their systems and patch new holes. It’s a constant race. It’s reactive.
You can see the chicken and egg problem: the very premise of these solutions is that they’re built to protect systems already there. But utilities are reluctant to build those systems before the security is in place.
Getting proactive and pre-emptive
We advocate something complementary but different.
If you were an engineer designing a bridge, you would build it digitally first in a CAD tool. You can then test it for different variables and adjust the design accordingly. For example, you could stress test it against certain wind speeds, or a particular number of trucks driving over it and then change the building material. Of course, you’d need to run real life tests once you’d built it too – but this stage provides a degree of confidence without which you’d never dare to dig the foundations.
Exactly the same approach can apply to cyber security. Using intricate attack trees (picture a flow diagram mapping out ways of attacking), it’s possible to model a digital system and stress test it against potential threats. It’s truly creating security by design.
Others have tried this before. However, efforts have typically failed for two related reasons. Firstly, they have relied on someone with knowledge of the system manually building it within the software. With networks as complicated as this, it’s hugely difficult to find someone with that whole-system overview, and very easy to miss things.
Then, similarly, it would be up to the user to dream up and try out the attacks in the model. Again, this is hardly systematic and prone to human error.
By contrast, there are new CAD-based systems that can plug into an existing system – either already live or still in the design phase – and automatically map out the entire network, combing it with algorithmic precision and not relying on a knowledgeable but fallible architect to sketch it out in the programme.
Then, the stress test is carried out using attack trees populated with mathematical probabilities. Probabilistic calculations look at the whole system and identify the shortest and most likely attack paths. Engineers can then design a fix and re-test. These calculations are based on decades of combined experience from the Swedish Royal Institute of Technology’s (KTH) electrical engineering faculty.
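To make the probabilistic stress test concrete, here is an added example (not code from this article or from any KTH tooling) that finds the most likely attack path through a small network model, then re-tests after a fix. The asset names and step probabilities are constructed for illustration.

```python
import heapq
import math

# Constructed sample model: (from_asset, to_asset) -> assumed probability
# that an attacker who holds the first asset can compromise the second.
EDGES = {
    ("internet", "office_it"): 0.6,
    ("internet", "vendor_vpn"): 0.3,
    ("office_it", "historian"): 0.5,
    ("vendor_vpn", "scada_hmi"): 0.8,
    ("historian", "scada_hmi"): 0.4,
    ("scada_hmi", "substation_rtu"): 0.7,
}

def most_likely_path(edges, source, target):
    """Return (probability, path) of the most probable attack path.

    Maximising a product of probabilities equals minimising the sum of
    -log(p), so Dijkstra's shortest-path algorithm applies directly.
    """
    graph = {}
    for (src, dst), p in edges.items():
        if p > 0:  # a zero-probability step is not traversable
            graph.setdefault(src, []).append((dst, -math.log(p)))
    best = {source: 0.0}
    queue = [(0.0, source, [source])]
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == target:
            return math.exp(-cost), path
        if cost > best.get(node, math.inf):
            continue  # stale queue entry
        for nxt, weight in graph.get(node, []):
            new_cost = cost + weight
            if new_cost < best.get(nxt, math.inf):
                best[nxt] = new_cost
                heapq.heappush(queue, (new_cost, nxt, path + [nxt]))
    return 0.0, []  # target unreachable

def with_mitigation(edges, step, new_probability):
    """Copy of the model with one step hardened, for re-testing a fix."""
    patched = dict(edges)
    patched[step] = new_probability
    return patched
```

In this constructed model, hardening the vendor VPN to SCADA step moves the most likely path to the longer office IT route, which is why the re-test after each fix matters.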
This approach means energy companies can confidently install smart grid systems, cracking the chicken-egg conundrum. However, it’s important to note that this is not a replacement for reactive cyber security as it’s not a system to fight intruders. Instead, the two types of security should be seen as symbiotic, feeding into one another.
How can you fireproof when you’re busy fighting fires?
So, the technology is there; the will to invest in security is there – that’s everything in place, right?
Actually, there’s one more structural barrier to how cyber security is addressed in energy organisations.
It’s great to see dedicated budgets and teams emerge to take cyber security seriously, as we have over the last few years. However, as with any team, resources are limited. There’s a finite amount of time and money to spend.
This is a problem – not necessarily because the budgets are too low – but because their attention is entirely tied up with reacting to threats. With firefighting.
Someone spots a vulnerability that needs to be patched. Then there’s a malware alert to deal with. Then there’s a new virus going around that they need to ensure they’re protected against – it’s never ending.
In these circumstances, it’s extremely difficult for cyber security teams to carve out time to strategically invest in proactive systems. When there’s always another fire to fight, how do you make time for fireproofing?
What’s needed are separate departments – or teams within one cyber security department – with their own budgets completely focussed on reactive and proactive cybersecurity respectively. Obviously they will need to work closely together, but this will ensure that utilities can fireproof as well as firefight.
It’s a fairly big ask – it’s already difficult for energy companies to find and invest in cyber security, especially with top talent so scarce. However, the smart grid is a big project, and its security a big priority. At least though, there’s a way out of that infuriating conundrum of which needs to come first – the chicken or the egg: proactive smart grid cyber security design.
UK must stop blundering into high carbon choices warns CCC
The UK Government must end a year of climate contradictions and stop blundering on high carbon choices, according to the Climate Change Committee as it released 200 policy recommendations in a progress update to Parliament.
While the rigour of the Climate Change Act helped bring COP26 to the UK, it is not enough for Ministers to point to the Glasgow summit and hope that this will carry the day with the public, the Committee warns. Leadership is required, detail on the steps the UK will take in the coming years, clarity on tax changes and public spending commitments, as well as active engagement with people and businesses across the country.
"It is hard to discern any comprehensive strategy in the climate plans we have seen in the last 12 months. There are gaps and ambiguities. Climate resilience remains a second-order issue, if it is considered at all. We continue to blunder into high-carbon choices. Our Planning system and other fundamental structures have not been recast to meet our legal and international climate commitments," the update states. "Our message to Government is simple: act quickly – be bold and decisive."
The UK’s record to date is strong in parts, but it has fallen behind on adapting to the changing climate and not yet provided a coherent plan to reduce emissions in the critical decade ahead, according to the Committee.
- Statutory framework for climate: The UK has a strong climate framework under the Climate Change Act (2008), with legally-binding emissions targets, a process to integrate climate risks into policy, and a central role for independent evidence-based advice and monitoring. This model has inspired similar climate legislation across the world.
- Emissions targets: The UK has adopted ambitious territorial emissions targets aligned to the Paris Agreement: the Sixth Carbon Budget requires an emissions reduction of 63% from 2019 to 2035, on the way to Net Zero by 2050. These are comprehensive targets covering all greenhouse gases and all sectors, including international aviation and shipping.
- Emissions reduction: The UK has a leading record in reducing its own emissions: down by 40% from 1990 to 2019, the largest reduction in the G20, while growing the economy (GDP increased by 78% from 1990 to 2019). The rate of reductions since 2012 (of around 20 MtCO2e annually) is comparable to that needed in the future.
- Climate Risk and Adaptation: The UK has undertaken three comprehensive assessments of the climate risks it faces, and the Government has published plans for adapting to those risks. There have been some actions in response, notably in tackling flooding and water scarcity, but overall progress in planning and delivering adaptation is not keeping up with increasing risk. The UK is less prepared for the changing climate now than it was when the previous risk assessment was published five years ago.
- Climate finance: The UK has been a strong contributor to international climate finance, having recently doubled its commitment to £11.6 billion in aggregate over 2021/22 to 2025/26. This spend is split between support for cutting emissions and support for adaptation, which is important given significant underfunding of adaptation globally. However, recent cuts to the UK’s overseas aid are undermining these commitments.
In a separate comment, it said the Prime Minister’s Ten-Point Plan was an important statement of ambition, but it has yet to be backed with firm policies.
Baroness Brown, Chair of the Adaptation Committee said: “The UK is leading in diagnosis but lagging in policy and action. This cannot be put off further. We cannot deliver Net Zero without serious action on adaptation. We need action now, followed by a National Adaptation Programme that must be more ambitious; more comprehensive; and better focussed on implementation than its predecessors, to improve national resilience to climate change.”
Priority recommendations for 2021 include setting out capacity and usage requirements for Energy from Waste consistent with plans to improve recycling and waste prevention, and issuing guidance to align local authority waste contracts and planning policy to these targets; developing (with DIT) the option of applying either border carbon tariffs or minimum standards to imports of selected embedded-emission-intense industrial and agricultural products and fuels; and implementing a public engagement programme about national adaptation objectives, acceptable levels of risk, desired resilience standards, how to address inequalities, and responsibilities across society.
Drax Group CEO Will Gardiner said the report is another reminder that if the UK is to meet its ambitious climate targets there is an urgent need to scale up bioenergy with carbon capture and storage (BECCS).
"As the world’s leading generator and supplier of sustainable bioenergy there is no better place to deliver BECCS at scale than at Drax in the UK. We are ready to invest in and deliver this world-leading green technology, which would support clean growth in the north of England, create tens of thousands of jobs and put the UK at the forefront of combatting climate change."
Drax Group is kickstarting the planning process to build a new underground pumped hydro storage power station – more than doubling the electricity generating capacity at its iconic Cruachan facility in Scotland. The 600MW power station will be located inside Ben Cruachan – Argyll’s highest mountain – and increase the site’s total capacity to 1.04GW.
Lockdown measures led to a record decrease in UK emissions in 2020 of 13% from the previous year. The largest falls were in aviation (-60%), shipping (-24%) and surface transport (-18%). While some of this change could persist (e.g. business travellers accounted for 15-25% of UK air passengers before the pandemic), much is already rebounding with HGV and van travel back to pre-pandemic levels, while car use, which at one point was down by two-thirds, is only 20% below pre-pandemic levels.