DNV GL is the independent expert in risk management and quality assurance, operating in more than 100 countries. DNV GL advances safety and sustainable performance, sets industry benchmarks, and inspires and invents solutions.

Post

The dark side of the cloud – How energy efficiency programs can make the IoT more secure

Posted to DNV GL

image credit: © Michael Borgers | Dreamstime.com

This item is part of the Special Issue - 04/2020 - Cybersecurity, click here for more

In a time before social distancing,  my 2020 was shaping up to be a very social year. In mid-February, I had the pleasure of representing DNV GL at the AESP National Conference in Anaheim, and the Indoor Ag Energy Solutions conference in San Diego the following week. One theme that held constant across both events was the power of operationalizing data collected at the grid’s-edge. The vision alluded to by many speakers was of a fully decarbonized, transactive energy grid that balances supply and demand in real-time. While this is a worthy and aspirational goal, I left SoCal with the feeling that the DSM community missed a huge opportunity to address a silent problem with this vision… cybersecurity.

First, I want to acknowledge that cybersecurity is not easy to talk (or write) about. Much of what gives connected technology its mass appeal is the ease of use. Cybersecurity complicates things. A feature, like 2FA, frustrates the user experience but is essential given that billions of usernames and passwords have already been compromised. Which makes yesterday the best time talk cyber-security. In 2017, we estimated that there were ~27B connected devices on earth. We expect about a 100x increase in devices by 2030[1]. Palo Alto Networks recently found: “A full 98% of all IoT device traffic is unencrypted, exposing personal and confidential data on networks.”[2] It’s these same IoT devices that enable the futuristic grid visioned by thought leaders at large conferences across the globe.

One of the major trends occurring in Industry 4.0 is the Information Technology / Operational Technology Convergence – simply creating and connecting physical/cyber systems. For example, is an internet-enabled lighting system a physical building system supplying illumination (OT), or is it a cloud-enabled analytics platform that uses a disparate sensor network to report on non-lighting variables (IT)? Answer: It’s both! The driving force behind the IT/OT convergence is digitalization, and the quest for new revenue streams from the leveraging of digital technologies to create value. Digitalization is reshaping the competitive landscape and cost-structure of every industry on earth – including the utility sector.

C&I customers are digitalizing for competitive reasons, and utility managers would be wise to capitalize on those market forces by creating programs that help their building stocks become fully grid-integrated. Grid integrated buildings help a utility optimize operations and provide flexibility for scaling renewable supply. Capturing that grid-integrated value in a way that does not expose C&I customers to massive vulnerabilities is the next hurdle to building out the truly Smart Grid. As referenced above, the current state of our connected technology lacks basic protection such as AES 128 encryption. Let’s explore one probable nightmare scenario for the Commercial Smart Building and then talk about some simple steps programs can take to begin mitigating these risks.

Siegeware – when criminals lock you out of your building 

At the enterprise level, businesses are abandoning legacy proprietary systems in favor of edge and cloud architectures. At the facility level, buildings often have a variety of installed legacy automation systems and applications that run on closed networks and proprietary protocols. The application space for C&I buildings are complex; BAS, EMS, lighting controls, video surveillance, elevator control systems, etc. -every system, as well as the individual components, pose their own unique risk. Modernizing a facility means stacking the known risk from legacy systems on top of new risks associated with ubiquitous connectivity and remote control from IoT systems —making the hard job of securing these networks even more difficult. Siegeware is when criminals exploit these vulnerabilities to gain control over essential building systems, like HVAC or lighting, locking the building’s owner out of systems until they pay a ransom. In February 2019 cybersecurity expert, Stephan Cobb found 35,000 BAS systems connected to the public internet globally and estimated that 30,000 of those systems were located in the US[3]. Many of these systems rely on default usernames and passwords.

Here is an example of a real-world Siegeware attack perpetrated by IMB’s ethical hacking team, known as the X-Force. They gained entry through an unsecured BAS and: “found several areas of concern in the BAS architecture that could allow a malicious attacker not only to take control of the individual building system but also to then gain access to a central server, operated by the system operator, which could extend control to several other geographically dispersed buildings.[4]. ” While a utility program may never be able to fully prevent cybercrime, it can begin taking some common-sense steps to proactively protect customers when promoting internet-enabled technology.

Three ways Programs can promote cybersecurity 

  1. Educate your Trade Allies & Customers: The first step to improving cybersecurity is merely talking about it. Many organizations acknowledge the inherent dangers of working around electricity or natural gas by starting every meeting with a safety message. Reserving time at kickoff events, or technical training to speak about cybersecurity is a no-cost way to promote best practices such as separating enterprise and facility networks. For utilities actively creating Integrated EE/DR programs, I suggest taking training to the next level and proactively approaching large customers about the importance of cybersecurity. For example, earlier this year, I hosted a webinar for the engineering team at a Big Three automaker, where I provided best practices for selecting a cyber secure wireless lighting system.
  2. Modifying Existing Program Designs: Many existing program designs naturally lend themselves to being modified to enhance cybersecurity. For example, most New Construction programs require a Design Charrette – an intensive workshop of stakeholders focused on addressing particular design issues. Program specifications can be modified to integrate the owners’ IT team into the Charrette. IoT devices require networking and internet connectivity, necessitating the need to integrate software and hardware professionals into the larger design team. All IoT devices need a local network to move data in and out of the equipment, and some devices will require a gateway for internet connectivity. System Architects should be included in the Charrette to develop the fundamental organizational structure and set the system’s governing rules, baking cybersecurity into the building’s construction documents. 
  3. Coordinate with Technical Working Groups: Many smart people are working to make internet-enabled devices more secure. For example, I am a member of the ANSI C137 subcommittee tasked with developing cybersecurity standards for Network Lighting Controls. Utility program managers should also consider joining technical working groups hosted by organizations like the DOE. These groups provide insight into the technical issues and consumer adoption challenges of making devices more secure. Program managers can leverage these insights to modify existing Qualified Product Lists (QPL) to ensure that incentivized devices met a utility-defined level of cybersecurity. For example, I previously helped a large utility design an autonomous demand response pilot that directly installed commercial smart thermostats. When selecting a vendor, we considered variables such as whether the gateway could sit outside the customer’s firewall, the device’s communication protocol, and its level of data encryption. Our team then marketed this technical due diligence to the customer to help scale enrollment. 

In closing, the value-add of internet-enabled devices makes them attractive to both C&I consumers and the utilities that power these devices. While it’s important to socialize the positive aspects of connected technology, we cannot afford to neglect the risks these devices impose. Cybersecurity presents many challenges, and no panacea exists to solve those challenges. To realize the promises of Industry 4.0, we will need multiple solutions that encompass educating end-users, cross-training IT and Design-Build professionals, mainlining simple solutions like encryption, and working with device manufacturers through the standards process to incorporate hardware like Trusted Platform Modules into connected devices.

[1] https://www.martechadvisor.com/articles/iot/by-2030-each-person-will-own-15-connected-devices-heres-what-that-means-for-your-business-and-content/#:~:text=In%202017%2C%2027%20billion%20devices,to%20%24561%20billion%20by%202022.

[2] https://threatpost.com/half-iot-devices-vulnerable-severe-attacks/153609/

[3] https://www.welivesecurity.com/2019/02/20/siegeware-when-criminals-take-over-your-smart-building/

[4] https://regmedia.co.uk/2016/02/10/567584334543.pdf

DNV GL
DNV GL is the independent expert in risk management and quality assurance, operating in more than 100 countries. DNV GL advances safety and sustainable performance, sets industry benchmarks, and inspires and invents solutions.

Discussions

Matt Chester's picture
Matt Chester on Apr 29, 2020

Educate your Trade Allies & Customers

Great point Wesley-- it's not a zero sum game, and all stakeholders in the industry should do their due diligence and make sure others are aware of best practices as well. Especially when you start to talk about actors on the grid, it's important for the industry as a whole to be resistant to the possible threats!

Wesley Whited's picture

Thank Wesley for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »