

It's OK for some things to be hard

Caleb Christopher
Technical Sales Engineer, Spearpoint Associates

At Spearpoint Associates, I bring value to clients by being a cybersecurity consultant and project management specialist for smart city / smart grid applications.

  • Apr 24, 2020

This item is part of the Cybersecurity for Utilities - Spring 2020 SPECIAL ISSUE.

Let me start with the best part in case you don’t have time to read on: There is business value in difficulty. If you can add extreme difficulty for an attacker and only minor inconvenience to yourself, that’s a good thing. Utilities should focus on leveraging network architecture to add attacker difficulty while maximizing uptime and controlling costs.

I can practically hear people’s eyes rolling when I talk about basic cyber hygiene. They tire of the inconveniences they experience throughout any given day: changing passwords too often, two-factor authentication codes, VPNs, screen locks, etc.

I get it. Sometimes it gets to me too, but my perspective reminds me it’s worth it.


I’d like to alter your paradigm by highlighting the value of difficulty.

Let’s start with a story

Imagine yourself in this situation: It’s raining. You get home with a double-armload of groceries to carry in. Hurrying to the door, you forgot to get out your key, so you dig for it. You find it while juggling the groceries. Just as you’re getting your key, a glass jar and several other items crash to the ground. Soaked, you finally get the key and unlock the door. You sop inside, frustrated with the whole process.


Now an alternate story

Imagine this: It’s raining and you get home with the same groceries. But this time, getting inside is no sweat since you left the door unlocked to make it easy to get in and out. You hurry inside, barely wet, and put away your groceries, patting yourself on the back for how convenient you’ve made your life.


What if...

If you got home to find your front door open, what would you feel in the pit of your stomach? Imagine that feeling and spend a moment going through the scenario: Would you call the police? Go inside? Stay out? What would you feel and what would you do?


Either way...

Let’s face it, we keep our homes and cars locked even though it might cause us to get stuck in the rain or locked out if we lose our keys. Using a key is acceptable because we see the value of the difficulty of bypassing locks, despite the extra effort required. If a slight inconvenience to you adds significant difficulty for an attacker, the appropriate course of action should be apparent.



For Utilities

What else does new technology have access to? If you add AMI or other IoT devices, are they properly segmented? Can you do micro-segmentation to isolate them from one another?


How to measure security value

As you’ve gathered from above, the added difficulty for an attacker minus the added difficulty for you equals the value of a given security measure. Oversimplified: an attacker’s difficulty (10) minus your difficulty (2) equals security value (8). Budgetary prudence also applies... obviously, posting armed guards around my garden is a mismatch. So strike a balance between security value and monetary value/cost, but you get the idea by now.


Where you can start

Get help: A 3rd party security/risk assessment will uncover key issues and provide essential guidance. One of the first things they should recommend is to enable 2-factor authentication on every account and connection possible.

Additionally, it’s common to discover security, compliance, and even reliability issues with existing network architecture.

I don’t know who said it, but one of my favorite quotes about IoT (Internet of Things) is this: In “IoT”, the “S” stands for “security.”

If your network has “smart” anything on it, you need a 3rd party network architecture review to ensure you’ve added sufficient difficulty for attackers.


In my work, what I have come to find is AMI, IoT, and smart-whatevers mostly don’t create new problems — they highlight existing problems, or reveal existing security architecture inadequacy. We’ve been able to identify and address underlying issues by running an assessment, then leveraging SD-WAN as a master solution.


Matt Chester on Apr 24, 2020

In my work, what I have come to find is AMI, IoT, and smart-whatevers mostly don’t create new problems — they highlight existing problems, or reveal existing security architecture inadequacy

This is an outstanding perspective that wary customers should understand -- the fact that data privacy and cybersecurity are so important to the customers is undoubtedly a win, but cyber professionals should be able to leverage these concerns to show that most actors on the grid should actually already be doing more.

Do you think some of the challenges come from IoT devices being more 'visible' representations of cyberrisk, whereas they've already normalized the existing risks because they're connected to things that they can't see or no longer register?

Caleb Christopher on Apr 24, 2020

I think the challenges in IoT and AMI are mainly the result of already-inadequate security architecture...

Utilities put this stuff on their networks and only then find out their network wasn't designed to accommodate this level of risk.

With regard to "normalization of existing risks," I doubt they've even been addressed (so how can they be normalized?). An example for perspective: People didn't normalize the risk of cyberbullying until after they gave ubiquitous internet access to their kids... They simply hadn't designed to that risk because they didn't realize they would need to at some point.

The same is true of utility networks. They're largely designed like computer communications networks, where internal devices are trusted and are supposed to be able to communicate with one another. They now need to be designed to securely facilitate communication only between need-to-know devices that have a risk of going rogue at any time if compromised.

Under existing network architectures, utilities are having to build completely separate/duplicate/air-gapped networks to facilitate the communication of IoT and AMI. The cost is high.

SD-WAN can eliminate the need for expensive duplicate network infrastructure by virtualizing the connection into secure segments with access policies based on templates, device characteristics, location characteristics, etc. That's why we've been deploying SD-WAN for Utilities.

Matt Chester on Apr 24, 2020

Really insightful-- appreciate the response, Caleb!
