Service Based Security

A classic case of power shift from an autocracy to a democracy; the story of the Utility transformation may be just that. Ever since de-regulation, reliable power delivery now exists beyond the physical boundaries of power plants, substations, network operating houses, leaving more vulnerable ends open; hence, there's a surge to find ways safeguard assets while providing the new age services. But the most important point to gauge here is not the kinds of security threats that could exist in the future, instead, the future utility assets/specialized services that would be available in a specific geography/demography; services that are synonymous to a utility. Any meandering thoughts on utility service branding?

Essentially, the typical services of any power utility are to an extent generic in nature; however, in the world of specialized services, where the core services of a utility may be redefined, there will be a need to identify and guard the core. For e.g., in populous cities, like Tokyo, Sao Paulo, Delhi or New York, where both proactive and reactive management of utilities assets, say smart meters need to be super indexed, a service addressing this would be a core service. Or say, in traffic congested cities like Brussels, Los Angeles, London or Paris, where, with a hoard of electric vehicles on the roads, one of the core services that future utilities would need to provide must be the charging point management of these vehicles.

Some of the utilities may also hold these customers' social conversations, despite of not being in their closed social circle. So, not only the end points of these services but also the related end to end data management services, evidently need to be secured. Most importantly, the responsibility for security of the communication plane would need to be clearly defined between the service providers and utilities.

With promising Big Data analyzers, soon, algorithms will be employed for a more controlled phase distribution. Consequentially, in terms of OT landscape, the asset security has to call for concrete SCADA and PMU security sooner than later.

The below areas might seem as probable specialized service areas and one or more of these components will, in future, serve as the core of the utility services:

1. Small commercial and Industrial units' SMART services
2. PHEV charging & parking
3. Utility social portals
4. Regulatory Analytics
5. Retail portals using SMART services/transactions, for e.g. renewable energy certificates or smart energy pool certificates etc.

This protocol may be implemented with security frameworks already at disposal, like the AICAAA that uses the following checkpoints:

1. Access Control
2. Authentication
3. Confidentiality
4. Integrity
5. Availability
6. Accountability

However, a crucial factor for success would still have to be a thought through disaster recovery and healing module, should a security failure occur. And, this module can be planned and established with ease according to the criticality of the specialized services. Since the specialized services would use dedicated or partitioned infrastructure and tools, it's needless to speak that this approach will guard a single layer from being wholly affected by an attack.

What is your take on service based security?