If the number of devices talking to your network was about to increase from 50 to 850,000, you might be a little daunted. One person facing precisely this nightmare is Ian Appleby, corporate IT security manager for NSW energy distributor, Endeavour Energy. He sums up his greatest challenge in three words: New emerging technologies.
“From a pure IT perspective, there are tablets, smart devices and PDAs. Then on the energy side of the network there’s smart grid devices, wireless-enabled reclosers on top of power poles, mesh radio connected smart meters. It’s the speed of some of these technologies that are hitting us,” says Appleby.
The move towards smart grids will bring sweeping changes to security management for energy distributors. Besides the potential for Stuxnet-like malware to target industrial control (SCADA) systems, smart grid operators will be faced with a host of other, perhaps less dramatic but no less important threats. For example, the ‘points of access’ into Endeavour’s network will rise from 50 to 850,000 after it fits households with smart meters and retrofits sub-stations.
“That’s going to pose a greater risk, which means we have to get the security framework around the devices correct before we deploy,” explains Appleby.
Traditionally, Endeavour would physically control access to its premises by way of security tokens. “Now people have easy physical access to our devices in the field because they’re on the side of the house,” says Appleby. Meanwhile, Appleby is facing increasing pressure from corporate network users who demand that enterprise technology match the consumer technology experience.
“The speed that some of the new technologies are heading now makes it difficult to meet everyone’s expectations and apply due diligence across the security aspects of all the different devices,” says Appleby.
The acceleration has come unhinged from the more methodical corporate processes employed for control. “Now, people come up and ask us to set up all these new corporate applications that work on an Apple device while they’re sitting in meeting rooms.”
But, asks Appleby, “How do you secure this variety of devices in the first place and do the benefits outweigh the risk?” Endeavour will meet some of those demands via a dual trial of Apple’s iPhone, iPad and Research In Motion’s BlackBerry. Android is yet to be tested, says Appleby.
“So yes, people can have better technologies, but only when we’ve worked out a way to secure them and control their access and control security through a central console.”
Technically adept engineers on the “network side of the business” present an entirely different challenge. Appleby’s expertise in corporate IT network security may lend itself to design considerations for the security of the smart grid, but it hasn’t always meant a free seat at the table.
“I have to work strongly and do some convincing to implement security on the engineering side of the business.” But he adds that “they [network engineers] have been doing a good job here.”
He insists the same principles behind corporate network security still apply in the engineering environment and should be considered prior to Endeavour’s smart grid deployment.
“We’re looking at segregated data paths, defence in depth. For example, in the smart meter, you’re looking at protecting the meter, the in-home device, the various communications channels and uses, then your backhaul cables and points of presence, right back in with both active and passive measures,” he explains.
“You go back to the very basics of IT security and the ability to switch out the network and time based security. Time of detection, time of lock down and response determines the amount of damage that can be done to your network.”
Adding value to the business: Seeing and hearing
An oft-forgotten element of a successful security strategy is communications. If the executive level is unable to understand the value of security in business terms, how can it determine where and how to take action?
Endeavour Energy has achieved positive results by moving away from incident-led security management towards a risk management or “business approach”, according to Appleby.
“It’s about delivering a reliable network. One of the key aspects in security is availability, and if you’re experiencing a security incident across your network — a virus — it’s affecting your availability,” he says.
Endeavour has also implemented a reporting structure designed to mitigate potential conflicts of interest between security responsibilities and business system deployments.
“You still need IT security doing hands on work within the IT department, but from a governance perspective security management should have a more direct reporting structure that does not report to the part of the business responsible for deploying all the IT systems,” says Appleby.
“We’re trying to automate a lot of the auditing and reporting systems,” says Appleby. “So you can detect a variety of activity that by itself wouldn’t look out of place, but when taken into context with other access levels and access to the other systems, would show as anomalous traffic.”
That technology may prove useful when the organisation faces change.