
Hi, BSides Vancouver. I hope everyone is enjoying the talks so far. Let's talk about the power grid and the cyber security risk. My name is Vivek Ponnada, and here's my contact info. Today's agenda: we'll go through the basics of industrial control systems, the power grid and operational technology, then the threats and the impacts, the risks, and finally answer the question after discussing grid resilience.

First up, industrial control systems. Control systems have existed for several hundred years, well before the electronics that became popular in the 20th century. In the past these systems were pneumatic or hydraulic, meaning they were operated by air, oil or some kind of fluid, but of course modern-day control systems are all electronics-based. You'll hear the terms SCADA, PLC, DCS and many more. These are all similar in that they control some equipment in the industrial controls world, but they do it slightly differently. SCADA stands for supervisory control and data acquisition, PLC is programmable logic controller, DCS is distributed control system. I put these in the appendix so that you don't have to remember them. That said, from the control systems perspective, the final element will always be something mechanical, something moving, some component that is changing something, like a valve that controls the flow in a pipe or a turbine that spins at a certain speed. That's how you get the term cyber-physical: essentially you're affecting something physical in a process or equipment from the control system's digital electronic signal.

There are many vendors of ICS equipment. Rockwell Automation makes the Allen-Bradley PLCs, for example; Honeywell has their DCS line; GE, the company I work for, has many systems for turbine controls and grid relays, for example. These industrial control systems are used in many, many industries, most of them critical infrastructure: power generation obviously, oil and gas, mining, even healthcare and building management systems. They're all very similar in using PLCs, for example.

Specific to power generation, transmission and distribution, this example shows a power plant with a typical step-up transformer that changes the voltage from a lower voltage here to a higher voltage here and transmits it so that it's more efficient. Then, where people are, we do the opposite: we step down the voltage to what we need in our houses, which is 110 volts AC. The good thing about this is it shows how power is balanced from generation through transmission to distribution, because there is no storage in a typical grid: whatever power is produced needs to be consumed, so that balance has to exist on a millisecond basis.

Now here you see the generation mix. Canada: we have about 652 terawatt-hours. Slightly older graphic, but still representative. We have a diverse mix, a significant amount of hydro, and we also have some nuclear. BC actually has about 85 percent hydro and a lot less nuclear compared to Ontario, for example. This mix is quite different from what you see in the US. The US is obviously a much bigger grid; in billion kilowatt-hours, the equivalent of this, it's about five times. So their mix has significantly more coal and natural gas, and of course they have the others as well. But the key thing to remember is that the Canadian grids and the US grids are connected. You can think of this as if Canada has three grids: the West, the East and Quebec. Similarly the mainland US has the West, the East and Texas; there are more shown here because obviously Alaska and Hawaii have their own. More importantly, this mainland can be divided into these coordinating councils that control the amount of power within the zone. And it's not all one grid, because for example it's possible to transmit power from one end of this Western Interconnection to the other, but not necessarily the same amount, or even any significant amount, from the West to the East, because these two are not in sync; they're not synchronized to each other. There are some connections, so you can export some power, but that's a DC line, for example, not AC, because they're not synced.

General reliability issues. I highlighted cyber threats on both the structural and operational side, but the grid is much more complex; it's got a lot of other issues that you all need to be aware of. In general, structurally, you see increased demand: a lot more electric vehicles, people are excited to buy more and more electric vehicles, and that increases demand. At the same time we're seeing a lot of coal plant retirements, both because of carbon pricing and climate change regulations. So you can imagine, when supply is lower and demand increases, that causes some challenges. Similarly we have increased renewables, wind and solar, that bring their own unique challenges with being intermittent rather than 100 percent available like nuclear, for example, and then some other more technical issues like reactive power support, which is more challenging with these renewables. We also have different types of markets. In BC, for example, we have a monopoly here, BC Hydro, a Crown corporation that doesn't need to compete, whereas Alberta is a little more of a deregulated market where individual companies have to make their own decisions on investments, what type of generation they need to invest in, and so the incentives are different. We have cyber threats, of course, structurally; we'll talk about that more.

Operationally, whenever there is an extreme weather situation, especially unpredictable weather, for example the most recent Texas Valentine's Day issues, the extreme weather caused a lot of problems: supply was significantly reduced at the same time demand was soaring, so they had rolling brownouts and a lot of economic contraction, and several people also died because of this. So this is pretty serious whenever power is not reliable. Wildfires cause the same kind of effect, where unpredictable weather causes issues on both the supply and demand side. And then sometimes equipment failure; the most famous one happens to be the 2003 Northeast outage, where for several days people lost power. In fact, many of the regulations that we have currently stem from this time period, when they advised more information sharing across different regional operators so that these kinds of cascading failures can be avoided. There's also the threat of theft: these AC transmission lines are made out of copper. And of course we have operational threats cyber-security-wise.

Let's discuss a little bit more about operational technology. This is very popular for understanding industrial control systems. It's called the Purdue reference model, and it's a hierarchical model. It goes from zero to five. At the very base, level zero, you have field devices, the sensors like pressure and temperature sensing equipment; that's called level zero. They all talk to the controllers at level one. These controllers are typically reduced instruction set computing type devices, and they are essentially the heart of the industrial control system. They then interface to a human-machine interface; they communicate to an operator, essentially, and display values. Here the operator can make adjustments or take any action, start or stop a pump, for example. That's dubbed level two. Historically this is what was called industrial control systems. Of course this could be just one site, and if you have multiple sites and they're controlled by a common human-machine interface at one level, for example at a central control room, that would also be termed level two, and there are other devices at level two as well that are common across multiple plants.

This term OT is introduced because this equipment looks very similar to IT equipment, right? Hardware-wise it might be the exact hardware used on the IT side as well. However, the software that you install on these HMIs or engineering workstations is different and it's meant for ICS purposes, and some of the protocols you use are also different. So that's why the term OT is more applicable, as in it's IT-like but not exactly IT. Then jumping up to level three, which is essentially a DMZ where you're trying to terminate any connections from the internet here and then have maybe a remote access jump server back into OT, so that OT devices don't talk directly to the internet. Again, this is a theoretical model; not everything is exactly this way in every site. We see bypasses, a lot of direct connections to the internet, mistakes that we know shouldn't happen but still continue to happen. Level four and five, this is classic IT that you're all very familiar with. One thing to note is that OT and ICS are used interchangeably. The way I showed it here is not exactly how everyone understands it; most people would call OT everything from level two and three down to zero, or at the same time they might just use ICS for the same, so it's used interchangeably. But this is helpful to understand what is strictly industrial control system and what's more IT-like, and so you can call it OT.

There's also this other term IIoT, industrial internet of things, a very similar concept to IoT, as in most of them are cloud-connected devices. A lot of new services have popped up in the past few years, very useful for some of the new digital transformation initiatives where, instead of having to go through traditional architectures, you get some device that quickly gets information to the cloud, and that helps you maybe bid into the market differently or compare your asset to some other assets and get some information on how well you're running your equipment. So that's another aspect that's changed our risk profile in the past few years.

Now, ICS or OT is different from IT in many ways. Number one, in the IT world we use the CIA triad, because we're all interested in protecting data from unauthorized disclosure, losing integrity or availability. But in the OT world an alternative triad, SRP, is more applicable: safety, reliability and productivity. Safety, obviously, because we're talking about cyber-physical systems that could impact life and limb; safety is paramount. We have a lot more experience dealing with safety than we have with security, cyber security, so we have backup systems, we have special safety functions and safety devices. That's number one in this world. Similarly, hardware is developed with reliability in mind: operating at extreme temperatures, for example, or operating for 25, 30 years, and operating reliably without fail. Those are key considerations. Productivity as well: how to maximize the assets. Again it's not exactly in line with CIA but a different triad.

Some of the features that are interesting: flat networks are much more common, a lot less segmentation compared to IT. Similarly, the software and protocols used at level zero and one were built primarily for functionality. Many of them are 30-plus years old, not changing because it works, but they are insecure by design. While they were being designed, security was never at the forefront. Even the more modern, more recent versions and improvements of the protocols have some security built in, but they're not as secure as they should be. And then no authentication, historically, for lower-level devices. A transmitter is a transmitter, so if you replace it with another one it'll work just fine; there is no authentication usually. IIoT devices, I mentioned, bring on additional risk. They bring some features but always come with additional risk that you need to manage.

Now, even though ICS or OT uses many IT-like devices, IT solutions do not always apply to the OT world. For example, the human-machine interfaces: if you want to have the operator log in every time and authenticate, just to prove that it's that person, what if he or she is logged out and would not be able to adjust whatever parameter? It might be a safety issue. So the traditional authentication models do not work. These HMIs are typically always open, never locked out, always an open screen that I can walk up and touch if I happen to be in the control room. Similarly, USB access: if you're talking about data loss prevention or data leak prevention and want to block USB access, these PLCs probably do not have any other way to update logic but to use the USB. So that's something different. Also when we use firewalls: worst case, if you suspect something, we can't use "drop all packets" when you suspect malicious traffic or a packet, because that might have unintended safety consequences. Maybe some packet that is intended for a safety function is missed or dropped, and that will cause problems. So we can't use the traditional firewalls the way we use them in IT.

And then this is one of the more interesting things for me: patching is very different in OT. Patching at the lower level, the level one devices, might not be available at all. Many of them don't have the memory to take any patches, and for some, maybe the vendors are not around anymore, or maybe they're end of life; they should have been end-of-lifed years ago, but as it functions it continues to work and can't be patched. In many other cases, even HMIs that you can patch, and you fully patch, do not reduce risk. Unlike in IT, where we typically consider a fully patched system to have the lowest risk, in this case, because the protocols themselves are insecure, it doesn't matter if an operator issues a command or if a malicious attacker is able to somehow compromise and issue a command; that will still execute on a fully patched system. So what are you gaining by installing the patch? So we typically don't if the risk is not being reduced.

Now let's talk about the threats and impacts. We've all heard of Stuxnet, and we've had five distinct and major ICS attacks in the past decade or so. It started with Stuxnet, but we have had a lot more of the other types, for example insecure remote access or traditional ransomware or destructive malware; there are examples by the dozens, right? But we've only had so far five major ICS-specific attacks. These are hard to execute because you need to have really good knowledge of the control system, the plant design, how they operate. It takes a significant amount of time to come up with an attack plan in this bucket, because you need to understand the physics of the plant and you probably need to infiltrate the supply chain to get some of the malware onto the systems. On the other hand, for IT-like assets used in ICS or OT, or even direct IT assets that we use in the enterprise, as we saw at level four or five, if you're able to compromise that DMZ or somehow get through level three to level two, you're essentially seeing IT attacks propagating into OT, or IT equipment used in OT has the same vulnerabilities to be taken advantage of. So these examples: Oldsmar, Florida, the most recent example, insecure remote access; and just this past week, the DarkSide ransomware-as-a-service on the Colonial Pipeline. We're still waiting on more information, but we've had more examples before. I mean, this is not new, right? Destructive malware, NotPetya, huge impact, 10 billion dollars. Merck had significant losses, both revenue loss and actual disaster recovery expenses. Now granted, not all of these threats and impacts happened in power plants, but because the ICS systems are pretty similar across all these industries, these are good lessons for power plants just as well.

Now specific to power plants and risks: we as a society are heavily dependent on electricity. A total blackout, which is essentially no power, is an extremely low likelihood scenario because of how the grid is structured, the regional operators and all the other reliability functionality that we have. However, we can imagine a scenario where a smaller region might be attacked or forced to have loss of power. As we saw in Texas, especially if something was happening, a bad weather situation or something like that, and someone takes advantage of it by using some other attack vector at the time, we can imagine how things are going to be very difficult for that region, right? If they were having brownouts, which are essentially rolling power cuts where you move from place to place because you only have a certain amount of power to distribute, and if hospitals in the area don't have enough backup power, then they're affected. So dependency on electricity impacts other sectors as well. And then co-dependency: if you need natural gas to produce an extra marginal megawatt-hour of power, but the natural gas compressor station needs electricity. That's what happened in Texas, for example, where because of bad weather conditions the natural gas pipes were frozen, they couldn't supply enough gas to the power plants, and because the power plants were not on and not able to supply power, the compressor stations that could boost the existing natural gas pressure couldn't do their job. So that kind of co-dependency is also something of a high risk. Another scenario you can think of is if you have some actor attacking the traffic signaling system, or some kind of emergency services or telecom networks in the same area, while maybe brownouts are happening; that essentially can cause chaos and a lot of panic. So it doesn't need a total blackout, the whole grid in Canada or BC shut down, for a significant amount of chaos and panic to ensue.

Specific to resources: we have a skills gap. We always talk about that in the IT world, but it's even more acute because we have very few people that understand OT and IT. Therefore our management most times can't evaluate business risk properly; there's no one properly able to articulate what the impacts are of doing something or not doing something. Similarly, funding for OT security remains very low, because most power companies underestimate the likelihood of one of these scenarios happening.

Now, we are shoring up our defenses. It's not all doom and gloom; lots of interesting things, lots of exciting things are happening in the ICS world. We're seeing a lot of cool developments. These days you can put level one devices on the domain. You have a lot more firmware that is code-signed by the manufacturer. This doesn't obviously stop attacks like SolarWinds, but this is a much better situation than what we had before. Similarly on the OT side, we're doing a lot more segmentation and isolating networks so that we can apply proper security controls to whatever is the most risky. We're also taking a lot of asset inventory and enabling proper access and authorization controls, especially at level three and above. And then at level two and below, whitelisting is actually a lot easier in OT than in IT, because the equipment is pretty well understood, all the different scenarios are not going to change year over year, the applications don't need to change, so we can incorporate whitelisting pretty easily and in a robust manner. We now have both intrusion detection and intrusion prevention available on industrial protocols; several industrial-specific firewalls are available with these features, so we're starting to see more and more of their use. And then of course we have secure remote access solutions. Whatever you hear about an operator logging in from remote, that's the norm, but any time someone is actually planning a solution, we have solutions in the field. Similarly, all the external-facing endpoints, especially level three and above, are just like IT systems; there's really no need to worry about them causing any plant outage or not being able to take them down on a Sunday. You can, so they're being patched and hardened like any other IT asset. Similarly we're seeing a lot more thin clients and virtualization technology, which again makes the whole network more robust and manageable.

In terms of scenario planning: a lot of tabletop exercises. GridEx, conducted by NERC, happens every year, and lots of operators show up, law enforcement too; it helps planning, helps with understanding different situations, and like any other scenario planning, this is on a massive scale, 500-plus participants, for example, a red team/blue team kind of deal, and really helpful for lessons learned, incorporating them into any upgrades and changes in the security posture. We also have industrial control system specific frameworks: IEC 62443 is now increasingly being used. We've had NERC CIP, NERC's critical infrastructure protection standards, for quite some time, at least 15-plus years. They are more for compliance, and as we know compliance is not security, but even those standards are being evaluated more; the more recent standards have given risk weightage and more flexibility to incorporate security controls based on risk, versus being a very formulaic approach like they were before. We also see a lot in North America of the cyber security framework from NIST being used to apply security controls. And then active defense: we're seeing a lot of companies capable now of providing threat intel feeds and providing IOCs, so if you have an enterprise SOC, maybe use that as a level one clearing for your ICS-specific attacks, and then have someone at the plant, an ICS expert, take the level two or level three follow-up. These are available right now. Similarly, even MITRE ATT&CK has an ICS-specific framework, and we have the ICS-specific cyber kill chain as well. All these are really helping us understand how the attacks are happening currently across different industries and different parts of the world, so you can then incorporate that in your scenario planning and change any controls if you need to.

And finally, grid resilience. The cyber security aspect is not the only one that improves resilience, right? Cyber security is a risk, definitely, but there are many other things. Demand response, for example, is when the operator is able to match demand with supply by cutting back on demand. So if you were to plug in your electric vehicle at 6 pm, but the supply at the time is not enough, and the provider, for example BC Hydro, is able to say don't charge the vehicle now and start charging at 10 pm, that would be demand response. In fact you probably all got an email recently from BC Hydro asking if they should be considering such a system in the future. Distributed generation is when you might have solar panels on top of your homes; you're generating as well, but you're connected to the grid. This is called smart grid, as in you're not adding big generation equipment elsewhere but you're having more localized distribution, so that, number one, it's more reliable, it's more diverse, and secondly it's a lot less expensive because you're not building new transmission lines, and there are no new permits required or new environmental regulations to worry about. So it's a very different way of thinking about how to generate power. Digital transformation, we talked about it before: lots of benefits, a lot more data from all the devices, all the assets, all helpful in connecting with the enterprise side to optimize how you run your equipment, or when you start and stop your equipment, or how you operate it over a certain period. So lots of projects are underway and a lot more connectivity because of this. And then increased interconnects: US and Canada, we mentioned before that the grids are connected, in fact at 35 different places, but if they have even more, that actually helps in more resilience, because even if something were to go wrong in some portions, you can still import or export power from the other interconnects. Then diversify sources: if for whatever reason natural gas supply is cut back but you happen to have geothermal or other alternatives, then you'll be using them; that way your natural gas could be the backup at the time, and it just gives you a diversified supply to help in your resilience. Then adapt solutions, as in use existing power plants in a different manner: coal plants are polluting, so if you have carbon capture and sequestration you don't have to build a new plant, but add more technology to an existing plant. Similarly, if you have an existing nuclear plant, you upgrade it; you don't have to build a new transmission line, you're just using a non-polluting plant for much longer. Alternate fuels, again, same thing: you diversify the fuel mix, and it's always going to be helpful to have more options, essentially. So hydrogen and biomass are increasingly being used and increasingly being considered as alternate fuels that you can depend on. And then energy storage: we mentioned before that there is not a significant amount of battery or electric storage, but if that's something that's possible in the future, each home might have localized storage for a few minutes, 10 minutes, 15 minutes. It really helps in balancing power and not having to build a lot more capacity, because usually that's what happens: if you don't have any flexibility then you have to keep building so that you have this margin at the very top to cover every peak. But if you happen to have local distributed generation and some storage, then you can shave the peak, you can shape the max demand, and so you don't have to build a lot of power plants, a lot of generation.

Finally, to close out: improving the security posture really helps in having a reliable grid and not having to worry too much if something was at risk. We're seeing a lot more risk-based decision making. We're seeing the NERC regime improving, changing; in fact FERC has come out with some requests for information asking if they should fundamentally change how NERC CIP is implemented. And then finally, new financial incentives, both on the supply side and the demand side, changing people's behavior, for example on the demand side, so we may not use as much power or not use it at that time; that really helps in balancing the grid and improves the overall reliability.

So going back to the question: is the cyber security risk to the power grid significant? Yes or no? There are many items, many vulnerabilities, so there are many risks, but so far they have been managed well, and we're doing better. All right, I'll be available on the Discord channel for any questions.
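The talk makes two points that fit together: level zero and one protocols carry no authentication, so a write executes whether an operator or an intruder sent it, and allow-listing is easier in OT because legitimate traffic is static. The following added example (not part of the talk, and not a product of any vendor named in it) is a passive monitor that parses constructed Modbus/TCP frames and flags any write that does not match an allow-list of who may write which registers; the IP addresses, register window and frames are constructed for illustration.

```python
"""Allow-list monitor for Modbus/TCP writes (constructed example).

Modbus/TCP has no authentication: a 7-byte MBAP header (transaction id,
protocol id, length, unit id) precedes a function code and data, and a
controller executes any well-formed write whoever sent it, so the "who may
write what" check has to sit in a firewall or monitor in front of it.
"""
import struct
from dataclasses import dataclass

WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}

@dataclass(frozen=True)
class ModbusRequest:
    src_ip: str
    unit_id: int
    function: int
    address: int  # first coil/register addressed
    count: int    # number of coils/registers addressed

def parse_modbus_tcp(src_ip, frame):
    """Parse one Modbus/TCP request frame (MBAP header + PDU) into a ModbusRequest."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("malformed MBAP header")
    function, pdu = frame[7], frame[8:]
    if function in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        address, count = struct.unpack(">H", pdu[:2])[0], 1
    elif function in READ_FUNCTIONS or function in WRITE_FUNCTIONS:
        address, count = struct.unpack(">HH", pdu[:4])
    else:
        address, count = 0, 0  # other function codes are not range-checked here
    return ModbusRequest(src_ip, unit, function, address, count)

@dataclass(frozen=True)
class AllowRule:
    """One permitted writer: host, unit id, function codes and register window."""
    src_ip: str
    unit_id: int
    functions: frozenset
    first_address: int
    last_address: int

    def permits(self, req):
        return (req.src_ip == self.src_ip and req.unit_id == self.unit_id
                and req.function in self.functions
                and self.first_address <= req.address
                and req.address + req.count - 1 <= self.last_address)

def evaluate(req, rules):
    """Return None if allowed, else an alert reason. Reads pass; every write must
    match a rule including its address window, so a known HMI writing outside
    its registers is flagged just like an unknown host."""
    if req.function not in WRITE_FUNCTIONS or any(r.permits(req) for r in rules):
        return None
    return (f"unauthorised write fc=0x{req.function:02x} from {req.src_ip} "
            f"to unit {req.unit_id} addr {req.address} count {req.count}")

def build_frame(tid, unit, function, payload):
    """Assemble a Modbus/TCP frame; used only to construct the sample capture."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed policy: only the HMI writes, and only holding registers 0-99 of unit 1.
RULES = [AllowRule("10.10.2.10", 1, frozenset({WRITE_SINGLE_REGISTER,
                                                WRITE_MULTIPLE_REGISTERS}), 0, 99)]
# Constructed capture as (source ip, frame) pairs.
SAMPLE_TRAFFIC = [
    ("10.10.2.20", build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))),  # historian read
    ("10.10.2.10", build_frame(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 40, 1200))),
    ("10.10.2.10", build_frame(3, 1, WRITE_MULTIPLE_REGISTERS,
                               struct.pack(">HHB", 90, 20, 40) + bytes(40))),  # past reg 99
    ("10.10.2.77", build_frame(4, 1, WRITE_SINGLE_COIL, struct.pack(">HH", 0, 0xFF00))),
]

def monitor(traffic, rules=RULES):
    """Run the allow-list over a capture and return the alerts raised."""
    return [reason for reason in (evaluate(parse_modbus_tcp(src, frame), rules)
                                  for src, frame in traffic) if reason]
```

Running `monitor(SAMPLE_TRAFFIC)` raises two alerts: the HMI's block write that runs past register 99, and the single-coil write from the host that has no rule at all; the historian read and the in-window setpoint write pass.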