Cloud, cars and IoT could change grid cybersecurity

The proliferation of connected devices including electric cars could provide grid operators with an operational view of cybersecurity threats and change the way the grid is secured, said Karen Evans, assistant secretary of the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response.

While experts generally consider the internet of things to be a risky ecosystem full of unsecured devices, Evans said there could be an upside. In remarks to researchers from CESER's Cybersecurity for Energy Delivery Systems  (CEDS) program on Nov. 6, Evans said a growing fleet of connected electric-powered vehicles "could become sensors" to provide cybersecurity situational awareness.

"The cybersecurity model can work from the outside," instead of coming from the inside of a system, she told the researchers. Electric cars have to be recharged at homes or other locations, she said.  As they charge, they could reach out from that recharging station to gather threat data from local electric grid infrastructure.

"It could do a wellness check of the grid in that area," said Evans, particularly as mostly privately owned electric grid infrastructure providers create "microgrids" that can operate locally and independently or as part of a larger grid. That wellness data, according to Evans, could be provided to the Department of Homeland Security to help with that agency's overall cybersecurity situational awareness.

CESER, housed at the DOE, is the sector-specific agency responsible for monitoring the U.S. electric infrastructure, but it also passes on threat data and coordinates with DHS.

Using the growing numbers of electric cars as cybersecurity sensors is a goal that could be reached in the relative short term, within two or three years, she told her audience of cybersecurity researchers.

Cloud computing is also altering the cybersecurity posture of infrastructure providers, Evans told FCW in an interview after her remarks.

Cloud adoption among infrastructure providers is growing.

"A lot of the utilities are looking at 'how can I reduce my operating costs and what portions can I actually do that with?'" There is a distinct difference and set of concerns, said Evans, when using the cloud for administrative data and operational data for a grid system.

"Obviously you want to be able to take advantage of the efficiencies of cloud, but then DHS released a bulletin dealing with [threats against] managed services," she said. "CESER’s role is to get as much information out to industry about cloud security as possible.”

The volume of data from remote sensors in pipelines and energy systems has to go somewhere, said Evans, and that could be the cloud in the future.

Some utilities are extremely cautious about moving to the cloud, however, even using air gaps, or physical separation to keep some systems separate from the public internet.

A paper presented at the CEDS conference by Argonne National Laboratory researchers outlined an ongoing project to help grid providers securely move their data to the public cloud.

The project, which began in 2016 and is slated for completion in 2021, uses Amazon Web Services' GovCloud and specialized encryption capabilities that keeps "real" operations data on local servers, while it is decrypted for optimization, then encrypted before being to be moved to the cloud, said Argonne researcher Feng Qiu.

That step, said Qiu, protects against a gap in encryption for the data that could otherwise be exploited by hackers as it is moved into commercial cloud. The technology is designed to work on any commercial cloud, and the lab plans on making it available to the industry as a straight technology transfer or offered as a software-as-a-service for grid providers, he said.