The 'Essence' of Cybersecurity
by Reed Karaim, Contributing Writer
The online world can be a dangerous neighborhood. News
of another huge data theft or malicious computer virus seems to arrive
almost weekly. One study found that 740 million online records were hacked
last year. Target, the giant retailer, revealed cyber-criminals had stolen
information on as many as 70 million of its customers alone.
While it hasn’t received nearly as much publicity,
cooperatives and other electric utilities haven’t been immune from this
assault. Craig Miller, chief scientist for the National Rural Electric
Cooperative Association (NRECA), says there are thousands of probes, big and
small, into utility systems. These threats to the security and stability of
the nation’s grid are only expected to grow.
But an ambitious effort by the Cooperative Research
Network (CRN), the research-and- development arm of NRECA, and several
partners is underway to make sure the systems delivering your power remain
safe and secure. It’s called “Essence” and through the project, researchers
are developing the next generation of automated cybersecurity for the
industry.
That’s particularly important for co-op members and other
consumers, who not only count on the power being there when they need it,
but also on their electricity provider protecting their privacy. “The
success of Essence will improve the protections around their personal
information and it will improve the reliability of their power systems,”
says Miller.
Miller says most of the attempts to hack into utility
systems have been efforts to grab personal data or business information.
Consumers obviously want to be sure bank account information, social
security numbers or other personal data don’t fall into the hands of
identity thieves.
But there have also been more ominous attacks that should
concern any U.S. citizen. “There have been attempts on control systems. They
are much rarer because they require a much higher level of expertise, and
there’s no potential monetary gain,” Miller says. “But people have done it.”
The assumption, he says, is that some of these efforts
are by “state actors,” other nations probing for potential weaknesses.
Defense analysts also believe a cyber-attack on the nation’s power grid
could be attractive to terrorists for its potential to create widespread
chaos.
The essence of Essence is to protect Americans from all
these threats. There are existing software programs with the same goal, but
it’s how Essence safeguards utility systems that makes it a major advance in
cybersecurity.
Most computer systems are protected through firewalls,
special software that blocks suspicious attempts to connect or upload
software. But these programs largely depend on lists of known threats that
have to be constantly updated. “One of the challenges is that these security
systems require expert users who are hyper-diligent about staying current,”
says Miller. “They also have the potential for human error. This creates
vulnerabilities.”
But Essence changes the balance of power in this constant
battle. “Instead of monitoring what’s going in and out of the network, it
monitors the network itself and uses advanced algorithms (procedures) to
determine what is normal,” explains Maurice Martin, CRN’s project manager
for cybersecurity. “Essence looks for anomalies — stuff that shouldn’t be
happening — and then raises a red flag when it sees something that’s amiss.”
This means Essence doesn’t have to depend on lists of the
latest dangers out there, or on humans keeping it up-to-date. It doesn’t
need to know exactly what hackers are up to because anything that’s not
right with the system will get its attention.
All this is accomplished by an unassuming device, small
enough to be held in one hand, which can be added to a utility system in key
spots to unobtrusively monitor what’s happening on the network.
Project managers also have taken several steps, including
using storage in the cloud and open software standards, to keep costs down
and make sure Essence doesn’t require extensive expertise to manage. “It’s
going to bring state-of-the-art cybersecurity to co-ops of every size, from
the biggest to the smallest,” says Martin. “The philosophy is no co-op left
behind. Everyone will be able to use this.”
Essence is being developed through a $4 million grant
awarded by the U.S. Department of Energy to research next-generation
cybersecurity devices. CRN has partnered with Carnegie Mellon University,
the Pacific Northwest National Laboratory, and the cybersecurity firm
Cigital on the project. Several large corporations are also following the
effort.
Researchers hope to have the first version of the Essence
device in the field for tests early next year. If it’s as successful as
expected, commercial partners will be brought in to produce the product,
providing electric utilities with an affordable, automated cybersecurity
system they can depend on.
That will be good news for
consumers everywhere. As Martin notes, “Maintaining cybersecurity for your
co-op or utility is
something that matters to anyone who’s on a
power line.”
Reed Karaim writes on consumer and cooperative
affairs for the National Rural Electric Cooperative Association, the
Arlington, Va.-based service arm of the nation’s 900-plus consumer-owned,
not-for-profit electric cooperatives.
|