Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/686319
UTILITY WEEK | 3RD - 9TH JUNE 2016 | 11 Sponsored Report: Internet of Things "IoT-enhanced automation delivers a remote manage- ment and monitoring capa- bility that sharply reduces the skill requirement and labour intensity of network management." STEPHEN GOODMAN, CISCO, CTO – INDUSTRY & INFRASTRUCTURE "Without an efficient way of dealing with those security challenges, the task of securing end points grows in lockstep with the number of end points themselves." SVEN SCHRECKER, CHIEF ARCHITECT, IOT SECURITY SYSTEMS, INTEL an attack are less serious," sums up MWR InfoSecurity's Ruks. "From a technology provider's point of view, the race to be first to market needs to come second to develop- ing secure and stable IoT offerings." And key to those secure and stable IoT offerings in a utility context, it seems, are a number of cross-industry standards – some backed by regulatory mandates, others sim- ply seen as best practice. IEEE P2413, for instance, is a standard for an architectural framework for the Internet of Things, backed by industry-leading technol- ogy providers such as Intel, General Electric, Cisco, Siemens and Schneider Electric. ISA/ IEC 62443, meanwhile, is a series of standards defining procedures for implementing elec- tronically secure industrial automation and control systems. And most recently, in North America, there is a requirement for utilities to comply with NERC CIP 5, a cyber security and physical security standard designed to reduce the risks cyber security attacks. And the whole point about such stand- ards, says Sven Schrecker at Intel, is that they provide a consistent and well-under- stood open common framework for IoT deployment – something to be welcomed by both utilities and technology providers, as well as regulatory and governmental bodies. "From an Intel perspective, we welcome and participate in global standards: they provide clarity, a common consensus-based approach, reduce barriers to entry, and help build economies of scale," he points out. That said, adds Rick Geiger, Cisco, Execu- tive Director, Utilities & Smart Grid, the broad direction of travel within the wider European context is one that makes sense. "Have technology standards as a base- line, and then build from that in terms of risk assessments, regular reviews, and audits by appropriate third parties – exactly as hap- pens in other industries, and other contexts. What no one wants are 'box-ticking' audits, blindly carried out – and what we're seeing in the United States right now are a num- ber of regional variations within NERC CIP 5 auditing, as different regional NERC CIP 5 auditors interpret it in different ways." And ultimately, concludes Sven Schrecker at Intel, a common utilities-wide approach to IoT and cyber security will have to emerge: the Internet of Things isn't going away, and the benefits it offers – ranging from manage- ment to digitisation – are becoming increas- ingly alluring. "As the connected grid continues to grow, connecting more things in more places cre- ates new security challenges – and increas- ingly, security is a critical factor to unlock the value of IoT for business while not becoming vulnerable to sophisticated threats. Without an efficient way of dealing with those secu- rity challenges, the task of securing end- points grows in lockstep with the number of endpoints themselves. Here at Intel, we like to think that there's a way of breaking that lockstep relationship, so that utilities can continue to add endpoint devices without adding linearly to the security challenge." Europe's new General Data Protection Regu- lation – written into law by the European Par- liament just this April – give data protection regulators a whole new set of teeth. "Here in the UK, the Information Com- missioner can already levy fines of up to £500,000," he points out. "The new General Data Protection Regulation imposes both a requirement for companies to disclose per- sonal data breaches within 72 hours, and fines of up to 4 per cent of global turnover." No wonder, then, that both utility indus- try insiders and utility cyber security experts speak of utilities treading cautiously in their approach IoT technology. "It's a journey, it's incremental, and the industry will have to feel its way," says Chris Harrison, research engineer at the Univer- sity of Strathclyde's Power Networks Dem- onstration Centre. "Early adoption won't be in interconnectors and power plants, but smaller devices with lower levels of critical- ity, such as low-voltage feeders supplying small communities." Jalal Bouhdada, principal industrial con- trol, systems security consultant at Applied Risk concurs. "Many utilities can see the potential bene- fits of the Internet of Things, but are hesitant over whether or not to proceed," he observes. "In part, it's doubt over the certainty of those benefits, but mainly it's concerns over cyber security that are holding them back." Which is certainly a view that chimes with insiders such as Oliver Soar, marketing exec- utive at small business-focused independent gas and electricity supplier Yü Energy. "Taking our first steps into the IoT mar- ket would require a big investment in knowl- edge and marketing, and at present, the risks are too large for us to take – it might mean exposing our customers' data to vulnerabilities." So how can this circle be squared? How can utilities make safe and informed choices about IoT technology and IoT deployment, without opening up their networks to greater risk? Increasingly, among technology providers and utilities alike, there's a growing accept- ance that a standards-driven and risk-based approach, embodying best-in-class security and rigorous design and testing, can deliver IoT technology that's fit for purpose in a util- ity and network context. "When you're talking about devices connected to industrial control systems, and slated for deployment in major pieces of industrial infrastructure, the rigour required is much greater than for con- sumer devices where the consequences of Utility Week in association with