Network

Network February 2017

Issue link: https://fhpublishing.uberflip.com/i/782355


So might cloud adoption by energy utilities extend even further – into the operational systems that actually manage the flow of electricity and gas around their respective networks and grids?

Here, the arguments for cloud are more nuanced, say insiders. On the one hand, there are the familiar arguments that the cloud offers flexibility, affordability and scalability. On the other, there are worries about security, legislative and regulatory hurdles, and utilities' instinctive conservatism.

"There's a sense among utilities that if they buy or build something, and have their own people operate it, then there's a greater degree of control over it, and consequently less risk," says Jon Bridges, head of cloud at cloud and network service provider Exponential-e.

What's more, those security worries can have regulatory teeth, adds Chris Sistrunk, principal consultant for industrial control systems at information security provider Mandiant FireEye, and a former electrical engineer in the transmission and distribution operations of Entergy, an integrated energy company in the Deep South of the US.

NERC CIP 5, for instance – a US security standard designed to reduce the risk of cybersecurity attacks – imposes strict controls over security perimeters and data ownership to help keep critical infrastructure secure.

"You can't just ship data off site to a server that you don't own, which is basically what happens when you outsource computer capacity to the cloud," Sistrunk points out. "To my knowledge, there isn't a single American power company using cloud technology in its network infrastructure."

Given the generally pioneering role the US has taken in many technology-related areas, its restraint on cloud adoption is likely to engender a similar reluctance among UK and European energy utilities.
Certainly, says Tony Rowan, chief security consultant at IT security provider SentinelOne, security remains the "big unknown" for utilities that are weighing up the cloud.

"Utilities using cloud in their back-office business systems is one thing, but using it in operational systems is quite another," he says. "To my knowledge, no utility is yet using cloud for delivery systems and network control."

All this worry about security isn't without a certain irony, though, according to Stuart Ravens, principal research analyst at Navigant Research. He says outsourcing to the cloud may well be a more secure setup than using on-premise servers, and not less secure at all.

"Generally, utilities are probably behind the curve in terms of cloud security, partly through late adoption and partly for reasons of cost," he points out. "But cloud providers have made huge investments in security – investments that far outstrip utilities' ability to emulate them. At this point, the cloud is basically probably safer than on-premise servers."

That said, while cloud deployment for network and grid management may be off the table for now, there's certainly evidence that energy utilities are at least mulling a partial move to cloud computing.

Christine Easterfield, principal consultant at analyst firm Cambashi, for instance, sees utilities easing their way into cloud adoption through non-critical applications such as analytics – leveraging cloud technology to analyse information from network and grid sensors in real time. Such applications, she says, "will provide a sense of comfort, as well as give utilities valuable operating experience in terms of deploying cloud in their networks".

Wales & West Utilities is one such utility. It is already using cloud technology for back-office applications such as a call centre, management information systems, and for capturing the details of vulnerable customers.
The gas emergency and pipeline service for Wales and south-west England has also recently rolled out a cloud-based application to record the results of gas pipe pressure tests, as well as an application to control its district gas governors remotely, according to Mark Oliver, director of business services at Wales & West.

"There is flexibility, the ability to scale, and improved access to remote data and systems as well as the cost benefit to using the cloud," he explains. "That said, from a regulatory point of view, we are continually focusing on reducing our operating costs, whereas cloud turns what would traditionally be capital expenditure into operating expense."

Security

To understand utilities' concerns about the security of cloud-based network management systems, think no further than the attack on the electricity distribution networks of western Ukraine on 23 December 2015. Lights went out across the affected region, with technicians locked out of their computers while the attackers executed commands. Subsequently attributed to Russia, the vulnerability was tracked to malware loaded on to USB memory devices.

The Stuxnet malware brought Iran's uranium-processing centrifuges – literally – grinding to a halt in 2010, their mechanisms destroyed by commands that exceeded the machines' operating limits. The perpetrators are alleged to be US and Israeli intelligence services, again using USB devices.

Steve Mulhearn, director of business development at IT security provider Fortinet, says: "All that is required is one weak link – and hackers are inside."

Geopolitical storm

At the start of 2017, one of the 17 electricity distribution companies in the US state of Vermont found itself at the centre of a media storm when it was reported that Russian hackers had compromised the grid.
What nearly ended as a geopolitical nightmare was caused by a simple IP address belonging to yahoo.com, which had been identified by the Department of Homeland Security as part of its Indicators of Compromise release. The release was intended to identify tools used by Russian intelligence services in attacks allegedly attempting to influence the US presidential elections.

Security analysts have been critical of this move by the US government, saying that rather than serving as a definitive link between the Russians and the DNC hack last summer, the report "does nothing of the sort".

Robert Graham of Errata Security said in a published letter to President Obama that the report is "full of garbage".

"It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia.

"It contains a long list of IP addresses from perfectly normal services like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and malvertising. It doesn't mean every access of Yahoo is an 'Indicator of Compromise'."

The distribution company, Burlington Electric, unexpectedly triggered the storm by dutifully feeding the indicators of compromise into its scanners. One of those signatures fired off an alert when one of the company's employees checked an email from yahoo.com. Burlington isolated the computer and informed the authorities.

At this point it was wrongly reported in the media that the electricity grid itself had been breached, reports Burlington had to quickly quash.
