RSA Conference: ​Lessons from Utilities – Internet of Things security

Bob Griffin is a long time senior executive at RSA. In that role, his primary focus is on a research project in Europe looking at security analytics on the smart grid. With the rapid proliferation of end point devices we’re seeing, particularly with the rise of the Internet of Things, or IoT, he brings some valuable insights from one of the oldest industries of the modern world.

I spoke to Griffin at this year’s RSA Conference in San Francisco.

“In the grid, in addition to inputting sensors into electric substations, where there’s always been some level of temperature and voltage sensors, the most rapid deployment of devices is actually on the wire infrastructure,” he says.

According to Griffin, in San Francisco, there may be in excess of a million sensors on the electrical cables just for voltage monitoring. As result, the utility can localise and analyse faults faster than before.

From the work he has done, Griffin has seen a significant divergence with two distinct IoT environments emerging.

“One is this industrialised environment in which a lot of what’s happening is the instrumentation of existing infrastructure and mechanisms – by and large it’s sensor information that’s being targeting as the focus of IoT. It’s the same in manufacturing,” says Griffin.

The other fork in the IoT road is personal devices, according to Griffin. That ranges from individuals with smartwatches, pacemakers or other medical and health related mechanisms. This also covers cars and homes.

“These significantly represent new kinds of information being gathered – information that was, in the past, largely done in doctor’s offices or in terms of cars at a repair shop”.

With such vast quantities of different information being collected in those two realms, there will be a growing need for analytics that can help us gain better insights through that data and then the ability to use that data for improved corporate and personal security.

The addition of so many sensors is delivering a qualitative change, and not just a quantitative one says Griffin. While we might be reviewing more data as we connect more devices to our networks, we are able to more finely control systems so we can operate them more efficiently.

For example, Griffin worked at aluminium smelters at one time. And while there were many sensors in place then, the latest generation of sensors, combined with analytics, allow those plants to better utilise facilities so yields are improved and equipment is operated more cost effectively.

“I know from colleagues in operational technology that those are being used for degrees of interactive feedback and manipulation of control systems that wouldn’t have been possible without this degree of additional information. It does mean new kinds of algorithms are being used that aren’t just looking for known patterns of variance but also indicators of compromise. Has someone being trying to manipulate the controller?”.

When it comes to security, it’s clear that not all IoT devices are created equally. For example, it would take a massive compromise for enough low cost sensors to be compromised and cause a significant issue. On the other hand, there are some significant opportunities to use sensors to get a better handle on operational security and detect anomalies and potential breaches.

When Griffin spoke about this with some utilities he was met with some opposition, particularly from IT departments that felt they were already overloaded. However, he pointed out that the use of this kind of data was already part of the organisational expertise where collection of data to monitor anomalies and correct faults was an everyday activity.

“That dramatically changed the conversation,” says Griffin.

That internal data can then be correlated with external data in order to detect and diagnose faults. But it’s analytics that makes it possible to manage the vast volumes of data and then prioritise what needs to be given the most attention rather than finding and fixing every small issue.

“It’s not about replacing people with artificial intelligence but deliver a much more broadly assistive system that takes care of things that otherwise they would otherwise not be able to accomplish’” says Griffin. “They’re not giving up control – they’re actually getting much better control of their environment”.

The key, he says, is to link the analytics with the risks you’re trying to specifically mitigate. For example, in the case of the recently hacked Ukrainian power grid, outages caused by external attack would have been high on the utility’s risk register. If the utility had the right tools in place to detect anomalies, then it may have been possible to either thwart or minimise the impact of that breach.

Anthony Caruana attended RSA Conference 2016 as a guest of RSA