Published on December 26th, 2018 by Charles W. Thurston
Hackers targeting the electrical grid, your local utility, or the solar microgrid your home is linked into will have a harder time disrupting your electrons in the near future. Manufacturers of electronic equipment used in smart homes, in microgrids, and in utilities are beginning to adopt a set of cybersecurity standards set out by Underwriters Laboratories. At the same time, manufacturer-sponsored test hacking is helping to drive more frequent — and more secure — firmware and software upgrades.
Common points of vulnerability in microgrids, which are becoming indispensable generation sources for the US grid, are wired and wireless communications devices used to control — read shut down — monitor, repair, and reboot a system or a piece of equipment within the system.
“A distributed architecture in the energy space would be like having many smaller energy grids (read: microgrids) instead of a single, monolithic grid. With many microgrids, we go from a single point of failure to many points of failure. That might sound bad at first, but a system with many points of failure is more resilient than one with a single point of failure,” observes Christian Zdebel, a cybersecurity consultant at SilverSection.
“For example, if each U.S. state had its own power grid, a bad actor would have to take down 50 state-level grids to disrupt the whole country. Fifty (hypothetical) state-level microgrids, however, also increase the ‘attack surface,’ or the opportunities for intrusion and disruption from bad actors in cyberspace,” Zdebel says. “Increased resilience through microgrids demands that each microgrid operator adopts a sufficiently strong cybersecurity posture,” he adds.
While the utilities are routinely on the lookout for “bad actors” seeking to hack the big grid, microgrid operators must do the same for their equipment on a much smaller budget. Thus microgrid operators and individual smart home owners will seek to delegate the task to their equipment providers — if the chosen provider is proactive in this space.
For example, the communications ports of smart home controllers, which are common in microgrids, are a weak spot. On December 5, Eaton sent out a notice to owners of its xComfort Smart Home Controller, alerting them that a “potential vulnerability” had been detected, and that a new firmware download would cover the nominal breach.
Eaton is one of the electrical component and system manufacturers cooperating on cybersecurity and testing practices with UL, the global safety consulting and certification company headquartered in Northbrook, Illinois.
UL came out with the first edition of a cybersecurity standard in July 2017, the UL Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1, which was published as an ANSI (American National Standards Institute) standard.
This UL standard “applies to network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses and malware and describes: (a) requirements regarding the software developer (vendor or other supply chain member) risk management process for their product; (b) methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses and malware; and (c) requirements regarding the presence of security risk controls in the architecture and design of a product,” UL says.
The UL Cybersecurity Assurance Program (UL CAP) also aims to minimize risks by creating standardized, testable criteria for assessing software vulnerabilities and weaknesses. This in turn helps reduce exploitation, address known malware, enhance security controls and expand security awareness, UL explains.
“We seek to help manufacturers, their customers and other stakeholders mitigate security risks through science-based assessment and evaluation,” said Ben Miller, president of the Commercial and Industrial business unit of UL, in a statement earlier this year.
Eaton is the only company in the industry to have two labs approved to participate in UL’s Data Acceptance Program for cybersecurity, which includes the Eaton cybersecurity research and testing facility in Pittsburgh, the first lab approved to participate in UL’s program, the company says. Recently, Eaton’s innovation center in Pune, India, was added to the program and can also test global products to UL specifications.
Another way Eaton is proactively assuring the security of its devices is through the work of its new Eaton Cybersecurity SAFE (Security Assessment and Forensic Examination) Lab at Rochester Institute of Technology (RIT), which provides students with hands-on experience in solving cybersecurity challenges.
“Eaton’s proactive and consistent enterprise-wide approach to cybersecurity provides customers with confidence that our digital solutions meet rigorous testing standards to operate securely worldwide,” said Michael Regelski, senior vice president and chief technology officer of the Electrical Sector at Eaton, in a November statement.