Klaus Mochalski is joined by none other than Todd Wiedman, CSO of Landis+Gyr and CEO of Rhebo. Todd talks about his more than 15 years of experience in industrial enterprise cybersecurity and provides insights into the security challenges of the Smart Grid and Advanced Metering Infrastructure with its millions of smart meters and essential head-end systems.
Welcome to a new episode of the OT Security Made Simple podcast. I'm Klaus Mochalski, founder and CEO of Rhebo. With me is Todd Wiedman. He is the chief security officer of Landis+Gyr.
Yes, I've worked at Landis+Gyr for about seven years, but I've been in the security industry for over 15. I've done everything from corporate security to fighting bad guys in a security company. And now I'm protecting Landis+Gyr.
Okay, so maybe quickly tell us, what did you do before Landis+Gyr in terms of cybersecurity? What specific areas were you active in?
Before I worked at Landis+Gyr, I worked for a security services company called SecureWorks in the US. And we were responsible for protecting customers, mostly bank customers, from security threats and attacks. We also supported them and partnered with them when the attack did happen. And I was responsible for also protecting the internal company itself. Before that, I worked for a large bottling company in Atlanta, Georgia, and I was responsible for all their security operations functions.
So Landis+Gyr builds smart meters. And we all know that smart meters are very relevant from a security perspective. And that's mostly why we are sitting here today. We want to tell our listeners a little bit about the security challenges in a smart meter infrastructure. But we are also sitting here because Landis+Gyr acquired Rhebo about two years ago. Maybe tell our listeners a little bit about this. So from your perspective as security officer, what was the rationale behind acquiring a startup company dealing with OT security?
Well, let me start with why we looked at security. Landis+Gyr has been in the meter business for a very long time. And as we look forward to where this space is going, smart meters are really turning into smart infrastructure. And we see that there's going to be a lot of edge systems that are going to play a major role in this space going forward. And today we do a really good job at protecting and defending the smart meter infrastructure.
But as this extends into other areas and different types of meters and different types of solutions at the edge, there's going to be a need to focus on protecting the entire edge. And we see this as something that we are very much able to take our knowledge of today and be able to extend that into that edge piece. We also think that the threat landscape is changing. In the past, the thought was that the smart meter would be the avenue of attack. And we see that that's switching to more of an attack of the control systems that are managing these edge devices. And we also have had experience in managing head-end systems for a long time.
We feel that knowledge and understanding can help the industry and our customers in how they protect this overall edge piece. But the one piece we didn't have a lot of knowledge about was the substation and the network between the substations. And so looking at opportunities, we found Rhebo as somebody that could come in and fill that gap. Now we feel with the current environment, we have a full focus from the entire distribution side of things, all the way from the substation down to the edge devices.
So you're saying that even for a company that for many years has been squarely focused on building smart meters, security is not only related to smart meters anymore, but goes way beyond because the infrastructures become more complex.
Especially for our German listeners, we have this famous book Blackout, which we have been talking about for, I don't know, at least ten years. And interestingly, it describes a scenario where there is a widespread blackout starting in Europe based on vulnerabilities that are being used by malicious attackers in the smart meters. So from an expert in this field, is this scenario still valid?
The challenge of attacking a smart meter is you have to attack a lot of them. And the vector of attacking the smart meter is that you have to either go to every single house and break into a meter or you have to get to the network and break into every single meter. In the scenario in the book, if I remember correctly, at the end of the day, they basically broke into the firmware and had a firmware bug that was planted in, which allowed them to control many of the meters, which is a potential valid scenario.
And by the way, Landis+Gyr does a lot of work to ensure that our firmware is protected, but of course if you get into the network, then obviously you can control multiple meters from a network perspective. But again, Landis+Gyr and all the other companies in the space have done a very good job of protecting the network and the meter itself from an encryption perspective.
So my answer to you specifically would be: it would be very difficult via that attack vector. And with all the protections that Landis+Gyr as well as other companies in the space have, it's been something that has been very difficult to do and we haven't seen a lot of success in attacking a meter specifically.
I do think there are vectors of attacking the firmware. I also think, as I mentioned before, attacking the control systems – that are the systems that manage all those devices – is where the focus really needs to be from a protection perspective.
I understand that the attack vectors targeting the meters directly have been in the focus of all the companies, pretty much. So although there is probably always a small risk remaining, that vector is pretty unlikely. I also understand that the market has developed away from just a smart meter infrastructure all the way to a smart grid infrastructure.
Sorry, let me clarify something here. It's very important that we protect the meter and it's very important that we protect the network. Right? Today we do that mainly with encryption. So we encrypt everything. We ensure that everything's protected and we have some visibility.
I do think that as we get more mature and we see more attack vectors, we need to increase our visibility at the edge, both in the meter as well as any other edge devices as well as the network that's connecting the meters to the control systems. So even though we do that well today, there's always room for improvement in that space.
Of course. Based on this development, what do you see as more recent, let's say, attack scenarios that we all need to work to protect this infrastructure from?
I do think that we really need to ensure that the control systems that are being used in these environments are protected and secured from a Landis+Gyr perspective. We have a number of head-end systems that we design, develop and sell and we feel that those are properly protected and secured.
There are a lot of other devices that are going to be added to the grid edge and those companies are going to also need to make sure that their systems are secured. Some of these companies have never dealt with critical infrastructure before. They're putting devices on the grid edge that could manipulate energy and we just need to make sure that everything that goes into this space is properly managed, protected, secured.
And the last piece is that I think we're going to see a lot of regulatory requirements that will be coming down from the government agencies that will drive this as well. Because I think they also understand that there's a lot of new players in the space, there's a lot of new systems in the space, and all these need to make sure that they're protected appropriately. Right?
A challenge we have come across over the past years actually already is that quite often you don't have a single vendor providing the systems for a critical piece of infrastructure. But it's quite often, well actually probably in most cases a multi-vendor infrastructure. And here the question comes in who feels responsible for protecting it if it's not a single vendor. We quite often had this discussion in the past.
So for instance, we provide our security solution to a vendor of residential battery storage systems, to monitor their infrastructure. It was a simple case because they are the manufacturer and they also run the infrastructure and they are monitoring the batteries. So there was only one stakeholder.
But in many other instances, for instance, we had discussions with wind farm operators, it was difficult to find the single stakeholder person or vendor who felt responsible. The operators of wind parks pointed to the people building them. The people building the wind parks pointed to the vendors and they pointed back to the operators. In the end, nobody really felt responsible.
So in a smart grid, smart meter infrastructure, how do you see this developing? Who's going to be the one most responsible for cybersecurity and how do you see this being dealt with in today's projects?
It's a great question. It's one that we bring up a lot of the time as well. If you look at where we're going with smart infrastructure, the utility does have responsibility for a number of the devices that are going to be used in the smart infrastructure, but they don't have the responsibility for all devices. And some of the devices that are in question are going to have major impacts to the grid.
Just think of the batteries, as you gave the example. If you have a battery system or even have consumer battery systems that are basically allowed to manage peak loads in an area of the grid and if those battery systems get hacked or crippled by ransomware or some type of event so they are no longer available, who is responsible for that? Is it the utility that is ultimately needing the energy? Or is it the consumer that bought the battery pack? Or is it the manufacturer who owns the battery pack?
And those questions, I think, need to be worked out from a bigger picture in the industry because no matter what's in the smart infrastructure space, it needs to be secured. We need visibility to that. And if we don't have the ownership, then when something does happen, nobody's going to know who's really accountable and how we would get the issues resolved.
Do you think the market will solve this or do we need stronger cybersecurity legislation and regulation?
Yeah, actually we've seen this as a big driver. So besides growing awareness with different industry segments, regulation has increased, tightened, especially here in Europe. This was a big driver for our business here.
So I agree. As much as I'd like to see customers understand the challenge and everybody doing their part and working together, the more multi-vendor these environments get, the more difficult the discussion becomes. And so the more important it is that we have a sound regulatory framework. And we've seen this, particularly here in Germany, where the regulation is based on the EU NIS directive and where regulations and the laws are becoming more and more technical. Which surprised me at first, but this is probably because they need to be technical and need to be specific.
For the final part of the podcast, let's turn a little bit to our cooperation. Rhebo provides a solution to do network-based monitoring of OT infrastructures. So, as you said, we're monitoring substations and control systems, but also endpoints of industrial IoT devices. From your perspective, how does it go together? So which gaps can a solution like Rhebo's close in helping provide security not only to smart meter infrastructure, but to a wider smart grid?
From a Landis+Gyr perspective, we see that there needs to be a full solution on the distribution edge space. So to the substation, to the edge. Rhebo does a really good job of filling the gap on the substation, the network and OT space. And we're starting to get into the IoT side of things as well with the Rhebo solutions. Landis+Gyr has a lot of knowledge on the control space and the smart meter space. So we'll be also layering solutions on top of that space as well to fill the gaps that either Rhebo doesn't do today or that we just have an extended Rhebo to.
And then on the edge perspective, there's a lot of changes coming with smart meters, they're becoming more grid edge intelligent meters, which means that we can do things actually on the grid edge that we couldn't do in the past, but it also means that there's more processing there, there's more things going on. And as those things happen, we're going to also be needing to ensure that those are protected. So we are taking the Rhebo solution and extending that to those smart grid edge devices, whether they're Landis+Gyr devices or other devices that we see that would end up in the homes.
Yeah, that's very interesting and something I personally look forward to because Rhebo is headquartered in Germany, which has a market with regard to smart meters that's still in its infancy for some reason. I mean, there's a complex number of reasons we're not going to discuss here.
But I find it particularly interesting that a company from Germany providing OT security and a smart meter vendor are cooperating here. I think there are very good things that we can build and we all need to work on making the smart grid and smart infrastructures more secure.
So, Todd, thanks for telling our listeners about smart meters and the trends in the markets here. And for me it was a very interesting discussion. And of course, we here at Rhebo are all looking forward to the future cooperation with Landis+Gyr.