Fears that it’s rapidly expanding electricity infrastructure may be vulnerable to security and cyber attacks prompted China to announce plans of staggering increase in smart grid security spending. Representing an annual compound growth rate (CAGR) of almost 45%, grid defense spend will grow from US$1.8b in 2011 to US$ 50b by 2020.
A new report by the business analysts at GlobalData described China’s smart grid security situation as an anomaly due to the scale of expenditure when compared with that of other regions. For example, Europe and North America combined are predicted to spend a comparatively modest US$16b on cyber security during the same forecast period.
But to put things in perspective, the GlobalData research also offers the insightful observations on China’s grid security policy:
- China has a strained relationship with a number of nations in relation to cyber security.
- The United States, in particular, has on several occasions accused Chinese hackers of attempting to breach their power systems.
- China fears that these accusations may have fostered an environment of mistrust which may lead to retaliatory cyber-attacks on their own power infrastructure.
- China continues to experience rapid urbanization and expanding its smart grid, which directly results in increased exposure to cyber attacks.
And let us not forget the Stuxnet computer worm discovered in 2010. The Stuxnet example is arguably the most dramatic demonstration of the vulnerability of modern power grids to malicious cyber-attack. According to Global Data, “the worm focused on 5 Iran-based organizations and was believed by many to be a deliberate attempt to disrupt the Iranian nuclear power program.”
Serious threats to securing the grid
A Pike Research 4Q 2011 report, entitled Utility Cyber Security: Trends to watch in 2012 and Beyond, identified the following threats to power grids everywhere:
- One size doesn’t fit all: cyber security investments will be shaped by regional deployments. As an example, consider smart meters saturation in the US and, comparatively, versus EV adoption rates in the Middle East.
- Industrial control systems, not smart meters, will be the primary cyber security focus. Here, they refer to control systems such as transmission upgrades, substation automation, and distribution automation.
- Assume nothing: “security by obscurity” will no longer be acceptable. Using the example of the Stuxnet worm, assume attacks are a probability and not merely a possibility.
- Chaos ahead?: The lack of security standards will hinder action. No industry standards exist.
- Aging infrastructure: older devices will continue to pose challenges. While modern advanced metering infrastructure (AMI) devises have built in cyber security, some supervisory control and data acquisition (SCADA) systems are older and have no built-in security features.
- System implementation will be more important than component security. Cyber security works to protect a whole entity and attackers look for holes.
In August 2012, Smart Grid News told of the US Department of Energy (DOE) urging the country’s electric utilities to take matters of security seriously – a lot more seriously. Asking the power providers to ignore the political inaction on the cyber security bill and move forward.
The DOE made the following recommendations (among others):
- Set up a cybersecurity governance board.
- Appoint a Chief Security Officer who reports to the company's board of directors.
- Develop a cybersecurity strategy.
- Recruit a new VP of cybersecurity to execute that strategy.
- Share data about threats, attacks and solutions with other utilities.
The final say:
It’s been said that power provides are reluctant to discuss and share information about imminent attacks. Let’s hope the lack of competition for China’s State Grid Co, which provides 85% of the nation’s power, will work in their favor. I cannot imagine a scenario where a utility may offer a plausible explanation for guarding information on a possible cyber threat to the nation’s grid.