The Exposed Smart Grid

Security threats to the smart grid are a reality which utilities have to grapple with in order to avoid major grid catastrophes. In Engerati’s The Future of the Smart Grid: The ICT and Data Management Perspective (The Big Report, the authors examine the factors that open the smart grid to security threats and how utilities are (and should be) dealing with them.
Published: Tue 22 Jan 2013

The electricity grid is an increasingly vulnerable target for a wide range of attacks. This is caused by a number of features, peculiar to the grid itself. Firstly, there is a greater degree of dependence on Information and Communications Technology (ICT) than any other energy format. Because electricity travels across the grid at near light speeds, the management of specific issues of component failure or over/under supply in respect of particular regions of the grid is beyond the capability of human operators to maintain. This issue is not entirely absent in respect of other networks, such as gas or water. However, the speed needed for decision-making is unique to electricity.

Factors causing anxiety are:

  • The possibility of new personalized forms of cyber attack- Theoretically, the new smart grid may allow the possibility of cyber attacks to be directed at specific individuals. Initially, these are more likely to be large businesses than private individuals. The damage that could be achieved, where control of significant electrically operated plant is available remotely, could be considerable.
  • The proliferation of Intelligent Electronic Devices (IED’s) in controlling the grid- This may be more of a theoretical issue than real, since control will reside in a relatively small number of SCADA centers.
  • Increased physical access to the grid-The proliferation of IED’s and related devices could increase the number of potential access points to the grid as a whole
  • The use of Internet Protocol (IP) and commercial off the shelf (hard/soft) ware- While there are good reasons for deploying IP technology to speed up smart grid development, a major drawback is that IP is a common network standard with numerous, widely known vulnerabilities. For example, attackers can exploit packet hopping within a network to mask the origin of a hostile packet or series of packets introduced in to the network
  • Increased number of stakeholders –According to M.Masera writing on the issue of governance (2010), “The current decentralized nature of liberalized electricity infrastructure has as a consequence that individual operators cannot be held responsible for the way the system as a whole functions…Nobody owns, designs, or operates the infrastructure. The state of the infrastructure is the result of many independent decisions taken by all participant actors, not just at the technical level but also at the market level.”

In other words, the degree of actual threat to electricity supply, potentially involved by failures in cyber security, is high. The ability of governments and the public to hold individual organizations to account for those failures is also comparatively reduced.

Threat awareness

Broadly speaking, any point in the grid that is addressable intelligently is open to attack. That means attacks on smart grids could be as significant as attempts to bring down power stations, through to the “mischievous” hacker attempting to switch on all washing machines in a neighborhood on a Sunday afternoon. Also in play are the commercial hackers, looking to scoop up personal data for financial gain. This was demonstrated by Tony Flick and Justin Morehouse in a presentation at Defcon 18 where they gave the audience an insight in to the threat to personal data from hacked smart meters.

US power companies, realizing the seriousness of security threats, are disclosing threats in US Securities and Exchange Commission (SEC) filings. Energy giant Con Edison is possibly the first company to describe cyber attacks as a standalone risk category. Such disclosure is motivated in part by self interest, since failure to do so or to follow North American Electric Reliability Corp. (NERC) compliance, can cost power companies as much as US$1m per day in mandated penalties.

A turning point in utility threat assessment was the Stuxnet virus. This is the first known malware to spy on and take down industrial systems, as well as the first to include a programmable logic controller (PLC) root kit. While the worm spreads indiscriminately at first, it includes  a highly specialized malware payload, designed to target only Siemens Supervisory Control and Data Acquisition (SCADA) systems configured to control and monitor specific industrial processes.

The broad industry view is that utilities and smart grid, in terms of security, are where the telecommunications grid was a decade ago. Organizations such as the Department of Homeland Security and McAfee anti-virus specialist have warned of a dramatic increase in attacks on utilities over the last two years, with the latter frequently only able to play catch up, closing security exploits after the event.

Still, the utilities are not yet ready to handle such threats, alongside analysts warning that threats to personal security and the national power grid are reaching critical mass.  A Pike Research report on grid security, describes utility cyber security to be “in a state of near chaos.” This is reflected in concerns that in the US, many utilities take a “tick box approach” to security; spending billions of dollars on meeting federally mandated security compliance, as opposed to investing in the development and testing of real security solutions.

In terms of consumer response, security remains a major concern which creates resistance towards the smart grid. Despite this, concerns about cyber security remain significant for a small percentage of consumers. Smart grid operators must respond by addressing this concern as part of the general PR approach to ensuring confidence in the grid.

Engerati Analysis

It is clear that smart grid security is lagging behind the development of smart grid technology. With time (and sufficient finance for research), the gap should close.

Sources                                            

Engerati-The Future of the Smart Grid: The ICT and Data Management Perspective (The Big Report)