Over the last two years, grid organizations such as the US Department of Defense, the Government Accountability Office (GAO), and the European Network and Information Security Agency (ENISA) have shown increasing concern over cyber attacks on power grid infrastructures. Politicians and policy-makers across Europe and North America agree that the power grid is vulnerable to attack without proper security measures.
Another Pearl Harbor
US Defense Secretary Leon Panetta says that cyber attacks could “cripple” the power grid and “could represent the potential for another Pearl Harbor.”
These are strong words from such a senior figure and one would expect policy-makers to sit up and take heed.
However, this hasn’t been the case in the US, where the US Cyber Security Act of 2012 has failed to make it through Congress. This is despite widespread support from utilities, IT firms and the North American Electric Reliability Corporation (NERC). The lack of support for the Act, which focuses a great deal on grid security, will hamper efforts to establish effective frameworks for grid security that will enable wider smart grid adoption. The Act was developed to increase the US government’s ability to set and enforce a minimum level of security on companies that own civilian infrastructure. It also provided a platform for information sharing among companies, government agencies and regulators with regard to security threats and preventative measures.
According to Sophos analyst Graham Cluley, there is little doubt that developed countries continue to develop state-sponsored cyber weapons. One such example is the 2010 Stuxnet virus, which was developed jointly by US and Israeli officials to prevent the development of Iran’s nuclear program. It was intended to affect only the Natanz plant in Iran, but was mistakenly unleashed on the global Web. It is for this very reason that officials are calling for tighter security measures.
Concerns Over Privacy
Opponents of the Act have concerns about the invasion of customers’ personal data, as well as the “regulatory burden” that utilities may experience. Uncertainty around the smart grid is already brewing due to the technology’s “perceived” security vulnerabilities and potential to invade privacy, writes Ovum. To avoid this, utilities, government, and regulators need to show their support of the smart grid by developing clear standards for grid security. These standards are essential for the smart grid’s development. Role players should view this as a priority so that power grids are secure by design and can gain more trust.
Europe's Response to Cybersecurity
The European continent’s approach to smart grid security is not much better. EU decision-makers have announced that a smart grid security framework will only be in place by 2014. In the interim, cyber attackers get the opportunity to perfect their malicious craft. ENISA, in its 2012 report, Smart Grid Security: Recommendations for Europe and Member States, shows that the energy sector and the IT security sector must be aligned on security for smart grids. Professor Udo Helmbrecht, executive director of ENISA, explains: “We estimate that without taking cyber security into serious consideration, smart grids may evolve in an uncoordinated manner.” The report indicates that the European Commission (EC) and the authorities of the Member States (MS) must provide a clear regulatory and policy framework on smart grid cyber security at the national and EU level, as this is currently missing.
Vulnerability of the Smart Grid
There is much anxiety around grid security as the deployment of advanced metering infrastructure (AMI) grows. Ovum explains that the increasing adoption of AMI, a greater dependence on distributed generation, and consumer adoption of home energy-efficiency programs and technologies are making power grids smarter. Grids are therefore no longer simple distribution systems, but are becoming two-way communications networks. The changes bring a greater reliance on standard IT and networking components, exposing the grid to many more security threats. Also, AMI components are designed to be remotely upgradable, which makes the grid even more vulnerable to cyber attacks.
It is no secret that the smart grid will provide many benefits for the power sector and its customers. However, these benefits are useless without the necessary security measures. Role players should not wait for a major cyber attack to plunge a city or country into darkness. Utilities and government representatives should address customer concerns and view grid security as a priority, thereby ensuring the long-term success of the smart grid.
ENISA-Smart Grid Security: Recommendations for Europe and Member States [pdf]