SMART AND SECURE?: A smart grid adds a layer of cybersecurity complexity to challenges that already existed with the traditional grid.
Image: © WILLIAM BRITTEN, VIA ISTOCKPHOTO.COM
-
The Best Science Writing Online 2012
Showcasing more than fifty of the most provocative, original, and significant online essays from 2011, The Best Science Writing Online 2012 will change the way...
Read More »
Unlike the traditional power grid, a "smart" grid is designed to accommodate a two-way flow of both electricity and data. This creates great promise, including lower energy prices, increased use of renewable resources and, it is hoped, fewer brownouts and blackouts. But a smart grid also poses several potential security problems—networked meter data, power companies' computers and those of customers could all be vulnerable to tampering.
A smart grid adds a layer of cybersecurity complexity to challenges that already existed with the traditional grid. In the past, a lot of cybersecurity efforts have focused on securing the bulk transmission system—from the utility company's generating plants to its substations—because those locations are where the worst-case scenario could happen: a large regional blackout, says Don Von Dollen, a program manager at the Electric Power Research Institute (EPRI), a Calif.-based non-profit research center. The bulk transmission system remains the top security priority, but with the dawn of the smart grid, power companies now have to think more about protecting the network connections they have with individual customers' homes, he adds.
If a customer has a home area network (HAN) that links computers, appliances and other electric appliances back to the power company for real-time monitoring, the company needs to make sure the network connection to that home is secure, "so as a prank the kid next door can't turn [the customers'] lights on and off," says Von Dollen, who coordinates EPRI's smart grid activities with the U.S. National Institute of Standards and Technology (NIST), the Department of Energy and other federal agencies.
Computer hackers who tamper with smart meters could do damage that spreads far beyond a few homes. At a Black Hat technical security conference (pdf) last year, Mike Davis, a senior consultant with Seattle computer security firm IOActive, used simulations to show how one smart-meter worm could infect a community and potentially shut off power to 15,000 homes within 24 hours.
NIST steps in with recommendations but few answers
With such scenarios in mind, NIST's Smart Grid Interoperability Panel–Cyber Security Working Group (SGIP–CSWG) in February released the second draft of its Smart Grid Cyber Security Strategy and Requirements, a 305-page document the agency expects to issue formally by July. It identifies potential vulnerabilities and outlines "recommended requirements" that the North American Electricity Reliability Corporation (NERC) can choose to add to its critical infrastructure protection standards. These measures to protect the grid from cyber-tampering would be enforced by the Federal Energy Regulatory Commission (FERC).
NIST's cybersecurity group draws its recommendations from a well-rounded core of more than 400 experts, including those from the Department of Homeland Security and the Department of Defense, as well as volunteers from academia, law firms, IT and telecommunication companies, and independent security specialists. Aerospace manufacturer Boeing and network technology provider Cisco Systems each have an employee serving as vice-chair of the group.
"To be so involved with the private sector on a task like this, it's very different for NIST," says Annabelle Lee, chair of the cybersecurity group (and senior cybersecurity strategist in the agency's computer security division). "Our intent was to get people from every group that's going to have to deal with the grid, because what we come up with is going to be important for the entire country."
The NIST document includes a section (Chapter 6), for example, that underscores the need for research and development to keep pace with evolving security needs. According to the section's introduction: "Cyber security is one of the key technical areas where the state of the art falls short of meeting the envisioned functional, reliability, and scalability requirements of the Smart Grid." NIST goes on to recommend improving the security of Intelligent Electronic Devices (or IEDs), which receive data from sensors and power equipment. If these devices are connected to a computer network, as they would be in the case of a smart grid, they are vulnerable to a cyber attack that could disrupt their control of circuit breakers (one of several functions of IEDs).
The document is short on answers regarding exactly how to solve these problems. “This is a starting point. It’s meant to give high-level requirements, not solutions,” says Lee. Rather, the intent is to get government agencies, utility companies and other businesses thinking more about security problems they may not previously have considered when components of the electrical grid were not hooked up to computer networks. NIST notes in this latest draft that without R&D advances to network security, local attacks can become distributed or cascading large-scale attack campaigns.
Rights & Permissions
See what we're tweeting about
7 Comments
Add CommentGreat article. I think the cyber-security of smart grid technology is one of the most under-examined issues as we move into this brave new world of self-healing, fully integrated T/D.
Reply | Report Abuse | Link to thisthe way to do this...i hate to say is like the telecommunications industry...private channels between nodes(command and control) and open/secured for viewing....ie run a fiber line along with the high voltage line for the private channel stuff and let the tail end(use point..homes..etc) be across public.....
Reply | Report Abuse | Link to thisHow come everyone but the utility companies can figure out how to protect their company and customers? I think these utility companies are just a bunch of whinny butts. Get with it utility companies, the smart grid is coming on-line; smack yourselves up beside the head and bring your smart grid on-line.
Reply | Report Abuse | Link to thisApparently some have absolutely no idea how insecure their personal information is, as evidenced by the increasing incidence of identity theft and resulting financial theft and destruction of credit standing. It seems as though ignorance truly is bliss...
Reply | Report Abuse | Link to thisThe problem is people have no outlet for their skills. Take the russians paid in rubles, they can make a shed load from hacking in USD than they would ever make in russia.
Reply | Report Abuse | Link to thisOnly Solution: New world where money no longer exists.
Chance of happening in our life-time: Zero.
The problem...the real problem is going to get worse in a way youd really not think about. Because pipes are getting bigger and bigger and bigger and detection is based on analysing trends, honey pots, layer3 conversation analysis and much more. Since no box in the known world can record all streaming traffic at duplex 100 gb on a single pipe all you are left with is intelligent analysis. Which is great if youre watching...
There is no chance devices are watching everything all the time so only a small percentage of the total security process will actually be working at any given time.
Many of yonder years hacking was done by people who knew more than the people managing the systems. I dont see this changing. Whens the last time the IT guy was paid twice the wage of the average Manager and sent on up-to-date courses and had ample reduncany in the position to cover all IT concerns. Yes the IT guy should be paid more than the manager... the manager is managing people....the IT guy is managing the money that is used to pay the manager...etc.
m - What is that - inspiration is 90% sweat, or something. The other n% is personal motivation...
Reply | Report Abuse | Link to thisIf a customer has a home area network (HAN) that links computers, appliances and other electric appliances back to the power company for real-time monitoring, the company needs to make sure the network connection to that home is secure, "so as a prank the kid next door can't turn [the customers'] lights on and off,"
Reply | Report Abuse | Link to this---------------------------------
Why should the power company be monitoring when and what is on? Yes they can get usage statistics, but they can get that from just looking at how many kw/hrs you are using. They will be able to tell when you normally go to work and come home just by usage spikes, Criminals can use this information to know when it is a good time to rob you. This information should remain private in order to protect the consumers rights.
Big brother is watching you...