State of the smart grid
Most consumers are not connected to the smart grid today, but that is expected to change dramatically during the next three years, thanks in part to $3.4 billion in smart grid investment grants from the American Reinvestment and Recovery Act (aka the 2009 Stimulus Act).
By the end of 2009, more than 13.6 million smart meters were already installed in the United States, and that number could reach 23 million by the end of 2010, according to research firm Parks Associates. Pacific Gas & Electric says it installs 15,000 smart meters each business day and has deployed 2.7 million electric smart meters so far. By mid-2012, the company expects to have 9.8 million smart meters installed, covering its entire customer base, says PG&E spokesman Paul Moreno. About 60 percent of those will be electric meters (the rest will be gas meters).
More data, more danger
Joshua Pennell, IOActive's president, has mixed feelings about the state of smart-grid security. He is encouraged by the work NIST and other groups have done to assess security issues, and he notes that some smart-meter manufacturers have stepped up their devices' security features when vulnerabilities are exposed. But in the race to use stimulus money for smart-grid projects, not all companies proceed with caution, Pennell says, adding, "It's like releasing autos onto freeways without clear safety guidance."
Part of the problem is that connecting different parts of the electrical grid together over a network will lead to a massive influx of data. "We're collecting more data at more parts of the grid, in real time," says Gal Shpantzer, an information security consultant in the Washington, D.C., metro area who is part of NIST's working group. He serves on the privacy subgroup—one of eight subgroups within SGIP–CSWG. "It becomes more complicated to secure."
To illustrate the potential problem: synchrophasors (which measure voltage, current, and other data that indicate grid stability) will stream information about power supplies into central data centers approximately 30 times per second. That is significantly more data than conventional sensors provide, since they tap information from the grid every four seconds.
This constant flow of information to and from the grid could also help smart-grid hackers more easily monitor their attacks and determine whether they are successful. "If I'm able to see that stream and understand what's going on, then I'm able to remotely monitor how my attack is performing, essentially," Shpantzer says. "It gives attackers the ability to see in real time what's going on, and how their attack is working, and then optimize it."
Anyone who thinks federal agencies are immune to such concerns, that they have some special power plant that they are hooked up to, should think again, Shpantzer adds. "Certainly they have more disaster recovery capacity than the average small business, because they have generators…but there is no government power grid. So the feds are also dependent on that same power grid that you and I are."