Are we really thinking enough about smart grid security?

By | April 29, 2011, 4:04am PDT

Some new data from Pike Research suggests that spending on cybersecurity measures for the smart grid will reach $1.3 billion by 2015. The researchers are calling for a 62 percent increase between 2010 and 2011 alone. But personally speaking, I think that sounds far short of where it should be, considering the many billions of dollars being spent on smart grid infrastructure holistically and the very real exposure that the smart grid could mean in terms of privacy and data loss.

In discussing the data, Pike Research senior analyst Bob Lockhart said:

“Smart grid cybersecurity is significantly more complex than the traditional IT security world. It is a common misperception that IT networks and industrial control systems have the same cybersecurity issues and can be secured with the same countermeasures. They cannot. To successfully secure the electrical grid, utilities and their key suppliers must design solutions that effectively bridge the worlds of information and operations technology.”

What exactly are we up against? A few weeks ago, I spoke about smart grid cybersecurity with Datta Godbole, a Honeywell director of research and director for the company’s Automation and Control Solutions (ACS) Labs group. According to Godbole, there are three primary concerns that we should all have when it comes to smart grid security:

  1. The need to secure customer data. That’s because the information that is collected about people’s energy use could inadvertently be used to reveal details of a person’s private life — such as whether or not they are home, or likely to be, at a given time of day.
  2. The need to secure the grid itself. This relates to management aspects, such as making sure the grid is stable, automating demand response requests, and protecting the physical infrastructure of the utility delivery system (it doesn’t matter whether the utility in question is delivering water or electricity).
  3. The need to protect transmissions and communications. This refers mainly to communications between substations and the central transmissions equipment. Think of this as the “data in motion” part of the security equation.

Godbole suggests that those piloting smart grid projects — or building them out into commercial implementations — need to pay more attention to security during the design and architecture phase rather than handling it as a patchwork of technology that is applied as an afterthought. “We have this great opportunity to design these systems from the ground up,” he says.

He said another major consideration should be the upgradability of the technology in question: Do the metering or sensor devices in question, for example, have enough processing power and memory to handle improved encryption?

If you’re worrying about smart grid security, then you are following the work on security standards being done by the National Institute of Standards and Technology, through the Cyber Security Working Group (part of the Smart Grid Interoperability Panel). The group finalized an initial set of security guidelines last fall. The Federal Energy Regulatory Commission is also involved in the development of smart grid security.

The focus of those guidelines is on assessing risks, dealing with privacy issues for personal residences, and protecting from “attacks, malicious code, cascading errors and other threats.”

Said George Arnold, NIST’s national coordinator for Smart Grid Interoperability:

“These advisory guidelines are a starting point for the sustained national effort that will be required to build a safe, secure and reliable smart grid. They provide a technical foundation for utilities, hardware and software manufacturers, energy management service providers, and others to build upon. Each organization’s implementation of cybersecurity requirements should evolve as technology advances and new threats to grid security arise.”

The thing is, though, the U.S. General Accounting Office (GAO) issued a report in January 2011 suggesting that while these guidelines are a good start, they missed one very key thing: “addressing the risk of attacks that use both cyber and physical means.” The other big thing to realize is that these guidelines are voluntary. Yep, they are suggestions.

These two concerns are in the process of being addressed by NIST and FERC, but the fact is that the smart grid is uncharted territory.

The trouble is that, as with information security, we seem to be very blasé about security design until after the fact. Meaning that it takes some sort of incident for us to get on the ball. So far, many of us have sort of pooh-poohed the many smart meter security breaches that have been reported from trials.

But the fact that many people regard smart grid security as a much bigger challenge than information technology security — maybe they mean philosophically and not technically — means we should pay much more attention to what is going on.


Heather Clancy is an award-winning business journalist with a passion for green technology and corporate sustainability issues.


RE: Are we really thinking enough about smart grid security?
kcredden2 12th Jun
Honestly, putting the utility system ON the net is an incredibly stupid idea; especially on Internet 1. Internet 2 may be more secure. My office does confidential work for people and companies. Because of the companies that write software, the programs are Windows ONLY. So NOT ONE OF OUR 2 WINDOWS SYSTEMS IS ON THE NET PERIOD! We use flash drives to move the files to our Linux systems for transmitting. We can't of course encrypt those files for transmission but at least we don't have to worry about a cracker getting into our Windows systems that we're forced to use and stealing our confidential data.

The point is, you cannot have a system on the net and not expect someone to eventually break into it.

Now we're setting up our power grid for a major cracking incident. I can see a rogue nation coming in, and blacking out New York for days or weeks. Going into Hoover Dam, and opening the flood gates to flood all the towns and cities below.

If the grid wasn't all interconnected, it wouldn't be as bad. But yes, they /have/ to have the grid all connected so one thing will affect huge areas.

I've said before, corporations are setting the U.S. up for a major fall. I've read that MS threw a fit when the government said they were switching one of their offices (I think the IRS but I can't find the data) to Linux. Then I hear that most of the utility companies run internet-connected MS server OSes? Uh, hello McFly!!!

Maybe when someone cracks into those servers and wreaks havoc, will the government show a spine and do the right thing.
0 Votes
RE: Are we really thinking enough about smart grid security?
CriticalInfrastructure Updated - 29th Apr 2011
To Mr. Lockhart's statement:
The electric grid is only different in one way, namely, that it operates in real time. In every other way, the problems faced by smart grid have already been addressed by other real-time industries, like telecommunications, or financial trading. The exact same technologies still apply, and the exact same principles still apply. The major problem with ensuring comprehensive security of the electric grid is related to interoperability. The prevalence of proprietary protocols and systems prevents security technologies from reaching entitlement. The industry needs to focus on ensuring that devices from a non-homogeneous set of vendors can operate securely together using well-established security technology that already exists today.

To Mr. Godbole's points:
1) Need to secure customer data: This need has always existed. Smart Grid does not change this. The FTC has tried to regulate this to some extent with the Red Flag rules and the utilities successfully negotiated themselves an exception. Conversations with law enforcement will tell you pretty quickly that a criminal isn't going to hack your smart meter to see if you're home. He'll watch your house or read the Facebook or Twitter statuses that kindly tell him your status with no hacking required.
2) The need to secure the grid itself: Again, this need has always existed, the Smart Grid does not change this. The communication paths being used by the smart grid in many cases already exist today. All that is changing is the number of devices that will be attached to those communication paths. Does this increase the risk? Absolutely. But the same issues exist today as will exist tomorrow. The electric grid is only as secure as the padlock on the door to a transmission or distribution substation.
3) The need to protect transmission and communications: AGAIN, this need already exists. Smart Grid does not change this.

It is disingenuous to imply that the electric grid needs these things because of smart grid. It has always needed those things, and will continue to need those things. The insistence of experts that the smart grid is somehow ignoring security, or that the people working on it are failing to address it, is frankly, insulting to the hundreds of people working on this problem in the NIST, IEC, and IEEE organizations dedicated to the challenge, as well as the skilled expertise present within the electric utilities themselves.
0 Votes
The Number of access points with WIRELESS smart meters makes the entire system a nightmare.

NIST, IEC and IEEE are all associations that serve those that get huge $$$ from these unnecessary Tech scams that are at the expense of utility customers and taxpayers, not like GE, that earns $ Billions and pays NO tax. By the way - GE manufactures the Wireless smart meters - what a coincidence.
One issue is that the smart meters, which are on the utility's private network and are used to tune power provisioning, are on people's houses where they can get at them. And there are enough grow-ops and other people wanting to steal power that people are going to try. In the second generation, with smart appliances that can schedule power usage to help balance the system, there's even more potential exposure. But yes, security is being considered.