Smart grids raise risk of cyberattack, says US expert

The complex and distributed nature of smart grids means that energy infrastructures present more points of entry to hackers, according to a US Department of Energy expert
Written by Tom Espiner, Contributor

Smart electricity grids present information security problems for critical national infrastructures, especially for the US, according to a technology expert from the US Department of Energy.

National energy infrastructures are open to attack because the devices on the smart grid that control energy provision are becoming increasingly intelligent and autonomous, according to Patrick Ciganer, director of the US Department of Energy's transparency initiative. These systems management "node" devices are also connected to the internet, which adds to the risk, he said.

"We've developed extremely robust devices and distributed the decision-making process — and that is part of the problem," Ciganer told the AFCEA Conference on 'Integrating cyberspace into battlespace' on Thursday. "Instead of decisions being centralised, we have smarter [nodes] out in the field, making decisions based on rules... with discrete interface and instruction capabilities."

In the past, energy grids in the US have been separate, and each one has had its own internal supervisory control and data acquisition (Scada) system. These Scada systems are based on 1960s-era technology and often perform relatively simple functions, such as turning a turbine up or down.

The arrival of the smart grid, with nodes and linking of previously isolated grids, has added complexity to the set-up. This has led to security vulnerabilities and heightened the risk of attack, according to Ciganer.

"One of the reasons nothing really catastrophic has happened — and it's not been for want of trying over the past decades — is the distributed nature of the grid," he said. "Now there is the potential, given enough time, smarts and money, to bring systems down."

Growing use of sustainable energy has also brought more information security challenges, as solar power and wind energy have greater distribution needs, Ciganer added. In the US, for example, most of the solar-power generators are in the south-west, most of the wind masts are in the north-west, but most of the population is on the coasts, he said. This means the energy generated has to be distributed over a wider area than that generated locally by fossil fuel, adding complexity to the system.

As a result of these factors, US government systems are seeing a higher number of attempted intrusions, according to the expert.

"It's constant. Everybody's trying to get in," Ciganer told ZDNet UK. "The Department of Energy is one of the choice organisations for potential intrusion. So is Nasa and the Department of Defence."

The interconnectedness of smart grids, coupled with internet-facing nodes, means that "anyone, anywhere can find a way" into the grid, said Ciganer. Criminals, nation states, supra-national organisations and insiders could all disrupt service, he added.

However, intrusions are unlikely to result in complete electricity blackouts, as energy systems have failover states, he noted. "They have a lot of back-ups — it's not binary, things don't just go black," he said.

Ciganer also noted that threats against the energy grid are evolving, citing the example of the Stuxnet malware attacks against critical infrastructure and plants. Stuxnet combines attacks based on four zero-day vulnerabilities with rootkit-like abilities, and it targets Siemens Scada systems running on Windows, with the aim of giving hackers control of those systems.

"This is the dawn of a new era; [Stuxnet] is a harbinger," said Ciganer. "We've looked at it, the US government has looked at it, the US co-ordinated cyber-command has looked at it — it's a different paradigm."

In a speech at the AFCEA Conference, F-Secure chief research officer Mikko Hypponen echoed that remark, saying that Stuxnet was "a game changer". "Whoever was behind Stuxnet had astonishing resources," he said. "They had the money, know-how and resource capabilities to pull it off."
