White House smart grid framework short on cybersecurity details

Editor's Note: Post updated to include link to PwC report.

Seriously jealous of TechRepublic Editor-in-Chief Jason Hiner, who was on hand today in Washington, D.C., at the latest White House hoo-hah over the U.S. fed role in the smart grid buildout. As Jason reports, there was no shortage of folk on hand to hear about the National Science and Technology Council's latest report on the grand plan to transform the electric grid in its manifesto, "A Policy Framework for the 21st Century Grid: Enabling Our Secure Energy Future."

In the note preceding the report, the Obama administration describes the development of this new technology as "essential to America's ability to lead the world and create jobs in the clean-energy economy of the future." So far, it has invested almost $4.5 billion in economic recovery funds related to the smart grid's development. That money, in turn, has inspired at least that much in private sector funding.

The new framework released today isn't so much a pledge of lots more money as it is a pledge to support the smart grid's development through private-public cooperation -- including a focus on getting more consumers in touch with what is going on. Which, if you read my post about interest in home energy management technology from late last week, you will know is an issue. Most U.S. consumers today aren't all that eager to invest in smart meters, smart grids or anything that can't be shown to have serious money-saving potential.

For the record, I happen to believe that making the way we deliver utilities of all sorts -- electricity, water, gas, Internet access -- is crucial to our future and that a smart grid made possible through smart application of information technology is critical for that. I also happen to be really concerned about one element that continues not to get enough focused attention: security.

Sure, the report covers security. There is a call for cybersecurity in the introductory letter signed by the co-chairs -- U.S. Chief Technology Officer Aneesh Chopra, U.S. Chief Information Officer Vivek Kundra and the National Economic Council's Senior Advisor for Technology and Innovation Phil Weiser. But the chapter on cybersecurity is only two pages out of more than 100. Sure, privacy gets a section, too, but seriously? Two pages? On the same day that the U.S. Senate is hacked -- the latest in an unprecedented barrage of cybersecurity incidents -- the government doesn't have more to say about security?

In that chapter, the feds commit to this key action, describing the unique natures of smart grid security threats such as the failure of communications technologies needed to communicate information in real time and the uncertain life expectancy of some of this sophisticated equipment. The report notes: "The federal government will continue to facilitate the development of rigorous, open standards and guidelines for cybersecurity through public-private cooperation. Cooperation between stakeholders can help identify and address the diversity of cyber risks the electric power sector faces. The Federal government will support the continuing evolution of those standards and guidelines to keep pace with the threat."

To be fair, the administration does call cybersecurity one of the key pillars to an effective smart grid plan. In the concluding section of the document, here is its last priority:

"Secure the Grid: Protecting the electric system from cyber attacks and ensuring it can recover when attacked is vital to national security and prosperity. Developing and maintaining threat awareness and rigorous cybersecurity guidelines and standards are keys to a more secure grid."

I'm just concerned that there isn't more detail. Do we really have to wait for an attack for people to get serious?

I also found it sweetly ironic that the other smart grid report to land in my inbox over the past few days is an analysis from PricewaterhouseCoopers (PwC) called "Getting real about cyber threats: where are you headed." The subtitle of the report reads "Energy, utilities and power generation companies that understand today's cyber threats will be in the best position to defeat them."

The PwC report is pretty straightforward about the impact of a smart grid breach. It notes:

"In light of the fact that smart grid systems collect valuable data about utilities and power customers, legacy privacy and security issues take on a new and perplexing dimension. Computerized smart meters are typically connected to large networks needing protection with a rigorous suite of security protocols against malware infiltration, physical tampering or data snooping. A security breach could result in unauthorized access to energy usage data or the corruption of smart meter settings, with the goal of disrupting power delivery to a single customer, neighborhood or entire city."

The report also offers examples of attack "indicators," such as unexplained outbound data transmissions, unusual connections between internal computers, log entries on domain controllers and so on.

The point is that we can't afford to let security be an afterthought when it comes to the smart grid, and PwC suggests utility and energy executives need to make this a competitive priority. Now.

OK, so the smart grid isn't here yet, and will take some years to emerge. But don't you think security should emerge at the same time?
