Are we really thinking enough about smart grid security?

Some new data from Pike Research suggests that spending on cybersecurity measures for the smart grid will reach $1.3 billion by 2015. The researchers are calling for a 62 percent increase between 2010 and 2011 alone. But personally speaking, I think that sounds far short of where it should be, considering the many billions of dollars being spent on smart grid infrastructure holistically and the very real exposure that the smart grid could mean in terms or privacy and data loss.

In discussing the data, Pike Research senior analyst Bob Lockhart said:

“Smart grid cybersecurity is significantly more complex than the traditional IT security world. It is a common misperception that IT networks and industrial control systems have the same cybersecurity issues and can be secured with the same countermeasures. They cannot. To successfully secure the electrical grid, utilities and their key suppliers must design solutions that effectively bridge the worlds of information and operations technology."

What exactly are we up against? A few weeks ago, I spoke about smart grid cybersecurity with Datta Godbole, a Honeywell director of research and director for the company's Automation and Control Solutions (ACS) Labs group. According to Godbole, there are three primary concerns that we should all have when it comes to smart grid security:

1. The need to secure customer data. That's because the information that is collected about people's energy could inadvertently be used to reveal details of a person's private life -- such as whether or not they are home at a given time of day. Or likely to be so.
2. The need to secure the grid itself. This relates to management aspects, such as making sure the grid its stable, automating demand response requests, and protecting the physical infrastructure of the utility delivery system (doesn't matter whether the utility in question is delivering water or electricity).
3. The need to protect transmissions and communications. This refers mainly to communications between substations and the central transmissions equipment. Think of this as the "data in motion" part of the security equation.

Godbole suggests that those piloting smart grid projects -- or building them out into commercial implementations -- need to play more attention to security during the design and architecture phase rather than handling it as a patchwork of technology that is applied as an afterthought. "We have this great opportunity to design these systems from the ground up, he says.

He said another major consideration should be the upgradability of the technology in question: Do the metering or sensor devices in question, for example, have enough processing power and memory to handle improved encryption?

If you're worrying about smart grid security, then you are following the work on security standards being done by the National Institute of Standards and Technology, through the Cyber Security Working Group (part of the Smart Grid Interoperability Panel. The group finalized an initial set of security guidelines last fall. The Federal Energy Regulatory Commission is also involved in the development of smart grid security.

The focus of those guidelines are on assessing risks, dealing with privacy issues for personal residences, and protecting from "attacks, malicious code, cascading errors and other treat."

Said George Arnold, NIST's national coordinator for Smart Grid Interoperability:

"These advisory guidelines are a starting point for the sustained national effort that will be required to build a safe, secure and reliable smart grid. They provide a technical foundation for utilities, hardware and software manufacturers, energy management service providers, and others to build upon. Each organization's implementation of cybersecurity requirements should evolve as technology advances and new threats to grid security arise."

The thing is, though, the U.S. General Accounting Office (GAO) issued a report in January 2011 suggesting that while these guidelines are a good start, they missed one very key thing: "addressing the risk of attacks that use both cyber and physical means." The other big thing to realize is that these guidelines are voluntary. Yep, they are suggestions.

These two concerns are in the process of being addressed by NIST and FERC, but the fact is that the smart grid is unchartered territory.

The trouble is that like with information security, we seem to be very blase about security design until after the fact. Meaning that it takes some sort of incident for us to get on the ball. So far, many of us have sort of pooh-poohed the many smart meter security breaches that have been reported from trials.

But the fact that many people regard smart grid security as a much bigger challenge than information technology security -- maybe they mean philosophically and not technically -- means we should pay much more attention to what is going on.