What does it take to secure smart grids?
The interlinking of networks to form smart grids may carry added security risks, say industry watchers, who recommend authorities and owners secure these grids by applying the same principles and mindsets used to beef up infrastructure.
Debashis Tarafdar, vice president for Asia-Pacific energy and utilities research at IDC Energy Insights, told ZDNet Asia in an e-mail interview that security is probably one of the most discussed aspects of smart grids.
According to the analyst, smart grid systems are increasingly complex due to the interconnectivity of systems, smart meters and communication networks. IT also has to converge with operational systems to be able to offer visibility, monitoring and control of these grids. This convergence, Tarafdar said, raises further governance issues over the ownership and management of security responsibilities.
"The dramatic increase in the number of interconnected systems, devices, appliances, networks and organizations--all serving the smart grid--will increase the 'surface area' to launch an attack or find entry points to compromise system security," he explained. "The result will make it significantly difficult to identify and isolate loopholes that potentially pose security threats."
There are evolving standards being put in place to assist utilities, service providers and risk-assessment companies to work toward a common approach to smart grid security, he said. However, the key challenge is that there is a lack of historical data on these new and evolving technologies to effectively benchmark security vulnerabilities, the IDC analyst pointed out.
Address service issues, too
Tarafdar added that around the world, governments are concerned about the threat of cyberwarfare to the security of critical infrastructure, and this concern would extend to smart grids.
"The 2010 Stuxnet attack that damaged over 1,000 centrifuges in [an] Iranian nuclear facility last year is timely reminder of the damage that can result with a well-coordinated attack," he said. "Individual homeowners are unlikely targets of a carefully orchestrated hacking attempt."
"While due diligence is important to prevent intrusion, the consideration should, however, also be focused on the quality, reliability and performance of the services provided, and how a potential security breach, for example, denial-of-service from an interconnected network asset, affects customer service levels, and adds to the overhead."
Tarafdar added that IDC believes a large-scale security attack on a utility grid through end-devices is "unlikely", but utility groups need to implement applicable security standards "to ensure quality, reliability and performance".
Johnson Lim, executive director of Accenture's resources operating group, noted that concerns around smart grid security are multifold as the risks encompass many fronts, including fraud or the corruption of data to avoid paying for electricity; breach of privacy when customer accounts are improperly accessed; and disruption through manipulating assets on the network in an attempt to make all or part of the grid behave incorrectly.
Cyberespionage, Lim said in an e-mail, was another area of concern.
He added that a "coherent cybersecurity strategy" needs to be incorporated from the beginning of any smart grid or advanced metering infrastructure (AMI) deployment.
Security first, as well as big picture
According to Lim, the security architecture of a smart grid cannot be "bolted on as an afterthought" and must include defense-in-depth considerations. In any implementation, compliance with standards and regulations is paramount, he said, noting that when it comes to security controls, the focus should be on standardization and interoperability.
Companies should also put in place a governance structure, as well as dedicate appropriate investments to train personnel and instill a culture of security, he added.
Accenture, which is working on more than 100 smart grid and smart city projects globally, was appointed by Singapore's Energy Market Authority in September 2010 to design and implement a pilot smart grid project, known as the Intelligent Energy System (IES). The initiative comprises two phases: implementation of the enabling infrastructure will be completed in 2012, while the second phase--between 2012 and 2013--will focus on building smart grid applications. Both Accenture and EMA were unable to share the progress made since the announcement was made.
IDC's Tarafdar added that smart grid owners need to conduct an initial security assessment and periodic security assessments, as standards, business models, deployment modes and partner ecosystems are constantly evolving. At the same time, it is imperative that these assessments look at the entire system as a whole, rather than equipments in isolation, he said.
"A critical point of failure is the interconnections or handshaking points between systems and devices. Each side of the two interoperable systems need to be hardened separately, as well as any potential 'gaps' that would open up during a connected operation," he explained.
According to Claus Hansen, NXP Semiconductors' senior director for identification, smart grids need to adopt "the most advanced security technology", similar to what is used in e-passports and banking cards. All points on the smart grid, he added, should be protected with a security chip that contains a unique ID or credential and the access rights tied to the device.
Measures to safeguard the data transmission infrastructure must also be implemented, Hansen noted in an e-mail. To that end, the vendor has teamed up with Atos Worldline, part of Atos Origin, on a security architecture to secure data within the grid. The offering was unveiled in January.
"Using secure last-mile devices and authentication technology from NXP, the solution will be able to provide end-to-end security, from the smart meter to the meter data management platform, and from the smart meter to end-devices in the grid," said Hansen. "This will protect confidential information shared between the consumer and [service] provider, and prevent unauthorized and unnoticed access to this information."
He added that NXP sees "significant potential" for the identification aspect of smart grid security in the mid- to long-term. Besides Atos Worldline, the company has also collaborated with light-emitting plasma provider Luxim, on a street component authentication product.