The energy information that will be unleashed by the digital technologies of the smart grid is valuable. That’s why companies and policy-makers are pushing so hard to add infotech to our electrical system. But that information is also valuable to people who could use it with ill intent — to disrupt the power grid, for example, or steal personal information.
Worried? Don’t fret too much. The Department of Energy and the National Institute of Standards (NIST) are taking the subject seriously. NIST recently released a smart grid security document that’s twice as long (over 200 pages) as the group’s overall smart grid industry roadmap, and the DOE has said it won’t hand out stimulus funds to otherwise strong smart grid projects unless security is addressed in them. Here are 10 important things to know about security for the smart grid:
Security Added in Later is Costly: Internet security experts have been pretty clear about the fact that adding on security functions to the smart grid after the architecture has already been rolled out will be considerably more expensive than if security is folded in from the very beginning. Security consultants at IOActive recently wrote: “Studies show that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development cycle, as opposed to projects where security is implemented in the design phase.”
It’ll Be A Big Business: There’s another reason that computing security and information technology companies are talking a lot about smart grid security — it’ll be a sizable industry. Last week computing giant Hewlett-Packard launched its Smart Grid Security Quality Assessment (SGSQA) service, which will provide auditing and testing of security services and is based on tools that HP uses to test its own software. Consultants like IOActive will also make some nice sales off of teaching utilities and power companies about how to keep their assets safe.
Two-Way Networks Mean More Risks: The very nature of adding digital intelligence and two-way functionality to the power grid will increase the risk of cyber attacks and vulnerabilities. As the NIST smart grid security document explains, more endpoints and more interconnected networks mean more ways for security problems to get in and proliferate. But that said, the power grid — like everything else — needs to go digital, not just to combat climate change but to create more efficient operations. And as long as the industry builds the smart grid to prepare for these security concerns, the problem is manageable.
It’s Already a Problem: Don’t think this is an issue that is far in the distant future. According to Ian Watts, head of energy and utilities at British security firm Detica, the 40 million smart meters that have already been installed globally “have seen a number of security breaches,” including “insecure meters, hacking of customer details, denial of service attacks and suspected infiltration by foreign intelligence services.”
It’s Just Digital Security: We’ve seen this before. Smart grid security is very similar to keeping other important digital functions secure, like electronic voting systems, online banking and ATMs, personal information on cellphones and laptops, and of course the Internet and phone company networks, points out Steve Brain, an analyst with metering firm Meter-U. And as the NIST document explains: “IT and telecommunication sectors will be more directly involved. These sectors have existing cyber security standards to address vulnerabilities and assessment programs to identify known vulnerabilities in these systems.”
Smart Grid Security Has Even More Standards: While NIST has been busy identifying 77 standards for the smart grid, it has found at least five standards that are directly related to smart grid security. Those include standards from NERC, IEEE, AMI System Security Requirements, UtilityAMI Home Area Network System Requirements and IEC standards.
It’s a Work In Progress: NIST established the Cyber Security Coordination Task Group (CSCTG), which is made up of 200 volunteers from private companies and the public sector, and published the first draft (already a 236-page tome) of smart grid security requirements earlier this month. NIST is taking public comments and will craft a new version to be published by December 2009. Then the final document is supposed to come out in March 2010.
Utilities Need Much Better Privacy Safeguards: A NIST group looked at privacy policies for utilities and found that state utility commissions often lack formal privacy policies related to the smart grid, and if the state does have privacy laws, they often aren’t specific to utilities. In response to these findings, NIST suggested these steps to ensure consumer privacy: 1) Appoint personnel to ensure privacy practices exist and are followed; 2) Explain clearly to consumers what data is collected and why; 3) Give consumers choices about the collection of their data and get consent; 4) Don’t collect more data than needed; 5) Only use the data for the purpose for which it was collected; 6) Show consumers the data that is being collected and enable them to correct it if need be; 7) Protect data from security vulnerabilities.
The Smart Meter As the Pain Point: At the Black Hat security conference, IOActive’s Mike Davis showed how smart meters could be the most vulnerable area of the smart grid because they’re cheap, accessible and — in a word — hackable. Using a simulation of a worm, Davis showed how a smart meter could be hacked to spread a worm from meter to meter, which could cause a power grid surge or shutoff.
Different Places on Grid Have Varying Vulnerability: The NIST group plotted out piece-by-piece how vulnerable each section of the grid is and what could happen to it under a security threat. Check out pages 18 to 32 for this interesting info.