The security of the smart grid is going under the microscope this week. As Patricia Hoffman, the acting assistant secretary for the Department of Energy’s Office of Electricity Delivery and Energy Reliability said in a testimonial last week, the DOE may refuse to hand out smart grid stimulus funds to an otherwise promising project if that applicant can’t prove that the project has addressed cyber security concerns. Well, we should hope so — if we learned anything from the buildout of the Internet it’s that networks that have sophisticated connections will have increasingly sophisticated hackers.
The mainstream media is picking up the story this week, but the Washington Post adds a spin of its own and says utilities have to prove security to get the funds, “as they move to link nearly all elements of the U.S. power grid to the public Internet.” I disagree with that statement — it’s not that all elements of the U.S. power grid will end up connected to the public Internet, it’s that the power grid is creating its own form of Internet, which needs the same type of security requirements as the Internet. It’s still unclear to me whether utilities will end up embracing the Internet and chose to link “nearly all” or even just some of the power grid to the Internet.
Utilities that are building out their own wireless networks to monitor smart meter data and process it back at their data centers, sometimes only connect with the public Internet when it comes to presenting that data back to the customer through a web portal or broadband-enabled device. Other utilities are embracing the Internet more whole-heartedly at the consumer level, but deeper in the smart grid, at the distribution, transmission and substation level utilities don’t need to connect with the public Internet at all. Regardless they do need to make the network secure at all spots.
Expect more attention on how smart grid vendors and utilities are falling short on security via the famous hacker convention Black Hat, which this week will feature several security experts presenting on the smart grid in Las Vegas. In one talk, a computer security exec from IOActive plans to show off a worm the team created for smart meters. I’ve talked to the IOActive folks recently and they talk about smart meters as if they’ve got the security requirements of computing systems back in the ’80s: unsophisticated and easily hacked. As the Washington Post points out correctly, the smart meter is often “the weakest [security] link in the smart-grid chain.”
The biggest barrier to adding more security to the smart meter, from the perspective of the manufacturer and the utility is the upfront cost. Each meter already costs several hundred dollars and additional security functions will just continue to boost that sticker shock. But at the end of the day, it will cost considerably more to add on security functions after the smart grid is already built out, compared to weaving security into the network as it’s built. IOActive execs recently wrote:
Studies show that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development cycle, as opposed to projects where security is implemented in the design phase.
Considering the overall cost and the fact that the DOE could withhold stimulus funds in lieu of proof of security, we’re thinking the utilities and tech vendors won’t raise a stink over the security requirements. We just hope the DOE is able to accurately assess the projects when it comes to security.
Image courtesy of Tom Raftery and Flick Creative Commons.