
10 ways to deal with cybersecurity in a smart grid world


Cybersecurity — the word inspires fear and has become an urgent topic of discussion in the energy world. The U.S. Department of Energy released a report this week that aims to help public and private sectors figure out ways to protect the electric grid against cybersecurity breaches.

Concerns about cybersecurity have actually grown with the deployment of smart grid technologies, which typically means using digital communication devices with common technical standards and getting rid of some analog systems so that data can flow quickly and in large volumes. This could lead to a hodgepodge of legacy and modern equipment in the transmission and distribution networks that doesn’t work well together. That also makes it difficult to implement rules and security technologies that have to perform effectively across the networks.

The report updates a previous 2006 version and includes a broader array of technologies and scenarios, such as smart meters and the need to protect consumer data collected by the meters. It also aims to encourage utilities to invest in cybersecurity measures, from employee training to developing better monitoring software. Some of the changes might require utilities to suspend part of their operations for a period of time, and that costs them money.

Key challenges and strategies:

  • Fast and furious.  Cyber threats are difficult to foresee and could change too quickly for security experts to come up with fixes.
  • Protecting the old. Security threats as we know them typically involve attacks via digital broadband networks and over computers and mobile devices. But many systems at power plants and on the grid are older and run on software designed exclusively for a particular piece of equipment, and these systems still have years left in service. It could take more time and money to come up with proper security upgrades for these machines.
  • Costing money. Testing a new communication network or control system before turning it live is a big part of deployment. But doing so could interrupt energy delivery services.
  • Let’s talk. Government and private sectors don’t do a good job trading information about security threats and solutions to minimize them.
  • Setting priorities. Utilities don’t always see a need or want to invest a lot of money on cybersecurity when they could use that money for equipment and services that will increase profits.
  • Regulatory uncertainty. Utilities spend a big chunk of their budgets on regulatory compliance. Yet because cybersecurity is a fairly new problem, regulations governing what utilities need to do are evolving. That makes it hard for utilities to draft and deploy a good plan.
  • Risk management. It’s common sense that a utility should develop best practices or rules about collecting and handling sensitive data. But coming up with a fail-proof plan is easier said than done, and it often means modifying employees’ behavior and adding to the number of tasks they have to perform.
  • Stay vigilant. Given that cybersecurity breaches are unpredictable and could lead to disastrous consequences, utilities have to evaluate and tweak their security policies regularly.
  • Find good tools. After reviewing and tweaking policies, utilities need to figure out what new measures they need to take to beef up security (this could be something like changing passwords or placing sensors to send alerts when a communication network is compromised).
  • What happens after an attack? Yes, there are more policies and even step-by-step chichi that need to be drawn up to deal with security breaches. Those policies should spell out, among other things, the types of analysis that are necessary to figure out what went wrong and how to prevent it.
Image courtesy of stebulus via Flickr

3 Responses to “10 ways to deal with cybersecurity in a smart grid world”

  1. Great commentary on the study and thanks for bringing attention to security in utilities. It is amazing how this topic has evolved from an afterthought prior to Stuxnet to a consistent discussion point within every utility. The utility executive always focuses on security in regard to systems, but for the most part has been in respect to theft. There has been a shift of focus from eliminating theft to protection from malicious attack. It is imperative that instead of focusing on NERC compliance that we look past just compliance and focus on making new systems impenetrable. With the consumer backlash faced in the industry due to some AMI programs, it is important to avoid widespread security concerns. Thank you for your attention to this important subject. For more information around smart grid security, please visit Ben Edelbrock- Infosys

  2. The report is intent on making do with the assumed outcome that the smart grid will be widely deployed.

    Study Mistake #1.

    Mistake #2 is that the most effective security measure they could implement is not even mentioned as a way to deal with cyber security and the grid:

    *keep it dumb and decentralized*

    That precludes all manner of unpredictable events *by design*.

    Remember, all the smart grid does is facilitate billing, control and monitoring.

    Is enough value and savings to the utility and ratepayer generated to offset the costs associated with the downside of damage done by cyber threats to the local economies using the tech?

    Efficiency and ‘smart meter’ driven distributed demand response and/or load shifting has yet to be demonstrated/proven, and has actually been somewhat disproved with initial studies on savings here in California.

    So, WHY again are we doing this?

    To facilitate rate increases?

    To spend stimulus money?

    To facilitate cyber attacks and ratepayer in-home surveillance tech?

    HINT: ONE big cyber attack can damage the economy more in terms of real dollars than the cost to put all these toys in in the first place…so WHY, again, are we doing this?

    To not ask these questions is the height of incompetence, but typical of what I call ‘pro-industry PR’ and ‘PR-focus studies’ which use a limited set of ‘facts’ to rationalize the ‘outcome’ you want.

    This is self-defeating, as reality WILL catch up with the distorted assumptions, with eventually disastrous and expensive consequences.

    But don’t take my word for it, cuz I’m just a dumb ratepayer.
    Hear what an Old Spook like Woolsey has to say about it:

    Remember, understanding is a three-edged sword, and sometimes the best thing to do….is NOTHING.

    • I agree with some of your points and have my own concerns about the risks and rewards of spending so much money if that in fact makes the grid more vulnerable. The report of course has to *assume* that smart grid will be widely deployed, or else how do you frame the discussion for deployment cybersecurity? It’d be stupid for a report to say, hey we don’t think there will be a smart grid but let’s talk about cybersecurity threats for smart grid.