Consumers and companies alike need to understand what's at stake if security is not a major consideration of the smart grid.
Both the Internet of Things (IoT) and the "smart grid" have immeasurable potential to improve our lives. However, if those building the smart grid allocate security — afterthought or no-thought — to a status similar to that of IoT devices; things could get ugly. Bad-actor issues caused by an IoT device's lack of security are a problem for sure, but not anywhere near the problem created by a hostile organization gaining control of a power-utility's network.
Companies selling smart-grid products say security is a consideration in product design. Security pundits find fault with statements like that: type smart meter hack demo into any search engine to see why.
What makes a grid smart?
Before continuing the discussion, it might be best to define smart grid. One of the better explanations can be found at Smartgrid.gov. The site defines smart grid by answering the following questions:
What makes a grid smart: In short, the digital technology that allows for two-way communication between the utility and its customers, and the sensing along the transmission lines is what makes the grid smart. Like the internet, the smart grid will use new technologies to adjust to changing loads in a more-economical fashion.
What does a smart grid do: The following would be considered features of a smart-grid infrastructure:
● More efficient transmission of electricity
● Quicker restoration of electricity after power disturbances
● Reduced operations and management costs for utilities, and lower costs for consumers
● Reduced peak demand, which will also help lower electricity rates
● Increased integration of large-scale renewable energy systems
● Better integration of customer-owner power generation systems, including renewable energy systems
● Improved security
There's that improved security again. However, no mention of how was found on the website.
NIST is paying attention
Trying to find middle ground, the Smart Grid Cybersecurity Committee of the National Institute of Standards and Technology (NIST) recently published an in-depth (600+ pages) report Guidelines for smart grid Cybersecurity that starts out: "With the implementation of the smart grid has come an increase in the importance of the information technology and telecommunications infrastructures in ensuring the reliability and security of the electric sector. Therefore, the cybersecurity of systems and information in the IT and telecommunications infrastructures must be addressed by an evolving electric sector."
This perspective is not obvious. Information technology needs to be secure for more than its own sake once the smart grid is in place. The committee also points out, "Cybersecurity must be included in all phases of the system (smart grid) development life cycle, from design phase through implementation, maintenance, and disposition/sunset."
Smart grid adds exploit vectors
The committee members have reason to be concerned that not enough is being done. The paper states cyber threats to critical infrastructure are growing and represent a serious national-security challenge. The report then outlines what committee members consider to be additional risks associated with the smart grid:
● Increasing the complexity of the grid could introduce vulnerabilities and increase exposure to potential attackers and unintentional errors
● Interconnected networks can introduce common vulnerabilities
● Introduction of malicious software/firmware or compromised hardware could cause denial of service (DoS) or other malicious attacks
● Increased number of entry points and paths are available for potential adversaries to exploit
● Interconnected systems can increase the amount of private information exposed and increase the risk when data is aggregated
● Increased use of new technologies can introduce new vulnerabilities
Power utilities need to change mindset
Pre-smart grid, the focus of utility companies had been reliability. In fact, information technology was
introduced to support and improve reliability. That, however, has not been the case.
The committee used the August 14, 2003 rolling blackout (see image to right) as an example. The report explains, "With the exception of the initial power-equipment problems, the ongoing and cascading failures were primarily due to problems in providing the right information to the right individuals within the right time period."
Strategy to develop a secure and reliable smart grid
The committee members then get down to business, stating the purpose of their report is to provide guidance to utilities, regulators, equipment manufacturers and vendors, retail service providers, and electricity and financial market traders on how they should address cybersecurity for the smart grid. That guidance is based on what is known about:
● The smart grid and cybersecurity
● Technologies and their use in power systems
● Our understanding of the risk environment in which those technologies operate
Communications, machine and human, are critical
NIST and power utilities divide the power-utility infrastructure into domains, which are groups of organizations, buildings, people, devices, and systems with similar objectives and/or offer comparable services. There are seven domains associated with the smart grid: Transmission, Distribution, Operations, Generation, Markets, Customer, and Service Provider.
The smart grid's main job is to provide communications between entities that until now were discrete silos (as shown by the 2003 rolling blackout). The slide below shows the anticipated communication flow (blue lines) and the expected electrical flow (yellow dotted lines).
The above slide furnishes an idea of who each domain communicates with. The next slide (below) is a more realistic depiction of the actual communications between different domains. It becomes apparent, that automated digital help is needed when things go wrong.
The committee's goal
As mentioned earlier, the report is over 600 pages long, and the first serious compilation of what is wrong and what needs to be done. Hopefully, members of the seven domains consider the committee's suggestions. If not, things may get scary "security-wise" once the grid gets smart.