Security Experts:

How to Make the Smart Grid Smarter than Cyber Attackers

Smart Grid Security - Utilities Must Address Several Pressing Security Concerns and Establish a Strong Cyber Security Framework, or the Benefits of the Smart Grid Will Remain a Promise, not a Reality.

As the United States and other countries prepare for the transition to a smarter electrical grid, there’s great reason to be optimistic about its promise: consumers would be given more insight into their energy usage, costs to the utility and their customers will drop as the system becomes more efficient and most importantly, we’ll conserve resources as we reduce the amount of wasted energy.

Making the Smart Grid Smarter Than Cyber AttackersBut there’s also reason to be cautious and concerned about the threat of cyber attacks that such a system could become vulnerable to. As utilities transform from simple one-way power grids to complex, bidirectional smart grids, they will soon be passing sensitive consumer information about identity and usage patterns over their networks. They must undergo a significant transformation in order to secure such a network from attacks. There are a number of characteristics of a smart electrical grid that make the system vulnerable to unhappy employees, angry customers, foreign agents or hackers without any apparent motives:

Two-way communications. While there are great benefits to be had from giving a utility and a customer the ability to communicate and share information, it also makes the system vulnerable to attack.

Customer usage data. The information shared over the network is inherently sensitive, raising privacy and personal security concerns.

Smart meter devices. These devices will be derived from various manufactures with varying levels of security built in, making it a challenge to standardize security practices.

Distributed connectivity. As smart meters and other networked devices multiply and spread across vast geographic areas, the boundaries of the network will expand and become more difficult to secure.

Authentication and access controls. As more and more customers, suppliers and contractors gain access to the network, the risk of identity theft increases.

Lack of proper employee training. This will only increase the likelihood of insider threats and lapses.

Lack of standards and interoperability. Again, this presents the potential for gaps in visibility, defense and recovery.

These threats are so real that the United States has declared its digital infrastructure a strategic asset and made cyber security a national security priority. Britain has set similar policies, and security chiefs there have called upon Prime Minister David Cameron to press companies responsible for critical electrical infrastructure to allow their government's electronic spy agency to monitor for hackers. Experts in Canada are now pushing for similar action.

But government regulation and pressure won’t be enough. Utilities have to take significant steps to secure their networks in advance.

In fact, Pike Research estimates that by 2015, utilities will spend $21 billion, or 15 percent of total smart grid capital investment, on securing their networks. And for good reason. As utilities set out to secure their networks, it’s critical that they focus on four key issues:

Defense. The system’s security architecture must be applied across the entire enterprise and deployed using widely adopted global practices. In the past, most applications at a utility were not necessarily built with security in mind, so many existing legacy applications will likely need to be reengineered or secured. Moving forward, commercial, off-the-shelf applications must be evaluated for their resistance to threats and their ability to process and handle sensitive information over the course of their entire lifecycle. Of course, rigorous testing will become essential, especially when it comes to identity and access management.

Proactive monitoring will also be critical. Utilities will need to gather cyber intelligence and constantly monitor downstream activities to spot back door vulnerabilities that might have been missed by point compliance and checklists. They should also be looking for complex patterns that often indicate the initiation of an attack, and expand the scope of standard vulnerability assessment or penetration tests. They should also take advantage of outside sources of threat intelligence and try to detect reconnaissance activity by likely attackers, which could include disgruntled employees, hackers, or third parties looking to escalate their privileges to the network.

Challenges of Smart Grid SecurityThe last defensive measure utilities should consider is closely monitoring the useful data generated by application vulnerability scanner results, event management reports, security information, and intrusion detection system threat engines. These sources can help prevent attacks or mitigate their effectiveness, and merging the data they produce together will help form an operating picture whose sum is much greater than its parts.

Standardization. Utilities must constantly assess their systems for points of risk and put in place security features gradually. A prerequisite for the security of smart grids is the interoperability of various security controls as well as compliance with standards and regulations. No utility – let alone an end user - will be able to choose a device and expect it to work on a smart grid network without interoperability, which will require some set of standardized testing.

Regulation also must be standardized immediately. Lawmakers and regulatory agencies must collectively take a tough stand when it comes to enforcing security standards for utilities and punishing those who violate those standards.

Governance. At many utilities, it’s often unclear what department is responsible for oversight or accountability for cyber security and data protection. In some cases, this responsibility is supposed to be shared between various functions. For example, the chief information officer might be charged with maintaining IT and data security, the chief security officer will set policies and procedures and the general counsel is asked to ensure the organization complies with regulations.

This type of fragmented responsibility often leads to breakdowns, where ownership of critical security issues is often pushed from one department to the next.

This becomes a particularly alarming technology management issue in the utility industry, where the corporate IT team usually manages only their own enterprise IT systems, including finance, email and human resources. Management of the electrical grid itself is often left up to field operations and engineering staff. This kind of system separates those who understand networking and information security from those who manage the electricity network. Such a gap will need to be closed as utilities transition to the smart grid.

Education. Unless consumers are convinced that their personal data is safe, utilities will face significant resistance to smart grid adoption. Just as banks focused on rigorous educational programs when automated teller machines were first introduced, utilities need to teach smart grid security skills and awareness programs to all employees, focusing their attention on the importance of security.

The smart electrical grid promises to change the face of the utility industry forever and enable efficiencies and consumer conveniences that will change the way we live for the better. But it will remain a promise, not a reality, unless utilities address these pressing security concerns and give consumers the confidence that a strong cyber security framework is in place to protect their personal data.

Related Content: Smart Power Grids a Prime Target in Cyber Warfare

Related Reading: The Increasing Importance of Securing The Smart Grid

Related Content: Stuck on Stuxnet - Are Grid Providers Prepared for Future Assaults?

view counter
Dr. Alastair MacWillson is the global managing director of Accenture’s global security practice. Prior to joining Accenture in 2002, Dr. MacWillson was the global leader of the technology consulting practice in PricewaterhouseCoopers. Dr MacWillson has acted as an adviser to a number of governments on technology strategy critical infrastructure protection, cyber security and counter terrorism and has sat on related committees for the US and UK governments, the European Commission and the United Nations. Dr. MacWillson has a B.Sc. in Physics, postgraduate diplomas in Computer Science and Digital Imaging, a Ph.D. in Theoretical Physics, and a D.Phil in Cryptographic Integrity.