Smart Grid Needs Strong Security Push

Thursday, November 4, 2010 @ 12:11 AM gHale

If smart grids can realize their full potential, then consumers, utilities, nations, and even the earth itself will benefit. However, the two-letter word “if” looms large: smart grids show great promise, but security weighs heavily on whether the smart grid will succeed, according to a new study entitled “Smart Grid Cyber Security” by Pike Research.
Some of the major smart grid benefits:
• Consumers can reduce their energy bills by better managing their energy usage and consuming energy at off-peak times
• Demand response and variable pricing can help flatten the peaks in energy consumption, thus reducing the need for new generation, transmission, and distribution capacities
• Utilities can more efficiently transmit and distribute power or other commodities via real-time intelligent controls and reduce usage loss or wastage in the process
• Nations can better ensure their energy security for the future by making better use of existing resources
• More efficient use of existing generation, transmission, and distribution capabilities could mean a decrease in the need for new facilities or transmission capabilities, reducing the expected carbon footprint of utilities in the future.
With benefits known, it is easy to see why governments and utilities are pursuing smart grid rollouts as soon as possible.
Meanwhile, there is no shortage of suppliers trying to help with those deployments.
As with nearly any new technology, the focus has been on getting smart grids up and running, often with no consideration for security, according to the report. The cyber security professional faces a significant installed base of business that is at risk but not secured. This promises job security for a number of security experts, but is not comforting to those who operate the networks. One bright spot is electric vehicle management, as serious security discussions are ongoing before any kind of widespread adoption of the technology.
For the purposes of the report, Pike looks at cyber security risks of smart grids via two standards: ISO 27002:2005 for information technology (IT) networks and NIST 800-82 for industrial control systems (ICS). Each standard is extremely thorough and considers a wide range of threats and vulnerabilities, including issues not always encountered, such as human resources risk and intellectual property risk. While there are overlaps in technology between IT and ICS networks, there are also significant differences.
The report identifies key issues that require attention if smart grids are to become secure. Two main issues are:
• Industrial control systems, such as supervisory control and data acquisition (SCADA), have remained relatively free from attack simply because they are isolated from corporate networks. However, with the Stuxnet attack, the attackers solved that issue by using universal serial bus (USB) drives, which do not need an Internet connection to spread, as their attack medium. Additionally, realization of the smart grid’s potential will require new interfaces between IT and ICS networks. This further erodes the isolation that has protected (or at least given a sense of protection to) ICS.
• By far the most common item is the critical need to help IT and operations teams to collaborate effectively. A few of our findings showed situations where the two are working together well, but the most common finding was IT and operations do not understand each other, nor (in many cases) do they trust each other. Each group has potential to do immeasurable harm to the other – and therefore to the grid – and it is critical that the two cooperate.
Two other trends in the smart grid cyber security market are compliance and situational awareness.
Compliance has become a full-fledged offering on its own that will draw inputs from cyber security, but it is no longer an offering within the cyber security product line, according to the report.
Situational awareness appears to be replacing event correlation as utilities become more interested in understanding events in real time, rather than after-the-fact analysis.
Some additional issues, according to the report:
• Stronger identity management
• Multi-factor authentication on powerful consoles
• Computer incident response
• Change management, asset management, and configuration management
• Business continuity planning
• Defense-in-depth for IT and ICS networks
• Stronger security on SCADA control systems
• More secure interfaces between IT and ICS networks
• Video monitoring capabilities for substations and control rooms
• End-to-end encryption of data from the HAN to the utility central site
• Need to prevent worms from spreading through smart meters
• Stronger cyber security software on smart meters
• Resiliency throughout the advanced metering infrastructure (AMI)
• Data integrity for electric vehicle recharging transactions
• Data privacy for electric vehicle billing data and recharging transactions
