(Photo credit: iStockphoto)
Smart grid security--utilities must address several pressing security concerns and establish a strong cyber security framework, or the benefits of the smart grid will remain a promise, not a reality.
As the US and other countries prepare for the transition to a smarter electrical grid, there's great reason to be optimistic about its promise: Consumers would be given more insight into their energy usage, costs to the utility and their customers will drop as the system becomes more efficient and most importantly, we'll conserve resources as we reduce the amount of wasted energy.
But there's also reason to be cautious and concerned about the threat of cyber attacks that such a system could become vulnerable to. As utilities transform from simple one-way power grids to complex, bidirectional smart grids, they will soon be passing sensitive consumer information about identity and usage patterns over their networks. They must undergo a significant transformation in order to secure such a network from attacks. There are a number of characteristics of a smart electrical grid that make the system vulnerable to unhappy employees, angry customers, foreign agents or hackers without any apparent motives:
- Two-way communications. While there are great benefits to be had from giving a utility and a customer the ability to communicate and share information, it also makes the system vulnerable to attack.
- Customer usage data. The information shared over the network is inherently sensitive, raising privacy and personal security concerns.
- Smart metre devices. These devices will be derived from various manufactures with varying levels of security built in, making it a challenge to standardise security practices.
- Distributed connectivity. As smart metres and other networked devices multiply and spread across vast geographic areas, the boundaries of the network will expand and become more difficult to secure.
- Authentication and access controls. As more and more customers, suppliers and contractors gain access to the network, the risk of identity theft increases.
- Lack of proper employee training. This will only increase the likelihood of insider threats and lapses.
- Lack of standards and interoperability. Again, this presents the potential for gaps in visibility, defence and recovery.
These threats are so real that the US has declared its digital infrastructure a strategic asset and made cyber security a national security priority. Britain has set similar policies, and security chiefs there have called upon Prime Minister David Cameron to press companies responsible for critical electrical infrastructure to allow their government's electronic spy agency to monitor for hackers. Experts in Canada are now pushing for similar action.
But government regulation and pressure won't be enough. Utilities have to take significant steps to secure their networks in advance.
In fact, Pike Research estimates that by 2015, utilities will spend US$21 billion, or 15 percent of total smart grid capital investment, on securing their networks. And for good reason. As utilities set out to secure their networks, it's critical that they focus on four key issues:
Defence. The system's security architecture must be applied across the entire enterprise and deployed using widely adopted global practices. In the past, most applications at a utility were not necessarily built with security in mind, so many existing legacy applications will likely need to be reengineered or secured. Moving forward, commercial, off-the-shelf applications must be evaluated for their resistance to threats and their ability to process and handle sensitive information over the course of their entire lifecycle. Of course, rigorous testing will become essential, especially when it comes to identity and access management.
Proactive monitoring will also be critical. Utilities will need to gather cyber intelligence and constantly monitor downstream activities to spot back door vulnerabilities that might have been missed by point compliance and checklists. They should also be looking for complex patterns that often indicate the initiation of an attack, and expand the scope of standard vulnerability assessment or penetration tests. They should also take advantage of outside sources of threat intelligence and try to detect reconnaissance activity by likely attackers, which could include disgruntled employees, hackers, or third parties looking to escalate their privileges to the network.
The last defensive measure utilities should consider is closely monitoring the useful data generated by application vulnerability scanner results, event management reports, security information, and intrusion detection system threat engines. These sources can help prevent attacks or mitigate their effectiveness, and merging the data they produce together will help form an operating picture whose sum is much greater than its parts.
Standardisation. Utilities must constantly assess their systems for points of risk and put in place security features gradually. A prerequisite for the security of smart grids is the interoperability of various security controls as well as compliance with standards and regulations. No utility--let alone an end user--will be able to choose a device and expect it to work on a smart grid network without interoperability, which will require some set of standardised testing.
Regulation also must be standardised immediately. Lawmakers and regulatory agencies must collectively take a tough stand when it comes to enforcing security standards for utilities and punishing those who violate those standards.
Governance. At many utilities, it's often unclear what department is responsible for oversight or accountability for cyber security and data protection. In some cases, this responsibility is supposed to be shared between various functions. For example, the chief information officer might be charged with maintaining IT and data security, the chief security officer will set policies and procedures and the general counsel is asked to ensure the organisation complies with regulations.
This type of fragmented responsibility often leads to breakdowns, where ownership of critical security issues is often pushed from one department to the next.
This becomes a particularly alarming technology management issue in the utility industry, where the corporate IT team usually manages only their own enterprise IT systems, including finance, email and human resources. Management of the electrical grid itself is often left up to field operations and engineering staff. This kind of system separates those who understand networking and information security from those who manage the electricity network. Such a gap will need to be closed as utilities transition to the smart grid.
Education. Unless consumers are convinced that their personal data is safe, utilities will face significant resistance to smart grid adoption. Just as banks focused on rigorous educational programmes when automated teller machines were first introduced, utilities need to teach smart grid security skills and awareness programmes to all employees, focusing their attention on the importance of security.
The smart electrical grid promises to change the face of the utility industry forever and enable efficiencies and consumer conveniences that will change the way we live for the better. But it will remain a promise, not a reality, unless utilities address these pressing security concerns and give consumers the confidence that a strong cyber security framework is in place to protect their personal data.
Dr Alastair MacWillson is the global managing director of Accenture's Global Security Practice. Prior to joining Accenture in 2002, Dr MacWillson was the global leader of the technology consulting practice in PricewaterhouseCoopers. Dr MacWillson has acted as an advisor to a number of governments on technology strategy critical infrastructure protection, cyber security and counter terrorism and has sat on related committees for the US and UK governments, the European Commission and the United Nations. Dr MacWillson has a BSc in Physics, postgraduate diplomas in Computer Science and Digital Imaging, a PhD in Theoretical Physics, and a DPhil in Cryptographic Integrity.
By : Dr Alastair MacWillson, Accenture