What if a burglar could browse data which reveals which houses in an area are empty, or a cyberattack could create an electricity blackout? What if you unwittingly paid for your neighbour’s electricity, or a hacker could hijack control of your washing machine?
These are all possible scenarios in an insufficiently secured electricity grid, and in particular in the emerging smart grid.
The smart grid is a bionic upgrade to power generation and distribution that will let our energy network diagnose and heal itself, dynamically integrate renewable energy and local power sources, and automatically lower electricity demand. The source of those new superpowers is information technology. But increasing automation and communications within the electricity grid potentially has a dark side: increased vulnerability to attack.
The Stuxnet worm, which attacked nuclear power plants in Iran, suddenly thrust a subject which was previously the domain of a small group of experts, the security and automated control of industrial systems, into the limelight. The systems used to control nuclear power plants are very similar to those which run the power grid. “The idea that industrial control systems of infrastructure can be penetrated in a clever way like that has really opened the eyes of the community and the general public,” says Jeff Meyers, a smart grid executive at Telvent.
While security experts always knew that an attack like Stuxnet was possible, the general view was “the threat is going to be an external one. It’s going to come from hackers”. In fact Stuxnet was delivered as part of a Siemens industrial control system, an internal threat rather than an external one.
Markus Braendle is the cyber security manager at ABB, a leading vendor to utilities. He asks “How do you put a price on what happens if we lose power in a small distribution grid? Anywhere from a couple of people being annoyed because they can’t watch TV to, if it’s a cold winter, people losing their lives.”
Security in the smart grid
The Government Accountability Office (GAO), which audits government activities, recently released a report on smart grid cybersecurity which reveals significant problems. The report concluded that there are gaps in cybersecurity regulation and problems with jurisdiction, and that even when regulation exists, utilities are focused on regulatory compliance rather than comprehensive security. Utilities are governed by a complex set of national, state and municipal regulators who set compliance rules and can impose fines if they are not met. Many state regulators have not imposed any formal requirements on utilities, and even when there are requirements, they are usually limited to smart metering.
Currently NERC (North American Electric Reliability Corporation) defines national standards on cybersecurity for utilities, but according to several of the experts I spoke to, the NERC CIP standards are not sufficient to ensure robust security in the smart grid. Making sure the standards are implemented correctly via testing and monitoring is also an area of concern.
The smart grid security problem
The smart grid presents unique security problems. When a power grid operator talks about security, he means reliability of electricity supply. Keeping the electricity flowing is the primary concern of every operator. In the IT world, security means cybersecurity.
Braendle explained that “in the end what we are trying to secure is a physical process and not a piece of information.” Most security techniques like encryption or authentication were developed for environments like banking which manipulate pure data. They don’t take into consideration the delays required to open a valve or switch a feeder and, conversely, often cannot operate fast enough for grid applications like protection, where the local grid must be isolated from a malfunction in less than two milliseconds.
Bob Lockhart, who wrote Pike Research’s smart grid cybersecurity report, told me that something as simple, from the IT point of view, as “pinging” a device to see if it is running can sometimes bring down a legacy system. Adding monitoring can disrupt real-time processes on the grid. For a grid operator, reliability of supply is all. Braendle points out that “we have systems which have an allowed down time of 5 minutes per year.”
The smart grid will be composed of an enormous number of devices of various types and vintages, from smart meters and solar inverters to electrical substation equipment and sensors on electricity lines. More devices means more entry points into the grid which can be used as points of attack. Many legacy devices in the grid have limited processing power, communicate using proprietary protocols over low-bandwidth connections and have no built-in security. Replacing older devices is often not an option for cost or reliability reasons. For this reason, building the smart grid has been compared to rebuilding a plane in flight.
What are the security threats?
Ask a group of smart grid experts to name the major threats to the smart grid and you will get as many answers as people. According to Lockhart, when it comes to smart meters, utilities want smart meters to last for 20 years, but this timeline is too long for IT companies. So they are concentrating on making the meters upgradeable. Upgradeability creates vulnerabilities. The threats include rolling back the meter to avoid billing, using the meter as an entry point to the rest of the network or even denial of service attacks on meters.
Braendle asserts that customer privacy is a new problem for utilities. Data from smart meters can reveal all kinds of private information from the number of people in your household to when you are on holiday. Utilities have a legal obligation to keep this data private. “How do you protect the privacy of the customer so not everyone knows when you are taking a shower?” he asks.
John Cooper, author of GridNet’s cybersecurity whitepaper, agrees on meters being a possible entry point to the grid but also points to the distribution grid (the part which connects to homes and businesses) where decisions which were previously manual are being automated and made locally. Cooper also considers renewables, in particular small-scale, local generation of renewable energy known as distributed energy resources (DER), as a brand new area which doesn’t fit the current paradigm. Utilities are used to generating power in large-scale, centralised power stations. Distributed solar or wind farms, local electricity storage and even electric vehicles add thousands of devices on the edge of the grid. “DER will require control,” Cooper maintains, “and we will have much less control over the physical access to those locations as opposed to substations (a substation transforms high to lower voltage and acts as a local centre to distribute electricity to homes and businesses).”
Rolf Adam, Cisco’s Director of utilities and smart grid in Europe, contends that physical security will be more important than cybersecurity in early smart grid deployments. “Doing physical damage to an infrastructure is much easier than damaging that infrastructure using cybersecurity,” he says. The best firewall in the world won’t stop someone from driving a bus into a substation. Adam also highlights the need to apply security to people, e.g. who gets access to a substation, and processes. Cisco is using RFID tags for utility employees and materials to track them in the field. It is also advocating the use of video collaboration tools so that more inexperienced maintenance staff, who may inadvertently cause damage by flicking the wrong switch in a substation, can get expert advice.
Meyers also mentioned physical security threats and small-scale power generation but added that there are threats everywhere that new communication and sensing technology is used.
The good news
The good news is that cybersecurity standards and techniques for the smart grid are being developed. “In North America right now the awareness (of cybersecurity) is higher than anywhere else,” asserts Braendle. One reason for this is the NERC CIP cybersecurity guidelines and the accompanying fines for non-compliance. Another is that all smart grid projects which receive stimulus money from the U.S. government must meet certain cybersecurity standards.
Meyers and Cooper agree that a lot of good work has been done on defining cybersecurity requirements, but there are still many open questions related to regulation, testing and compliance. Meyers explained that the diversity in the devices in the grid and their age could be an advantage as well as a difficulty since it makes it more difficult to acquire the knowledge to do harm. He also wonders if hackers will think it’s as “sexy” to take down a part of the distribution grid as, for example, a big bank.
Cooper says that the ultimate goal of cybersecurity is not to make the smart grid impregnable, but to make it more costly, and therefore less attractive, to attack. However, his final words are clear. “The smart grid should not be built if it’s not built securely.”