What if a burglar could browse data which reveals which houses in an area are empty, or a cyberattack could create an electricity blackout? What if you unwittingly paid for your neighbour's electricity, or a hacker could hijack control of your washing machine?

These are all possible scenarios in an insufficiently secured electricity grid, and in particular in the emerging smart grid.

The smart grid is a bionic upgrade to power generation and distribution that will let our energy network diagnose and heal itself, dynamically integrate renewable energy and local power sources and automatically lower electricity demand. The source of those new superpowers is information technology. But increasing automation and communications within the electricity grid potentially has a dark side: increased vulnerability to attack.

The Stuxnet worm, which attacked nuclear power plants in Iran, suddenly thrust a subject which was previously the domain of a small group of experts, the security and automated control of industrial systems, into the limelight. The systems used to control nuclear power plants are very similar to those which run the power grid. "The idea that industrial control systems of infrastructure can be penetrated in a clever way like that has really opened the eyes of the community and the general public," says Jeff Meyers, a smart grid executive at Telvent.

While security experts always knew that an attack like Stuxnet was possible, the general view was "the threat is going to be an external one. It's going to come from hackers". In fact Stuxnet was delivered as part of a Siemens industrial control system, an internal threat rather than an external one.

Markus Braendle is the cyber security manager at ABB, a leading vendor to utilities. He asks, "How do you put a price on what happens if we lose power in a small distribution grid? Anywhere from a couple of people being annoyed because they can't watch TV to, if it's a cold winter, people losing their lives."

The Government Accountability Office (GAO), which audits government activities, recently released a report on smart grid cybersecurity which reveals significant problems. The report concluded that there are gaps in cybersecurity regulation and problems with jurisdiction, and that even when regulation exists, utilities are focused on regulatory compliance rather than comprehensive security. Utilities are governed by a complex set of national, state and municipal regulators who set compliance rules and can impose fines if they are not met. Many state regulators have not imposed any formal requirements on utilities, and even when there are requirements, they are usually limited to smart metering.

Currently NERC (North American Electric Reliability Corporation) defines national standards on cybersecurity for utilities, but according to several of the experts I spoke to, the NERC CIP standards are not sufficient to ensure robust security in the smart grid. Making sure the standards are implemented correctly via testing and monitoring is also an area of concern.

The smart grid presents unique security problems. When a power grid operator talks about security, he means reliability of electricity supply. Keeping the electricity flowing is the primary concern of every operator. In the IT world, security means cybersecurity.

Braendle explained that "in the end what we are trying to secure is a physical process and not a piece of information." Most security techniques like encryption or authentication were developed for environments like banking which manipulate pure data. They don't take into consideration the delays required to open a valve or switch a feeder and, conversely, often cannot operate fast enough for grid applications like protection, where the local grid must be isolated from a malfunction in less than two milliseconds.

Bob Lockhart, who wrote Pike Research's smart grid cybersecurity report, told me that something as simple, from the IT point of view, as "pinging" a device to see if it is running can sometimes bring down a legacy system. Adding monitoring can disrupt real-time processes on the grid. For a grid operator, reliability of supply is all. Braendle points out that "we have systems which have an allowed down time of 5 minutes per year."

The smart grid will be composed of an enormous number of devices of various types and vintages, from smart meters and solar inverters to electrical substation equipment and sensors on electricity lines. Many legacy devices in the grid have limited processing power, communicate using proprietary protocols over low-bandwidth connections and have no built-in security. Replacing older devices is often not an option for cost or reliability reasons. For this reason, building the smart grid has been compared to rebuilding a plane in flight.

More devices also means more entry points into the grid which can be used as points of attack. As Rolf Adam, Cisco's Director of utilities and smart grid in Europe, says, "From an IT environment security perspective, it's a nightmare." He also told me that utilities are very reluctant to share information about security vulnerabilities due to liability issues.

Ask a group of smart grid experts to name the major threats to the smart grid and you will get as many answers as people. According to Lockhart, utilities want smart meters to last for 20 years, but this timeline is too long for IT companies, so they are concentrating on making the meters upgradeable. Upgradeability creates vulnerabilities. The threats include rolling back the meter to avoid billing, using the meter as an entry point to the rest of the network or even denial of service attacks on meters.

Braendle asserts that customer privacy is a new problem for utilities. Data from smart meters can reveal all kinds of private information, from the number of people in your household to when you are on holiday. Utilities have a legal obligation to keep this data private. "How do you protect the privacy of the customer so not everyone knows when you are taking a shower?" he asks.

John Cooper, author of GridNet's cybersecurity whitepaper, agrees on meters being a possible entry point to the grid but also points to the distribution grid (the part which connects to homes and businesses), where decisions which were previously manual are being automated and made locally. Cooper also considers renewables, in particular small-scale, local generation of renewable energy known as distributed energy resources (DER), as a brand new area which doesn't fit the current paradigm. Utilities are used to generating power in large-scale, centralised power stations. Distributed solar or wind farms, local electricity storage and even electric vehicles add thousands of devices on the edge of the grid. "DER will require control," Cooper maintains, "and we will have much less control over the physical access to those locations as opposed to substations." (A substation transforms high to lower voltage and acts as a local centre to distribute electricity to homes and businesses.)

Adam contends that physical security will be more important than cybersecurity in early smart grid deployments. "Doing physical damage to an infrastructure is much easier than damaging that infrastructure using cybersecurity," he says. The best firewall in the world won't stop someone from driving a bus into a substation. Adam also highlights the need to apply security to people (for example, who gets access to a substation) and to processes. Cisco is using RFID tags for utility employees and materials to track them in the field. It is also advocating the use of video collaboration tools so that more inexperienced maintenance staff, who may inadvertently cause damage by flicking the wrong switch in a substation, can get expert advice.

Meyers also mentioned physical security threats and small-scale power generation but added that there are threats everywhere that new communication and sensing technology is used.

The good news is that cybersecurity standards and techniques for the smart grid are being developed. "In North America right now the awareness (of cybersecurity) is higher than anywhere else," asserts Braendle. One reason for this is the NERC CIP cybersecurity guidelines and the accompanying fines for non-compliance. Another is that all smart grid projects which receive stimulus money from the U.S. government must meet certain cybersecurity standards.

Meyers and Cooper agree that a lot of good work has been done on defining cybersecurity requirements, but there are still many open questions related to regulation, testing and compliance. Meyers explained that the diversity of the devices in the grid and their age could be an advantage as well as a difficulty, since it makes it more difficult to acquire the knowledge to do harm. He also wonders if hackers will think it's as "sexy" to take down a part of the distribution grid as, for example, a big bank.

Cooper says that the ultimate goal of cybersecurity is not to make the smart grid impregnable, but to make it more costly, and therefore less attractive, to attack. However, his final words are clear. "The smart grid should not be built if it's not built securely."


Tags: cyberattacks, cybersecurity, editors choice, energy, security, Smart Grid, Solar

Companies: ABB, Cisco, gao, GridNet, Pike Research, telvent


Ciara Byrne is a full time techie and part-time writer. She has worked as a software developer, team lead, engineering manager and mobile standards expert. Ciara is based in Amsterdam and her interests include creative companies, useful technology, torture by piano and cycling in high heels. Follow her on Twitter at @deciara.
