Fifty-five million is a large number. That is roughly the number of people impacted by the great Northeast blackout of 2003, which to date is the largest electrical blackout in this nation’s history. At the time, many people thought about the possibility that the blackout was related to terrorism because the grid’s centralized structure leaves us open to attack. In fact, the interdependencies of various electrical grid components can bring about a domino effect—a cascading series of failures that could bring our nation’s banking, communications, traffic, and security systems, among others, to a standstill. If that happens, 55 million suddenly won’t seem so large a number in comparison.
Eventually, the smart grid will add layers of security to the interdependencies of the electric grid. Justin Searle is an analyst with Salt Lake City-based InGuardians, and when talking security and the smart grid, he compares it to the Internet. “To ask someone how secure the smart grid is amounts to the same as asking someone how secure the World Wide Web is. The World Wide Web simply isn’t a physical or logical object that can have a state of security. It is a term, like the smart grid, that can mean anything from Web browsers, email, e-business, Web servers, etc.”
So for the smart grid’s security, the best that can be said is it is as secure as your own home computer networks and your utility’s corporate networks, which means they keep most people out, but are not without flaws. That said, how much should we be concerned about security on the smart grid? What could happen?
The major problem consumers may suffer is degradation of service. Ron Meyran is director of security products with Radware, based in Tel Aviv, Israel. He points to some of the results. “Let’s start with reduced savings on power consumption. Smart-grid technology is about cost savings by turning on electrical equipment when power cost is low and turning it off at peak hours. If the monitoring and control systems are breached, data flow may either be interrupted or send the wrong information—which will yield unexpected behavior.
“In addition, there could be power shut downs. This is the main concern of security experts as attackers will most likely use security breaches to cause widespread electricity shut downs. Users will suffer from outages that are not due to physical failures but due to software systems alteration.”
So how secure is the smart grid? Several factors should be taken into consideration. Meyran notes, “The smart grid does not include any security standardization; hence no security tools or considerations are planned as an integral part of smart-grid deployment. Software, any software, always suffers from vulnerabilities that can be later exploited for malicious purposes. The use of software to monitor and control critical infrastructure opens a new door to attackers who previously had to launch physical attacks or use internal agents. The major threats that the smart grid, as part of a nation’s critical infrastructure, is exposed to are the ability to disrupt the power service and cause widespread shut downs.”
InGuardians’ Searle agrees with this assessment, saying, “The most obvious problem a consumer would experience if their utility’s meter network is compromised is a power outage. As a base, you should assume that anything the power company can do to your meter via remote control can be accomplished by a successful cyber attack. This could be done in small scale on a house-to-house basis or, worse case scenario, an entire region served by a utility company. While impacts that span larger than a single utility company’s service region are theoretically possible, the likelihood of such attacks is much lower.”
Utility companies in general are carefully evaluating the “intelligence” of devices before wide-scale deployment. “Every day I work with multiple utilities, vendors, and government officials to create national standards and recommendations to prevent these cyber-security attacks,” claims Searle. “Most of these utilities are spending great amounts of money in time and effort to understand these flaws through vulnerability assessment, penetration testing, and architectural designs.”
The National Institute of Standards and Technology (NIST) just issued the second draft of its Smart Grid Cyber Security Strategy and Requirements, which now identifies more than 120 interfaces that will link diverse devices, systems, and organizations engaged in a two-way flow of electricity and information, and classifies these connections according to the level of damage that could result from a breach in security.
Meyran says, “Remember the idea of the smart grid is about adding software to passive components. But the concern that users will alter the meters to reduce payment is a major motive for electrical companies to define a security standard for a meter and perform penetration tests to validate its robustness. The same has been applied by electrical companies with existing meters—breaking into meters requires physical damage which is quickly detected and abusers can be prosecuted.”
Searle adds, “Vulnerabilities to change meter read data allowing homeowners to commit fraud and save money exist in both old analog and all generations of ‘smart’ meters. This type of attack is not new and will not be going away anytime soon. However the next concern is over the new functionality of these devices. All of these smart meters are controlled by a single server, which makes a great new target for attackers. Not only can attackers go after these servers from the wireless meter networks, but they can go after them in a traditional way by compromising the utility corporate network via physical or Internet-based attacks.”
Utilities that are deploying or planning smarter grids are well aware of the potential problems, just as computer network security experts are when dealing with the Internet. Many utilities are developing what might be called “rapid response” methodologies. Searle explains, “These rapid responses are still in development and, since the smart grid is not one single network, these defenses must be created and developed by each player for its own domain of control. Each utility has to come up with its own responses to what they perceive as likely attacks. For a utility such an attack/defense might be to throttle or completely stop all control signals from their control servers to home meters in times of attack. For transmission companies—those companies transporting power across the country to individual utility companies (also call distribution utilities)—their controls often entail multiple redundant lines with redundant controlling mechanisms.”
Meyran believes the fastest and best solution might be for the deployment of an intrusion detection and prevention system within the core network of the smart grid. These systems are equipped with signature detection technology that identifies application vulnerability exploitations tailored for smart-grid technology. This advanced technology detects attempts to exploit vulnerabilities in certain related protocols.
Behavioral analysis technology will complement signature detection by detecting abnormal user patterns and alerting in realtime before widespread damage has occurred.
So, like the Internet, the digital smart grid has vulnerabilities and will generate attacks by cyber terrorists and criminals—and the “I can beat the best” hackers who have no motive save ego. But like the Internet, the smart grid will have an equal number of specialists whose efforts will be to prevent the disruption of the network by these attacks. And the game continues.