Forget terrorists for a moment. The biggest threat to the security of the grid might be vandals and organized crime.
Unsecured or vulnerable smart meters could become gateways for electricity theft through unauthorized programs that prompt the meter to underestimate individual consumption. Who would dare doubt the accuracy of a digital device, after all? In effect, this would be the reverse of the fear of some consumers, who (for the most part, erroneously) believe that smart meters are being used to overcharge them.
“Overseas, there are protection rackets that can provide power discounts. You can actually purchase power discounts,” said Heath Thompson, CTO of Landis + Gyr North America, which has teamed up with SafeNet to create a security framework for its smart meters and other grid technologies. “There are definite examples.”
Another problem: rogue programs could shut off lights or HVAC systems in blocks in communities, thereby causing induced blackouts that can damage or prematurely age field equipment.
“If you get enough meters shutting off at once, you’ve got a load shedding event,” said Rob Shein, a member of the Federal Government Security group at Hewlett-Packard.
Just like the computer industry did more than a decade ago, the smart grid industry is moving from the stage of slaying hypothetical monsters to tackling the unanticipated (and in many ways, more insidious) ones. Have major blackouts been caused by rogue grid code? No. The 2003 blackout in the northeastern U.S. and the 2009 Brazilian blackout were both caused by random trees falling during peak hours.
Still, unauthorized code has been found in the nerve centers of utilities, and the Stuxnet virus has shown how vulnerabilities in building management systems can lead to unauthorized access. Various security experts have exposed holes in different networks and/or software, as well.
“There are active groups of hackers looking at the smart grid,” said Thompson.
Perhaps the chief difference between how security will roll out on the grid and how it got introduced in computers centers on time, opined Shein. Both the internet and email were around for years before they became fully established in the market and long before they became gateways for attack. That gave security experts the luxury of time to burn out the impurities and for corporations to instill a cultural awareness about security within their organizations. As with computers, cultural awareness will likely become the main defense against a rolling wave of security issues in smart grid, but at this point, the basics of the technology need to be worked out, too.
“Smart grid technologies are critical right out of the gate,” Shein said. “The trial-and-error process needs to be abbreviated or we will have to find another means for testing security.”
As part of the effort, HP has created a program called Smart Grid Security Quality Assessment for testing for vulnerabilities. (Shein came to HP from EDS, the mega-service provider bought in 2008.) One can also expect to see names like McAfee (now part of Intel) and Symantec discussing smart grid security products; in fact, Symantec is already pushing into energy management.
Some utilities, Shein noted, are already well on their way. One particular utility, for instance, employs a dual-firewall architecture to segregate its power plants. To connect power plants to the wider network, two change requests to open ports need to occur: one from the network side to open a port and one from the power-generation side. The extra paranoia reduces the odds of inadvertent entry.
“They are in an equally mistrustful relationship,” he said. “It shows a certain philosophy.”
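The two-sided change control Shein describes can be audited mechanically. The sketch below is an added example, not the utility's or HP's tooling: the data model, the function name `audit_dual_firewall` and all port numbers are constructed assumptions. It treats a port as reachable only when both firewalls have it open and each side has its own approved change request, and flags any open port that lacks one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChangeRequest:
    side: str       # "network" or "generation": the team that filed it
    port: int
    approved: bool

def audit_dual_firewall(network_fw_open, generation_fw_open, change_requests):
    """Classify every open port by whether both sides opened and authorized it."""
    approved = {"network": set(), "generation": set()}
    for cr in change_requests:
        if cr.approved and cr.side in approved:
            approved[cr.side].add(cr.port)

    report = {"reachable": [], "blocked_one_sided": [], "unauthorized": []}
    for port in sorted(set(network_fw_open) | set(generation_fw_open)):
        open_net = port in network_fw_open
        open_gen = port in generation_fw_open
        # A port open on a firewall without that side's approved request is drift.
        drift = (open_net and port not in approved["network"]) or (
            open_gen and port not in approved["generation"])
        if drift:
            report["unauthorized"].append(port)
        elif open_net and open_gen:
            report["reachable"].append(port)       # both sides agreed
        else:
            report["blocked_one_sided"].append(port)  # other firewall still drops it
    return report

# Constructed sample state (hypothetical ports and requests).
NETWORK_FW_OPEN = {443, 502, 8443}
GENERATION_FW_OPEN = {443, 20000}
CHANGE_REQUESTS = [
    ChangeRequest("network", 443, True),
    ChangeRequest("generation", 443, True),
    ChangeRequest("network", 8443, True),     # generation side never agreed
    ChangeRequest("network", 502, False),     # rejected, yet the port is open
    ChangeRequest("generation", 20000, True),
]

if __name__ == "__main__":
    result = audit_dual_firewall(NETWORK_FW_OPEN, GENERATION_FW_OPEN, CHANGE_REQUESTS)
    for status, ports in result.items():
        print(f"{status}: {ports}")
```

A one-sided opening stays blocked because the second firewall still drops the traffic, which is the property that reduces inadvertent entry.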