Smart grids are "a society-changing activity, roughly akin to the railroad, the car and the telephone system," said Bill Hunteman, senior advisor for cybersecurity for the Energy Department's Office of Electricity Delivery and Energy Reliability. "Consider the Internet. When it started no one could have predicted where it would be today. The same is true of the smart grid. We don't have a clue where it's going."
Yet to a large degree, smart grids, and the nascent IP networks that control them, represent a voyage into the technological unknown. Energy control systems, such as Supervisory Control and Data Acquisition (SCADA) systems, will become increasingly complex as smart grids are deployed, allowing utility companies, and even third-party application providers, to collect large sets of data from users—data that will need to be encrypted and protected, sources said.
"The utilities are creating this parallel universe, a new Internet, to monitor electric usage," said Annabelle Lee, senior cyber security strategist at the National Institute of Standards and Technology (NIST), which is developing cybersecurity standards and specifications for smart-grid control systems.
"We've got a big cybersecurity challenge ahead of us," Hunteman said. He points out that while cryptography will be one of the prime security defenses in managing the new grid, smart grid cybersecurity also will require a new, more strategic approach.
"We will need tools to do risk assessment and risk management from all levels of the grid," Hunteman said.
For federal agencies, smart grid control systems will open up new security vulnerabilities, so it's a good idea to start thinking ahead about grid-related risks. "Anything that is Internet-connected can be compromised," said Shawn McCarthy, research director for IDC Government Insights. "I don't believe anybody who says the grid is invulnerable or can be made invulnerable. It's all about risk management."
McCarthy said agency managers should ask themselves: What are the possible points of failure? And what's the backup plan?
As smart grids come online, addressing potential smart grid-related security vulnerabilities should be part of agencies' routine, overall security risk assessments -- and that includes asking utilities to provide "some visibility into the specific controls and [security] protections," said Paul Proctor, a vice president of Gartner Research in the risk and security area.
Shawn McCarthyResearch Director, IDC Government Insights
Among the biggest security issues with smart grid infrastructures is the potential for cyber attackers to shut down power that supports mission-critical services or monitor patterns of energy usage from which information about sensitive operations could be derived.
Agencies should be prepared to scrutinize outgoing smart-meter data and determine if their power-usage patterns "give visibility to internal workings that they don't want people to know about," Proctor said. "They should work with their power company to mask those usage patterns. I would not trust the power companies to protect that data, [especially] if we're talking about highly sensitive [operations] or national security."
As NIST officials continue to draft smart-grid cybersecurity standards, they are aware of possible risks for government organizations whose missions involve sensitive operations and national security, such as the Defense intelligence agencies, Lee said. "They may have some requirements that may need to be addressed by the commercial [SCADA] networks," she said.
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.