Top 6 hurdles to securing a smart grid

GAO has identified the most significant challenges to ensuring the cybersecurity of a power grid

In its recent assessment of electricity grid modernization, the Government Accountability Office hosted a panel of government, industry and academic experts on smart-grid security. The panel identified six critical challenges that need to be met to ensure the cybersecurity of systems and networks that support the nation’s electricity grid.

Jurisdictional cracks. The existing regulatory environment makes it difficult to ensure the cybersecurity of smart-grid systems.

Jurisdictional issues and the difficulties of responding to continually evolving threats are a major regulatory challenge. There is a lack of clarity in the division of responsibility between federal and state regulators because smart-grid technology can blur the traditional lines between transmission and distributions systems. And there are concerns about the ability of regulatory bodies to respond to rapidly evolving cybersecurity threats. Panel members also expressed concerns about future regulations that could be overly specific, including requiring the use of a particular product or technology.


Related coverage:

Smart electrical grid: Big benefits, big target

Smart grid tapped to inspire alternative energy sources


Lack of consumer education. Consumers are not adequately informed about the benefits, costs and risks associated with smart-grid systems. That lack of awareness might make consumers unwilling to pay for secure systems, and regulators could be reluctant to approve rate increases associated with cybersecurity. Until consumers know more about smart grids, utilities might not invest in or get approval for comprehensive security.

Least common denominator for compliance. Utilities are focusing on regulatory compliance instead of comprehensive security. The existing federal and state regulatory environment creates a culture of compliance. Experts said utilities focus on achieving minimum regulatory requirements rather than designing a comprehensive approach to system security. Because security requirements are inherently incomplete, that could leave organizations vulnerable to attack.

Insecure components. Smart-grid systems don't have adequate security features. For example, some currently available smart meters don't have a strong security architecture and lack features such as event logging and forensics capabilities, and many home networks — used for managing electricity usage in homes — do not have adequate security built in. That could leave utilities unable to detect and analyze attacks, which increases the risk that attacks will succeed.

Industry opaqueness. The electricity industry does not have an effective mechanism for sharing information on cybersecurity and other issues. Although the electricity industry has an information sharing center, it does not fully address information on vulnerabilities, incidents, threats and best practices. President Barack Obama’s cyberspace policy review also identified challenges related to cybersecurity information sharing in critical infrastructure sectors. Information regarding incidents, including unsuccessful and successful attacks, must be shared securely to allow industry to analyze practices and approaches.

No measure, no progress. The electricity industry does not have metrics for evaluating cybersecurity. That makes it difficult to measure improvements from investments in cybersecurity. Although the metrics are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combine to form the most secure system. Metrics also could help utilities develop a business case for cybersecurity by demonstrating the return on investments.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Apr 4, 2011 Shalin Shah

Great list post. Indeed, cyber attackers are developing attack patterns faster than current solutions can detect. Most existing cyber security solutions simply look for "signature-based" threats that search for known malicious patterns. This approach, while sufficient in some cases, is ultimately inadequate for two key reasons: (1.) Cyber attackers are quickly evolving their methods to evade signature-based detection and (2.) Signature-based detection often flags as threats benign activities, generating a stream of false positives that only exacerbates the needle-in-the-haystack problem inherent in cyber security. Cyber security solutions must therefore evolve to detect changes in user behavior. Operational Intelligence is able to provide such a comprehensive, fully-integrated cyber security solution.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above