COMMUNICATIONS / NETWORKS
Smart Grid will only be as good as security behind it
Security standards for smart grid must be addressed before new advanced infrastructure is in place
- By William Jackson
- Mar 24, 2009
The United States is at a critical juncture in the development and deployment of technology that will enable a new generation of smart power grids. The economic stimulus package includes $4.5 billion for Smart Grid projects and industry is developing and deploying some of the technology.
However, security standards for the new technology are only beginning to emerge from government and industry programs.
“Research conducted throughout the industry has independently concluded these technologies are susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, rootkits and code propagation,” the security services firm IOActive said in a recent statement.
If exploited the vulnerabilities could expose the Smart Grid, a 21st-century system for more reliably distributing and delivering electric power across the country, to the same types of attacks now threatening our information technology networks. IOActive recommends that industry best practices for the development of secure technologies be identified and adopted and third-party assessment of baseline security standards be required before deployment.
“The good news is, we are not in a total catch-up phase,” said IOActive President and Chief Executive Officer Joshua Pennell. “It’s still in the early adoption phase. We should take advantage of the fact that it’s not too late.”
The Smart Grid is a concept that would use intelligent networking and automation to better control the flow and delivery of electricity to consumers. It is “a fully automated power delivery network that monitors and controls every customer and node, ensuring a two-way flow of electricity and information between the power plant and the appliance, and all points in between,” The Energy Department said in its “National Vision for Electricity’s Next 100 Years.” “Its distributed intelligence, coupled with broadband communications and automated control systems, enables real-time market transactions and seamless interfaces among people, buildings, industrial plants, generation facilities, and the electric network.”
By applying IT to the energy infrastructure, the government hopes to create not only a more reliable energy system, but a greener one.
“A smart grid can increase reliability, heighten security, optimize the entire electricity system from generation to consumption, and contribute to the decarbonization of the electricity industry,” Katherine Hamilton, president of the GridWise Alliance told the Senate Energy and Natural Resources Committee earlier this month. “A smarter grid can also enable the integration of dynamic forecasting, energy storage, clean distributed generation, and energy efficiency technologies, including plug in hybrid vehicles. A smarter grid allows for a more effective deployment of energy from renewable sources, reaping the full benefit of wind, solar, geothermal, hydropower, and biomass power.”
GridWise, a coalition of utility and IT companies, universities and research organizations, says deployment of a Smart Grid also could create 280,000 jobs over the next four years, thus the program’s inclusion in the economic stimulus program.
There are multiple elements to a Smart Grid. One of the first to be deployed is advanced metering, which monitors power use by the consumer and offers choices to the user and the utility for more economical delivery based on usage patterns. Some elements of this are in use, including electronic meters that report usage to the utility so that the meters do not have to be read by workers in the field. IOActive estimates that more than two million of the devices now are in use in the United States, and that another 17 million are on order by 73 utilities.
Because these meters also can have the ability for remote power shutoff to the customer and can allow access to the rest of the grid, securing the communications between the meter and the utility is important.
“Because of cybersecurity issues, certain criteria in developing technology are critical,” Hamilton testified. “Industry has been engaged in this process collectively through several partnerships so that the security architecture for all smart grid technologies will be consistent.”
One of the first products of these efforts is a baseline set of security requirements for smart meters developed by the Utility Communications Architecture International Users Group, a coalition of utilities that also includes the Energy Department. The group’s AMI Security Task Force developed the AMI System Security Requirements between May and December 2008.
The requirements were created to standardize existing best practices now used by utilities. They are intended to be used by the vendor industry in product development, and by utilities for procurement requirements. The requirements cover primary security services, supporting security services and assurance services.
The National Institute of Standards and Technology (NIST) also is charged with developing Smart Grid security standards under the Energy Independence and Security Act of 2007, although the act provided no funding for the effort. The stimulus package is expected to provide some of the needed budget.
Meanwhile, industry is not waiting for these standards, Hamilton said.
“Developing standards and protocols for smart grid is important, yet entrepreneurs, utilities, universities, and other businesses developing smart grid technologies will continue to implement smart grid in the absence of NIST standards,” she said. “We do not want to hold up these efforts that can stimulate the economy by waiting for standards to be developed.”
If security issues are addressed quickly they need not delay progress in rolling out a Smart Grid, Pennell said. “If they can do it in a quick time frame, I don’t see that there should be any delay.” But, “what’s really hard is when the products have already shipped. To go back and fix it later costs so much more,” and once deployed, elements of this new infrastructure are likely to be in place for 40 or 50 years.
Pennell also recommended that the Smart Grid industry adopt the formal Security Development Lifecycle (SDL) used by Microsoft Corp. in its Trustworthy Computing Initiative. The SDL has not eliminated security problems from Microsoft products, but it has succeeded in reducing the attack surface available to hackers, he said.
William Jackson is a Maryland-based freelance writer.