Smart grid security: Will 'good enough' be enough?

Standards for enabling an interoperable, interconnected electric energy system are emerging at a time when the appearance of a new class of threats is changing the way we think about cybersecurity.

There is an assumption that systems and networks already are or will be compromised and a growing emphasis on responding to rather than preventing breaches. C-level executives attending a recent discussion convened in Washington by RSA and TechAmerica concluded that advanced persistent threats are a new fact of life and that organizations should assume that they already have been or will be breached.

Related coverage:

Energy’s 10-year plan to protect the power grid from cyberattack

Building an interoperable smart grid: IEEE weighs in

“If someone really has you in their sights, they’ve got you,” said Tim Roxey, director of risk assessment at the North American Electric Reliability Corp., which issued alerts about two new threats to power distributors this summer.

This is the new landscape in which the nation is moving one of the most critical elements of its infrastructure — the electric energy grid — to a next-generation network that will enable the two-way flow of information and energy. Standards for security are being developed along with standards for interoperability. But if officials are being forced to concede they cannot keep out a determined attacker, how do we ensure the security of our power system?

"I am concerned,” said Dick DeBlasio, chief engineer at the Energy Department’s National Renewable Energy Lab, who also is chairman of an Institute of Electrical and Electronics Engineers working group that develops smart-grid standards. The working group wrestled with the security question while developing an interoperability reference model for Energy's smart grid. “It was tough,” DeBlasio said, and in the end, “it wasn’t something we could answer.”

The short answer is that there are no assurances of security in a system as complex and expansive as a smart grid. There will be too many endpoints to ensure isolation from the Internet — too many doors, windows and cracks to ensure that a targeted threat does not get through.

However, DeBlasio is optimistic about the smart grid. The cooperation of multiple disciplines, including power systems, communications and IT, in developing standards makes him confident that the system can be made safe, if not secure.

If the grid cannot be made impervious to attacks, it is all the more important that it be fault-tolerant, resilient and transparent. Fault tolerance will allow it to work around problems and bypass damaged or malfunctioning sections without bringing down the whole grid or even large sections of it. Resilience will be needed to spring back from the problems once they have been identified and isolated.

Perhaps most important, transparency will allow visibility into the system so that if — or when — malicious code is executed and it interferes with the generation or flow of power or information, the anomaly can be immediately detected. This is a tough job. The Stuxnet worm apparently was able to hide the damage it was doing to centrifuges in an Iranian uranium processing plant until the damage was done. Stuxnet has at least demonstrated that we cannot depend on nominal displays of system activity to identify anomalous behavior.

In the end, we most likely will need to set our eyes on having a grid that is good enough, not perfect. DeBlasio is confident that we can do that. “The best thing we can do is get better at what we do,” he said.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • A framework for secure software

Reader Comments

Fri, Nov 4, 2011 Ben Edelbrock

Great article, security is the future opportunity/headache of smart grid. This is probably one of the hottest topics and something that comes up every day. The technology and devices behind the scenes enable the grid, but the power is in the data. This creates a few main concerns primarily around security, visualization and storage. Utilities must find a way to protect data across the lifecycle from collection, transmission, storage, consumption and archival. It is imperative to secure every component of the network, across end points, aggregation points, communication network, head end systems and storage. Utilities must present data in a usable form for both internal stakeholders and customers. Finally, utilities must focus on storage strategies that are cost effective and secure. Please feel free to read my blog at Ben Edelbrock, Infosys

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group