
Security considerations for US Smart Grid and Smart Metering deployment

On May 18, 2009, US Commerce Secretary Gary Locke and US Energy Secretary Steven Chu announced significant progress that will help expedite development of a nationwide Smart electric power grid. A Smart Grid would replace the current, outdated system and employ real-time, two-way communication technologies to allow users to connect directly with power suppliers. Once implemented, the Smart Grid is expected to save consumers money and reduce America’s dependence on foreign oil by improving efficiency and spurring the use of renewable energy sources.

Before it can be constructed, however, there needs to be agreement on standards for the devices that will connect the grid. There also needs to be a review of the new information security and availability threats that such a system might engender. In this article Dr. Jim Kennedy looks at the latter and highlights what needs to be considered.

Introduction
There are many market forces that are driving today’s electric utilities to consider Smart Grid and Smart Metering for their operations. The primary driver is the demand for increased service delivery. But before Smart Grid and/or Smart Metering are employed it is imperative that electric utilities consider and address the security vulnerabilities inherent in today’s energy providers’ network, computing and control infrastructures. If this is not done it is possible that in future computer hackers, cyber criminals, or rogue countries could adversely impact portions of the country’s power infrastructure.

On the national front

Published reports over the last few months, crediting unnamed national security sources, indicated that hackers from several large nations have penetrated the US power grid, mapped it and potentially installed malicious tools that could be used to launch future attacks on the electrical infrastructure. It is important to note that these discoveries were made by US Intelligence Agencies and not the compromised utilities’ internal security organizations.

On the local front

Every day the local newspapers and electronic media put breaches and information compromises on the front page. The very same communications networks and computing infrastructures utilized by these financial, insurance, government and retail sales organizations are also in use by many electric utilities. Power grid hackers could potentially exploit the very same vulnerabilities (virus attacks, buffer overflow attacks, etc.) to attempt an attack on electric utilities. In addition, more and more attacks exploit the most recent vulnerabilities or are zero-day attacks. Zero-day attacks are those where patches are yet to be developed and distributed to address the vulnerability.

Smart Grid

Smart Grid is the evolution of the power industry to utilize the rapidly advancing network and computing technology to improve the transmission, distribution and control of the electrical grid that supplies homes and industry with electrical power. The advantages are: improved efficiency of power generation and distribution, reduced cost of operations and improvement of reliability of the overall electric grid – all laudable goals.

There are estimated to be in excess of two million Smart Meters used in the United States today. It is also estimated that greater than 50 major US electric utilities are preparing to implement (pilot) smart-metering in their territories. To accomplish this more than fifteen million smart-metering devices have already been ordered.

It should be noted, however, that every incorporation of Smart Grid and Smart Metering within an area increases the reliance on the implementing utility’s network and computing infrastructure to supply and maintain electric power for the end consumer. So as you can see it is of the utmost importance that the networks and computing resources are properly protected from failure and improper use.

Security and the Smart Grid

There are many steps that can be taken to build security into the smart grid from the beginning rather than adding it on after the fact (usually where security problems start). The US stimulus package is allocating more than $10 billion for Smart Grid-related technology. Some of that money should be spent to research, develop and implement proper security controls for this new technology.

One of the most critical steps to incorporating and maintaining security will be utilizing existing relevant security standards such as the ITU’s X.805 (now the ISO/IEC 18028-2 standard for security architectures), the NIST standard 800-53 for system security controls, ISO 27001 & 2 for security management programs, and of course the NERC-CIP regulations. It will also be necessary to draft new industry standards to meet the requirements of the new technologies introduced by Smart Grids and Smart Metering architectures and operations. In addition, all software developed for Smart Grid and Smart Metering systems and applications should also be put through a proven software and security development lifecycle.

The second most crucial step is to implement a thorough testing methodology, applied before, during, and after deployment, for all Smart Grid and Smart Metering hardware, software and network systems. These newly introduced systems should be taken through a rigorous battery of automated source code reviews, testing of executables, and continual scanning for any deviations from approved configurations. It is imperative for solution providers to ensure the Smart Grid and Smart Metering systems are as secure as possible before deployment onto the grid.

The last step is for the utilities to exercise the necessary diligence to ensure that the required security controls are in place and that mandated policies, standards and regulations are being followed. As we have found with many security breaches and successful hacks in other industry sectors, the reason for the security compromise was a lack of due diligence: security controls inadequately implemented, security procedures not followed, and security rules regularly ignored. Security needs to be tightened up. Security awareness training needs to be done regularly to reinforce security throughout the organization.

In summation

Smart Grid and Smart Metering are good for the environment, the consumer and society in general. However, power utilities, government regulators, and equipment and software manufacturers need to ensure that security is in the forefront of their designs and implementations to keep the grid maximally safe and operational.

About the author

Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV is the Business Continuity/Security Services Practice lead and a principal consultant for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields. He is the co-author of three books, ‘Security in a Web 2.0+ World, A Standards Based Approach’, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of an e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. jtkennedy@alcatel-lucent.com

• Date: 5th June 2009 • Region: US • Type: Article • Topic: Power management





Copyright 2010 Portal Publishing Ltd