The Looming Smart Grid Security Crisis: Lessons learned from online banking provide the blueprint
In 2007, scientists at Idaho National Labs revealed the vulnerability of an electrical utility's control system by demonstrating the ability to instruct the control system to destroy itself. However, it wasn't until very recently that CBS aired a special on this discovery while the Wall Street Journal1,2,3 and the New York Times4 reported on the vulnerability of our energy grid.
The New York Times summed the issue up best:
"The accelerating deployment of tens of millions of advanced electric meters and other smart grid devices.increases the targets of attack and could make the nation's power network potentially more vulnerable as the threat of penetration grows."
Historically, this looming crisis has been too abstract for consumers to take notice. By the very nature of its ubiquity as a utility service, the public does not care how the electrical system works, as long as it works. That includes security. If some sort of threat creeps in it's expected to be rectified before the lights go out. If an outage happens, once the lights come back on, all is forgotten.
As an example, the massive blackout in 2003 left approximately 50 million people across Ohio, Michigan, Pennsylvania, New York, Vermont, Massachusetts, Connecticut, New Jersey and Ontario without power and with an overwhelming fear by some that it was a result of a potential terrorist attack. When the public learned that the blackout was caused by a downed power pole, the fear of a national catastrophe turned into a mere inconvenience.
Advanced Metering Infrastructure (AMI) Changes the Game
The move towards smart meters is analogous to the revolution the banking industry saw with ATMs, debit cards and online banking. According to Pike Research, approximately 45 million smart meters exist today worldwide and, by 2015, this number is expected to grow to approximately 250 million. 250 million homes and commercial and industrial establishments will be connected to the grid and benefit from information such as itemized energy bills and peak pricing periods to help them modify energy usage patterns.
The revolution in the way consumers conduct day-to-day banking brought incredible efficiencies and conveniences. Yet, it also brought heightened public unrest - and action from financial companies - regarding security. Now, users have become accustomed to the many required security features such as site keys, multiple passwords, and pin numbers in exchange for assurance that their account will be protected. Without these security measures, online banking would not exist.
But average consumers tend to care about cyber crime only as it relates to their own pocket and own financial security. In his CBS interview, Admiral McConnell said that people's first question about cyber crime in the banking industry is if their money could be stolen from their account. These same questions are now being asked about smart meters and the utility industry.
Tackling Smart Grid Security?
How do we address new security concerns amid utility system overhaul and paradigm shift in process by which electricity and information flows from generation to end-user and back? With advanced planning, as in banking, it must be addressed by building security into every level of technology throughout the Advanced Metering Infrastructure (AMI) "stack." Anything less will result in weak links that, ultimately, will be exposed and exploited.
CIS: Customer Information System; OMS: Outage Management System; DRS: Demand Response System; GIS: Geographic Information System; AMS: Asset Management System; DCU: Data Concentration unit
"Built In" versus "Bolted On"
According to IOActive, a security consultancy, "Studies show that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development cycle, as opposed to projects where security is implemented in the design phase."
Once it is understood and accepted that security controls must be built in from the design phase, the next question is: Where should they reside? The answer is everywhere. When you break down the AMI Stack into its different layers, the problem becomes much more manageable. With the AMI Stack diagram, you can begin to dissect the different components of AMI, from the meter itself, to the communications network, to the meter data management system (MDMS), and to the mission-critical billings applications. Security controls need to be approached holistically and be designed within and across these layers one by one.
As your journey into the world of AMI security begins, here are several questions for you to consider:
- Do you manage encryption from an enterprise-wide perspective?
These questions, among others, are already being asked by the North American Electric Reliability Corporation (NERC). The more the public is sensitive to and understands these issues, the more they'll begin to demand that action be taken.
"What I'm worried about is, because of so many competing priorities, and so many issues that we have to deal with, we will not get focused on this problem until we have some catastrophic event," Admiral McConnell said.
Now is the time to act.