The Looming Smart Grid Security Crisis: Lessons learned from online banking provide the blueprint

Dan Pearl | Mar 18, 2010

Share/Save  
On November 8, 2009 on CBS's 60 Minutes, Retired Admiral Mike McConnell equated the threat that the United States faces today from cyber attackers to problems facing the banking industry. The true danger, McConnell asserted, is not that hackers might siphon from bank accounts; it's the potential systematic destruction of the entire process by which we account for wealth. The same issue now faces the utility industry around the world and has for some time.

In 2007, scientists at Idaho National Labs revealed the vulnerability of an electrical utility's control system by demonstrating the ability to instruct the control system to destroy itself. However, it wasn't until very recently that CBS aired a special on this discovery while the Wall Street Journal1,2,3 and the New York Times4 reported on the vulnerability of our energy grid.

The New York Times summed the issue up best:

"The accelerating deployment of tens of millions of advanced electric meters and other smart grid devices.increases the targets of attack and could make the nation's power network potentially more vulnerable as the threat of penetration grows."

Historically, this looming crisis has been too abstract for consumers to take notice. By the very nature of its ubiquity as a utility service, the public does not care how the electrical system works, as long as it works. That includes security. If some sort of threat creeps in it's expected to be rectified before the lights go out. If an outage happens, once the lights come back on, all is forgotten.

As an example, the massive blackout in 2003 left approximately 50 million people across Ohio, Michigan, Pennsylvania, New York, Vermont, Massachusetts, Connecticut, New Jersey and Ontario without power and with an overwhelming fear by some that it was a result of a potential terrorist attack. When the public learned that the blackout was caused by a downed power pole, the fear of a national catastrophe turned into a mere inconvenience.

Advanced Metering Infrastructure (AMI) Changes the Game

The move towards smart meters is analogous to the revolution the banking industry saw with ATMs, debit cards and online banking. According to Pike Research, approximately 45 million smart meters exist today worldwide and, by 2015, this number is expected to grow to approximately 250 million. 250 million homes and commercial and industrial establishments will be connected to the grid and benefit from information such as itemized energy bills and peak pricing periods to help them modify energy usage patterns.

The revolution in the way consumers conduct day-to-day banking brought incredible efficiencies and conveniences. Yet, it also brought heightened public unrest - and action from financial companies - regarding security. Now, users have become accustomed to the many required security features such as site keys, multiple passwords, and pin numbers in exchange for assurance that their account will be protected. Without these security measures, online banking would not exist.

But average consumers tend to care about cyber crime only as it relates to their own pocket and own financial security. In his CBS interview, Admiral McConnell said that people's first question about cyber crime in the banking industry is if their money could be stolen from their account. These same questions are now being asked about smart meters and the utility industry.

Tackling Smart Grid Security?

How do we address new security concerns amid utility system overhaul and paradigm shift in process by which electricity and information flows from generation to end-user and back? With advanced planning, as in banking, it must be addressed by building security into every level of technology throughout the Advanced Metering Infrastructure (AMI) "stack." Anything less will result in weak links that, ultimately, will be exposed and exploited.

AMI Stack



CIS: Customer Information System; OMS: Outage Management System; DRS: Demand Response System; GIS: Geographic Information System; AMS: Asset Management System; DCU: Data Concentration unit

"Built In" versus "Bolted On"

According to IOActive, a security consultancy, "Studies show that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development cycle, as opposed to projects where security is implemented in the design phase."

Once it is understood and accepted that security controls must be built in from the design phase, the next question is: Where should they reside? The answer is everywhere. When you break down the AMI Stack into its different layers, the problem becomes much more manageable. With the AMI Stack diagram, you can begin to dissect the different components of AMI, from the meter itself, to the communications network, to the meter data management system (MDMS), and to the mission-critical billings applications. Security controls need to be approached holistically and be designed within and across these layers one by one.

As your journey into the world of AMI security begins, here are several questions for you to consider:

  • Do you manage encryption from an enterprise-wide perspective?

  • What access controls do you employ?
  • How will consumers authenticate themselves to the new portals?
  • How do you protect meter data as it flows through the network and once it is stored in the data center?
  • How will you manage thousands to millions of new network-connected devices in a secure manner?
  • What existing enterprise cyber security investments can you leverage across the emerging Smart Grid information infrastructure?
  • These questions, among others, are already being asked by the North American Electric Reliability Corporation (NERC). The more the public is sensitive to and understands these issues, the more they'll begin to demand that action be taken.

    "What I'm worried about is, because of so many competing priorities, and so many issues that we have to deal with, we will not get focused on this problem until we have some catastrophic event," Admiral McConnell said.

    Now is the time to act.

    Related Topics

    Comments

    Your graphic is missing a point of interaction -- customers directly to and from the meters.

    "could make the nation's power network potentially more vulnerable" in the news article gets translated immediately into "this looming crisis" in your article's next sentence?

    If there is a microcontroller or computer involved, then malicious code may have been inserted.

    Google 'nojeh nsa lawsuit' for one of the more visible examples.

    For a good chunk of my life I don't even recall a reason to use the word "security." (I do recall having to get something new called a social "security" card to get a 25 cents/hour job.) No school I ever attended had what is called "security" today. I never saw a policeman at any school or high school function for the purpose of security nor on duty at a library or local public building.

    When I visited Washington DC one could walk into the Capitol as easily as walking into a Walmart.today.

    Airplane tickets were almost as negotiable (with no identification) as greenbacks during many years I traveled on business. (When I worked a thousand miles up the Amazon (about1955) Brazilian inflation was so bad that Brazilians would buy American airplane tickets to hold in lieu of depreciating cruzero.) One didn't even have to give one's name to a policeman or airline without cause.

    All this time it was possible to make bombs about as well as we can be them today.

    Now our lives are designed to cope with the will of the criminals. We all have to dance to their tune.

    A security system that is 99.99% effective is not very effective. But criminals with a probability of success of 0.01% are effective.

    Briefly, and locally, as the US was being settled men were hanged for stealing horses. Horse "security" was not possible under most conditions of that time and horse thieft was intolerable, as society could not function.

    As a judge explained, questioned for sentencing a killer to 5 years and a horse thief to be hanged: I've known men who needed shooting but I never knew a horse that needed stealing.

    The price in time and money and lost economic productivity for security today makes Cyber criminals our horse thieves.

    I second Don's discussion above entirely. I would also add that voters are very poor at estimating risk, a fact which political campaign managers in the US have known for about thirty years now.

    The Moscow subway bombings demonstrate that "Security" cannot win and determined terrorism cannot lose. The lives of millions of people have been to some degree forever degraded. The Islamic terrorists have won a monumental victory at no cost. Yes, no cost - in fact a profit, martyrdom. We, on the other hand, without a martyr, are outraged and will "increase security" around the world whether the terrorists plan more subway atrocities or not. That'll show them! They must be having a ball watching our fatuous scramble.