Smart grid (in)securities

The U.S. is rapidly moving forward on its smart grid initiative. At the White House Grid Modernization event earlier this week, U.S. Department of Energy Secretary Steven Chu touted how smart meters will provide utility companies with greater information about energy flows in their service areas, and give consumers access to timely data about their own power usage.

“To compete in the global economy, we need a modern electricity grid,” said Secretary Chu in a statement. “An upgraded electricity grid will give consumers choices and promote energy savings, increase energy efficiency, and foster the growth of renewable energy resources.”

Also see: “Despite years of talk, utilities remain compromised, vulnerable”

Few doubt the potential benefits. But at what cost to new risks and shenanigans caused by hackers, pranksters, attacks on power distribution by adversarial nation-states or terrorists that wish to unleash havoc on the system? Essentially, as hundreds of millions of smart meters and devices get connected to the power grid, it introduces entirely new risks to the system. “You are increasing the attack surface with every new device connected to the grid,” says Eric Knapp, director of critical infrastructure markets for NitroSecurity.

In the fact sheet, The President’s Plan for a 21st Century Electric Grid, the bullet point referencing security was last on the list — behind cost savings, innovation and consumer benefits.

A fitting metaphor for when security is often taken into consideration.

To keep the grid secured, the administration says it will provide grid operators with actionable threat information, support research and development for enhanced security, and work closely with the private sector to meet security standards.

There’s much work that needs to be done, says one security researcher who has conducted security assessments at a number of utilities. “There is significant potential for problems, but a lot that people can’t talk about it. Everybody’s under gag orders about specific technology and specific utility security issues,” he says, asking not to be named. “The vendors who make these devices are used to operating in relative obsurity, and they’re not used to the scrutiny. It can get advesarial at times.”

Last month, the industry got a taste of that friction between SCADA vendors and security researchers when a SCADA security talk was nixed at the last minute, due to the vendor’s inability to patch the flaw as quickly as expected.

However, as the grid becomes more automated and “intelligent” — the threats will move much more swiftly. “When you move to instrumenting all of the power distribution, you’re now trusting the network protocol to tell you what’s going on. So instead of somebody physically coming out and doing a meter read, the utility is trusting the data that comes back over the network. That changes the landscape from theft of service to now interfering with the monitoring and interfering with the collection of data, and can also open us to to all types of mischeif, including denial-of-service attacks,” the researcher says.

That’s especially true as the power grid continues to look a lot like traditional corporate networks. Which means it will be, for good or bad, secured much in the same way, including intrusion detection systems and security event monitoring. Earlier this week, NitroSecurity released an enhanced version of its NitroView SIEM that monitors both business and SCADA networks. A number of the enhancements, the company says, include additional support for the specific devices, protocols and applications in intelligent distribution and metering, and expanded capabilities to collect and analyze the extreme breadth and volume of Smart Grid data.

“Utilities are going to need to continuously be looking for anomalous behavior,” says Brad Bauch, energy and utilities and power generation principal at advisory firm PricewaterhouseCoopers LLP. “The smart grid is a vulnerability multiplier, and the attack surface expands exponentially as these devices get deployed,” says Knapp. “They’re gaining in complexity, and will require much more monitoring across many additional attack points,” he says.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme