At present, utilities are unable to monitor load or usage in real time beyond the substation level. The smart grid is a digital two-way network that can address this problem. It achieves this by giving operators a real-time picture of energy consumption in much the same way a computer network administrator or Internet Service Provider (ISP) monitors network load, usage, and congestion [1]. This can be accomplished through the use of various ‘smart-devices’ and a smart-meter that can be installed in a consumer's home or office to monitor electricity usage, which can then be relayed back to utility companies in real time. This enables power generation to be monitored and adjusted to meet demand. The strengths and advantages of this concept allow for more efficient electricity distribution and energy savings, but the same connectivity is also the system's greatest vulnerability, as it opens several vectors by which the system can be compromised.
In 2009, security consultant Mike Davis unveiled a simulation of a worm designed to take over smart meters. Over a period of 24 hours, approximately 15,000 out of 22,000 homes were compromised. While there was no demonstration of how a smart-meter could actually be hacked, Davis did highlight the fact that his worm was able to spread because of a fundamental design flaw in a specific meter model, though he declined to name which one. He did point out some of the flaws of this particular meter, particularly that it did not have proper data encryption protocols and was not able to verify that the device it was communicating with was authentic [2, 3]. In his words, ‘The guys that built this meter had a short term view of how it would work’.
The above scenario does highlight one very important fact: not just that smart grids are insecure but that hackers are interested enough to find a way in. That means it is not a question of when they will start doing so but rather how long they have already been at it. The effects of a hacked smart grid are numerous and depend upon intent. The results of a malicious hack can include a collapsed grid or sections of it, damage to a utility's reputation, and possibly loss of human life. There are obviously financial repercussions to all of the above. Thus, without a proper security protocol in place, it becomes easy for even a moderately capable hacker to gain access and, once in, it may be simple to spoof or falsify a signal along a data channel and do harm. Not to put too fine a point on it, this has privacy, financial, industrial espionage, military, and terror implications.
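The missing check described above, verifying that a message really comes from the device it claims to, can be illustrated from the receiving side. This is an added example, not code from the original article or from any meter vendor; the frame layout, key table and the names `seal_reading` and `HeadEnd` are hypothetical, and it covers authenticity and replay only, not encryption.

```python
import hashlib
import hmac
import struct

# Constructed per-meter keys (assumption: each meter is provisioned with its own secret).
METER_KEYS = {1001: b"constructed-key-meter-1001", 1002: b"constructed-key-meter-1002"}

_HDR = struct.Struct(">IQI")  # hypothetical layout: meter_id, counter, reading in Wh
TAG_LEN = hashlib.sha256().digest_size


def seal_reading(meter_id, counter, reading_wh, key):
    """Meter side: append an HMAC-SHA256 tag computed over the whole header."""
    body = _HDR.pack(meter_id, counter, reading_wh)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class HeadEnd:
    """Utility side: accept a frame only if it is authentic and not a replay."""

    def __init__(self, keys):
        self._keys = keys
        self._last_counter = {}  # highest counter accepted so far, per meter

    def accept(self, frame):
        if len(frame) != _HDR.size + TAG_LEN:
            return None  # malformed length
        body, tag = frame[:_HDR.size], frame[_HDR.size:]
        meter_id, counter, reading_wh = _HDR.unpack(body)
        key = self._keys.get(meter_id)
        if key is None:
            return None  # unknown device
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered in transit
        if counter <= self._last_counter.get(meter_id, -1):
            return None  # replayed or out-of-order frame
        # State is updated only after every check passes, so a rejected
        # frame cannot block the genuine one that follows it.
        self._last_counter[meter_id] = counter
        return meter_id, counter, reading_wh
```
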
The smart grid's reliance on digital communication to automate many of its processes, while being its biggest advantage, is also potentially its biggest weakness, as the multiple avenues of communication mean that multiple vectors for attack are opened [1-3]. While the smart grid represents a new way in which devices are networked, the principles upon which they can be compromised are decades old.
To say that smart grids are fundamentally insecure would be an inherently unfair statement. The Energy Independence and Security Act of 2007 provided the US Department of Energy with the responsibility of developing the smart grid program, and security has most assuredly been included as part of that framework. Whether utilities and manufacturers follow these guidelines is another matter, however. There are, in fact, several smart grid designs and implementations in existence that were initiated several years before the Security Act's initiatives. Thus, one must assume that security features on one device may not exist on another or even exist at all. Therefore, while elected officials certainly give lip service and loudly proclaim their good intentions, they completely missed the window of opportunity to truly integrate security from the very beginning by several years. But then, so did the industry. There are presently insecure devices in service, many of which may remain in operation for years before they are discovered and removed or upgraded. As with the Internet and many of the other online industries, any security feature will have to be applied as an ‘add-on’ feature after the smart grid has been implemented.
What is needed is an able central regulatory body capable of defining robust security standards and ensuring that device manufacturers and utilities are in compliance, much like the Internet Engineering Task Force (IETF) and the National Institute of Standards and Technology (NIST) are doing for the Internet. In this way, testing and validation programmes can be developed to ensure compatibility and compliance and at least reduce the probability of a cyber-attack.
There are problems with this. Utilities face new challenges from a new type of network that uses devices with which relatively few people have experience. More specifically, how can these devices be compromised? The experience of securing computer networks already exists and future smart grid administrators can draw upon this existing body of knowledge and experience. Managers may also be reluctant to accept that their network may be vulnerable or may underestimate the risks involved.
Not all attacks will be designed to take down a smart grid or damage component devices but may serve to specifically target the consumer. Through the use of social media, such as Facebook and Twitter, a hacker could acquire a customer's usage data and determine the times they are home, a high-tech means of ‘casing the joint’ [3]. This type of scenario not only hurts innocent consumers, but also damages the reputation and credibility of companies that own and operate smart grids. This can lead to an erosion of consumer confidence. If utilities expect consumers to accept smart grids into their homes and become a part of their lives, they cannot just focus on the energy-saving benefits. Security concerns must be addressed as well.
[1] S. Moyer and N. Keltner, ‘Wardriving the Smart Grid: Practical Approaches to Attacking Utility Packet Radios,’ presented at the Def Con 18, Las Vegas, Nevada, 2010.
[2] M. Davis, ‘SmartGrid Device Security—Adventures in a New Medium,’ presented at the Def Con 17, Las Vegas, Nevada, 2009.
[3] J. Morehouse and T. Flick, ‘Getting Social with the Smart Grid,’ presented at the Def Con 18, Las Vegas, Nevada, 2010.