I have written here several times before about the potential security issues involved in the installation of “smart” electricity meters, and the more general move to add more “intelligence” to the electricity distribution system. Earlier this month, the US Government Accountability Office [GAO] issued a report [PDF] on the current status of security strategy and planning for the smart grid, and it is not entirely reassuring reading. (The ThreatPost blog from Kaspersky Labs also has a summary article on this report.)
The electric utility industry is now heavily involved in planning for, and implementing, smart grid technology. As I’ve noted before, there is much to recommend about moving to a smarter grid. It potentially saves money and energy, by removing the need for meter readers to visit customers’ premises, for example, and it can potentially improve energy efficiency, by facilitating differential rates depending on load. Peak load capacity is expensive to keep available, and typically uses the utility’s least efficient generating capacity. So, for example, if you and other consumers can be persuaded, by means of lower rates, to wash and dry your clothes at off-peak hours, overall efficiency would be improved.
The concern over all this is that it involves building out a new networked infrastructure, which is almost certain to introduce new potential security vulnerabilities, as recognized by legislation.
To address this concern, the Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and Federal Energy Regulatory Commission (FERC) with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards.
The NIST, which was charged with developing the guidelines, issued in August of last year an initial version of them. Though they did a reasonably careful job of addressing purely cyber attacks, they did not examine the possibility of attacks using both physical and cyber means. They now have a plan to issue revised guidelines to address this gap. However, even if the amended guidelines are perfect, they are still only voluntary; Congress did not give the FERC any enforcement authority, just the ability to specify standards and monitor compliance with them. A patchwork of federal and state regulations further complicates the issue.
The GAO report summary contains six high-level conclusions, which I have cited below, along with some comments.
Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity.
In addition to the lack of enforcement mechanisms, and the potential confusion and conflict among different regulators, there is no established mechanism for sharing security information and best practices across the industry.
Utilities are focusing on regulatory compliance instead of comprehensive security.
In an industry like the electric utilities, with a long history of regulation, this should hardly surprise anyone who is conscious.
The electric industry does not have an effective mechanism for sharing information on cybersecurity.
This also should not be a surprise. Cybersecurity is really a new game for the utilities; their past security concerns have mostly revolved, reasonably, around physical assets, such as power plants and transmission lines. They may have some expertise in keeping kooks from blowing up transmission towers with dynamite, but that doesn’t necessarily “scale” to network systems.
The electricity industry does not have metrics for evaluating cybersecurity.
If you don’t really know how to do something, it’s improbable that you know how to measure it correctly.
There is a lack of security features being built into certain smart grid systems.
The track record of technology vendors in general is fairly dismal when it comes to providing adequate security in version 1. (“There’s never time to do it right, but there’s always time to do it over.”) This unfortunate tendency is not likely to be ameliorated by having largely clueless utilities as customers.
Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems.
Perhaps utilities in other areas are better, but in the several places I’ve lived in the US, the electric utilities have generally been dreadful at communicating even basic service (or absence of service) information to their customers. To think that they will provide their customers with security information really is a triumph of hope over experience.
As I said earlier, there are good reasons for the goal of having a smarter electricity grid; but, as we have seen many times, security is hard. I hope that the enthusiasm for the new technology does not get too far ahead of the understanding of how to get it right.