As someone who has been knee-deep in Smart Grid security research, collaboration, assessments, and integration projects for the past year, it is sometimes easy to forget that most of the information security community hasn’t had much exposure to this area. Given that we received several submissions for sessions related to Smart Grid security, and it has been getting a fair amount of media coverage, I thought I would offer an introduction.
While definitions of the Smart Grid vary, a definition provided by Secretary of Energy Steven Chu, Ph.D., seems to offer a clear view of what is involved. He defined it as the “`dynamic optimization of grid operations and resources’” with the “`incorporation of demand response and consumer participation.’” Key to the Smart Grid concept is the ability to offer flexibility in how electricity is generated, transmitted, distributed, and consumed. To accomplish this, a variety of sensors and control devices need to be distributed throughout the grid, offering greater visibility and control, both centrally and at various levels. It includes direct involvement from consumers on everything from power use reduction during peak periods to the ability to generate one’s own power for sale onto the grid. Not surprisingly, this increased flexibility can also mean greater complexity that inevitably presents security challenges. Moreover, the direct involvement of millions of consumers in these sophisticated transactions represents a host of potential threats to the reliability of the electrical grid. Without the appropriate controls, individuals may be able to compromise critical utility systems by simply tunneling through meters attached to their homes.
This is the challenge facing cyber security professionals. In some sense, the Smart Grid is like a brand new Internet strung together via various communication media with varying degrees of access. And just like the Internet, it may radically depart from its initial purpose of being simply the utility’s network for controlling its own devices. Instead, it and the current Internet may act as a massive exchange for the buying, selling, and delivery of electricity. If that happens, let us hope that outcome is better planned and implemented in a way that builds in security from the ground up rather than bolting it on at the end. Given our past experiences, we are naturally skeptical, but for the sake of economic and physical well-being, let us also be hopeful.