Securing the Smart Grid: Next Generation Power Grid Security


Posted on by Ben Rothke

Smart grid is one of the hottest topics and to a degree fad, in the energy sector.  Security is and always has been a most important topic.  The challenge then is integrating security into smart grid.

In Securing the Smart Grid: Next Generation Power Grid Security, authors Tony Flick and Justin Morehouse provide a comprehensive and first-rate overview of smart grid technology and what is needed to ensure that it is developed and deployed in a secure and safe manner 

An issue is that smart grid has significant amount of hype around it, including the promise that it will make energy more affordable, effective and green.  With that, promises around security and privacy are often hard to obtain. 

While the books notes early on that there is no singular definition of what defines smart grid, a generally accepted definition is that it is a “network of technologies providing real-time two-way communication that delivering electricity from utilities to consumers”.  Most importantly, it is crucial to understand that the smart grid is an evolving environment, not a single entity or technology. 

As important as the smart grid and security is, roughly 80% of Americans claim to know little or nothing about the smart grid, while 76% lack knowledge or understanding of smart meters, according to results of the latest Market Strategies International E2 Study.  From a security perspective, securing the smart grid is a complex endeavor.  When you combined this with a public that is oblivious to the security and privacy issues, it gets worrisome quite fast. 

The books 14 chapters provide a good overview of the various aspects of smart grid, energy and utility transmission, security, privacy attack vectors and more. The book offers a good balance of the topics, in a very readable format. 

In chapter 1, the authors note that a smart grid is not a single device, application, system network, or even idea.  And that there is no single authoritative definition for what a smart grid is.  With that, the initial chapter sets and defines the various aspects to smart grid. 

Chapter 2 provides an overview of the threats and impacts of smart metering at the consumer level.  A large part of smart grid technologies is advanced metering infrastructure (AMI), which is a set of systems that measure, collect and analyze energy usage, and interact with advanced devices such as electricity meters, gas meters, heat meters, and water meters, through various communication media.  Once smart grid is ubiquitous, AMI will be a hacker’s platform of choice.

With all those benefits of AMI come security and privacy issues, and those open the metering infrastructure to smart thieves, stalkers, and a broad range of other threats and attacks.  AMI also opens up a new set of privacy issues in that the AMI devices will be collecting significant amounts of personal energy data, which may or may not be transmitted over a secure channel. 

Unfortunately, leaving security to vendors of home-based products has traditionally not been met with much success.  Let’s hope the smart grid vendors learn from the security debacles of the past and build effective and strong security into their products.

Chapter 4 notes that smart grid security is a matter of national security and that the US government is playing a large role in directing the effort.  Numerous groups have efforts in place to secure smart grids, including DOE, FERC, DoC, DHS and more. 

An important group working on this is the NIST Cyber Security Working Group (CSWG).  The primary goal of the CSWG is to develop an overall cyber security strategy for the smart grid that includes a risk mitigation strategy to ensure interoperability of solutions across different domains/components of the infrastructure. This strategy addresses prevention, detection, response, and recovery. 

The CSWG recently created NISTIR 7628 - Guidelines for Smart Grid Cyber Security, which complement everything detailed in this book.  It also has the added benefit of being free.  At 577 pages, it is also much more comprehensive. 

Chapter 11 is especially fascinating, which deals with the topic of social networks and smart grid.  While smart grid can leverage the power of social networking, it is inevitable that people will start tweeting about their energy usage.  While that energy data may seem like an innocuous tweet, that information can be used to determine if the people are at home, on vacation, using specific appliances, etc. 

For example, the Lyceum is the oldest building on the University of Mississippi campus.  The Lyceum also has a twitter feed about its energy usage.  While this is more informational, when individuals start sharing their energy usage, without effective social media controls, the security outcome is quite predictable.  With that level of information disclosure, it is quite easy to determine if a family is home, not home, sleeping, entertaining guests, etc. 

As to users who in the future will integrate tweets and other energy data into their social networking, the chapter illustrates how much of a security risk this can pose by detailing vampire energy cost estimates for over 75 different types of electronic products.  Attackers can use the energy data and extrapolate what products are in use, when, and more. 

The chapter concludes with a smart grid social networking security checklist. The smart grid social networking security checklist contains five categories for implementing basic security controls, name around: identity, authentication, information sharing, networking and usage. 

The book also includes a number of sidebar Epic Fail stories, which detail major failures and catastrophes in various energy topics. 

Overall, Securing the Smart Grid: Next Generation Power Grid Security provides an excellent overview on the state of smart grid technology and its related security, privacy and regulatory issues.  The book provides an excellent introduction for anyone looking to understand what smart grid is all about, and its security and privacy issues.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs