This is the second in a series of blogs on the topic of smart grid security issues and how to overcome them. In the previous post, we discussed some cyber security myths, and gave a brief history of attacks against industrial control systems.
Smart grid benefits worth fighting for
The smart grid promises to create a utility grid that is far more efficient, by taking some of the guesswork out of energy production relative to demand. It will improve reliability by collecting energy consumption data from smart devices, like smart meters, and providing that data to the utility in real-time.
Using this information, the utility can properly balance and anticipate load across the grid to avoid outages and ensure uptime. Utility providers can also provide their customers with real-time information, such as the cost of energy at a given time, enabling new pricing models based on demand.
By helping consumers use less energy, the smart grid can help to reduce CO2 emissions and other harmful pollutants. A smart grid means utilities only need to bring power plants on line when necessary, as production levels are based on real-time demand. The smart grid also enables greater integration of alternative energy sources, like solar and wind, into the generation ecosystem.
Smart grids can also be self-healing with systems constantly monitoring conditions and running simulations to quickly anticipate issues and perform actions to mitigate problems in a matter of seconds. This could be as simple as triggering breakers to isolate an issue and balancing energy production across other generators, but doing so in a way that avoids physical damage to infrastructure. With these types of tools the smart grid is also empowered to priorities critical functions like streetlights and hospitals during major disasters.
The future of smart grids
The benefits of the smart grid are numerous, and one could argue that smart grids will be essential to the sustainability of a modern society. In fact, according to some power retailers, energy costs could increase as much as 400% in western countries that fail to deploy smart grids.
With so much at stake it should come as no surprise that smart grid deployments are accelerating, with over 13.3 million meters forecast to be shipped and $2.7 Billion invested as part of smart grid projects in the United States in 2016 alone.
Unfortunately, smart grid security issues are equally numerous, and the smart grid threatens to dramatically expand the threat landscape. With so much at stake, security failures could put one of our core utilities in peril.
Three smart grid security issues to overcome
We can sort potential smart grid cyber attacks into three primary categories based on the target of the attack—attacks against a device (such as a smart meter), attacks against the masters (device manufactures for example), and attacks against the communication between devices and masters.
Attack the device
To a potential attacker, a device presents an interesting target for several reasons. First, many of the devices will have an inherent value by the simple nature of their function. A smart meter collects energy usage data that could prove to be valuable to people seeking to do us harm. A burglar, for example, could use this information to establish when a homeowner was likely to be away based on a pattern of energy usage that decreases during certain times of the day.
Some smart grid deployments marry smart meters to other devices in the home to allow for more granular control over energy usage. This could be as simple as allowing a utility to make slight adjustments to air-conditioning in a home to help prevent a blackout. Unfortunately, this same mechanism could be used by hackers for less than noble purposes.
Finally, devices have a value based on what is entrusted to those devices. The smart grid trusts data from the connected meters to be true and accurate. Hackers could manipulate a single meter to reduce an energy bill or in an attempt to hide more nefarious activity, like the manufacture of narcotics.
Attack the communications
A common method of attack involves monitoring and altering messages as they are communicated. The volume and sensitivity of data traversing the smart grid environment makes these types of attacks especially dangerous, as messages and data could be intercepted, captured, or manipulated while in transit. All of these threats jeopardize the trust in the information and data being transmitted, and the ultimate confidence in the overall infrastructure.
For instance, information regarding the energy consumption from your home or business to your utility provider opens itself up to a number of threats. A few examples include the following—a hacker could track your energy usage to see when you had downtime or uptime at your home or business in order to plan an attack on your property; a hacker could manipulate the data being transmitted to the utility company and alter the information.
Attack the ecosystem
A skilled attacker will attempt to target the organizations at the heart of the smart grid as a successful attack against one of these links in the chain has the potential to do the most harm – or be the most lucrative. These targets could be device manufacturers, solution providers, network operators, generation plants, and the utilities themselves.
These organizations are trusted to collect and analyze sensitive data which attackers will target for theft. They are the target of attacks designed to disrupt the delivery of a utility, and will be the first point of attack for malware and cyber-weapons similar to Stuxnet.
Smart grid security goals
Security in the smart grid can be summarized into to several core goals: availability, integrity, confidentiality and accountability.
- Availability: Ensuring timely and reliable access to and use of information is an essential component of the smart grid. Without actionable, real-time, and reliable access to data, the benefits of the smart grid simply cannot be realized. How data is collected, distilled, and shared is highly important, and security solutions must support these aims by avoiding negative effects on availability.
- Integrity: The smart grid depends on reliable and accurate data. To prevent fraud and other more harmful attacks measures must be taken to ensure that data is accurate and free from manipulation.
- Confidentiality: The smart grid generates huge volumes of data which must be collected, stored, and analyzed. Some of this data will include sensitive details about consumers and the utilities themselves. Steps must be taken to prevent unauthorized disclosure of sensitive information.
- Accountability: Accountability is the idea that users of a system should be responsible for the actions they perform. This means that user interactions with sensitive systems should be logged and associated with a specific user. These logs should be difficult to forge, and have strong integrity protection.
The smart grid ecosystem is inherently complex, which poses some significant security challenges. Software providers, meter and device manufactures, generation plants, energy markets, and the networks they operate on all come into play when discussing security. Therefore every link in the chain must be held accountable to this same set of core security objectives.
Want to learn more? Check out our on demand webinar, Building the Trusted Smart Grid: Threats, Challenges, and Compliance! Plus, don’t forget to check out the first blog post in this series, covering smart grid myths as well as the key smart grid security breaches in modern history.