Securing the smart grid

4 October 2011 (Last Updated October 4th, 2011 18:30)

Smart grids hold the potential to revolutionise power distribution, but going digital opens the grid up to new risks. Chris Lo explores the new connected frontier of energy infrastructure to discover the threat posed by hacking and other cyber attacks.

Securing the smart grid

Smart grids truly represent the next frontier of power distribution. Leveraging modern advances in digital communications, this burgeoning technology holds the potential to revolutionise electricity distribution, metering, efficiency and data monitoring at both local and national levels.

A number of pilot smart grid projects are already up and running around the world. Following the lead of the world's first smart grid system, Telegestore, established by Enel in Italy, other new projects are being set up in the US, Europe, South Korea and elsewhere.

"The European Commission is set to standardise the deployment of smart grids on the continent."

But as the smart grid concept picks up momentum and seeps further into the public consciousness, a significant concern has emerged: if we digitise the electrical grid, are we not also exposing it to the dangers of hacking and cyber terrorism? The Stuxnet attack on Iranian industrial control systems (ICS) in 2010 showed the world just how sophisticated cyber attacks have become, and the possibility of a similar assault on such critical infrastructure as the electrical grid has cast a dark shadow over modern smart grid development.

Prioritising smart grid security

The growing anxiety over the potential vulnerability of a fully connected smart grid system has been reflected in the increasing media coverage of the issue. One recent article in The Economist argued the smart grid "adds a vast layer of hackable points to the network", citing Lockheed Martin's Energy and Cyber Services department, which estimated that these vulnerable points could reach 440 million by 2015.

But as public consternation grows, so too has industry and governmental focus on securing future smart grids from electronic attack. Elster executive vice president Frank Hyldmar, who also led a task force on smart grid security for the European Commission (EC), has noticed the shift.

"[In the past] security was a consideration," he says. "Was it on top of the agenda? Probably not. I have to take you to 2009, when the European Commission set up a task force advising the commission on cyber security on smart grids, and asked that initiative to come up with a recommendation.

"Since then, you've probably seen a lot of articles about cyber security and how the industry is addressing them. We also have the big industry event in Amsterdam, and I see this year cyber security is one of the key issues being addressed at that event. So in the past, cyber security was addressed but it probably wasn't given the highest priority. But that has changed."

Although Hyldmar hasn't come across any major security breaches at existing smart grid projects his work for the EC, the risk is likely to increase as the profile of smart grids increases over the next few years. "I think it's been below the radar, but now the whole smart grid is getting more and more focus, so the concern is that it will get the attention of people who could try to interfere with the system," he says.

The nuts and bolts of cyber security

The main concern about smart grid security lies in attacks at both ends of the scale, from massive, potentially nationally backed attacks on critical infrastructure targets all the way down to normal users trying to tamper with their smart meter at home, which Hyldmar describes as essentially "a small computer".

"The key to smart grid cyber security is securing all points that are exposed to human contact."

"Organised cyber security has seen examples, without going into too much detail, of even countries trying to break into certain parts of the infrastructure," says Hyldmar. "So that is on the very macro level. But then on the micro level, the concern is that I try to get access to my meter data to manipulate my billing. So there's the big scary picture where somebody on a macro level tries to hack into the system to start doing unpleasant things with the grid. You could shut down airports; there would probably be back-up systems, but you could shut down parts that are very critical to the infrastructure."

The key to smart grid cyber security, says Hyldmar, is securing all points that are exposed to human contact and the possibility of tampering or manipulation. He calls these handover points. "Wherever you have a handover point in the grid, you have a potential risk," he says.

"So that starts down in what we call the HAN [home area network] interface in the house. So my meter will have a HAN interface, which speaks to thermostats and so forth. We have to make sure that this interface is secure. And then it goes all the way up through the different handover points into the EIP [Ethernet/IP] system. So our recommendation was always that you have to have security as part of your concept when you set up your smart grid project."

Both in Hyldmar's role for the EC and for Elster, improving smart grid security has also involved learning lessons from the security standards of other industries. "For the EC, we benchmarked up against, first of all, what was available as standards within Europe and the United States, and we looked at other industries. We have been benchmarking against the telecommunications industry and found some similarities. And a lot of the security measures the company I work for, Elster, has introduced are standard in other industries. We have learned a lot, especially from the banking industry," he says.

As well as safeguarding the grid from disruption by external attack, smart grid operators also have a responsibility to protect the personal information of energy customers from being accessed by unauthorised persons.

After detailed EC consultation with consumer groups, the course of action decided upon in Europe is a mixture of aggregation for data that doesn't contain personal information and heavy encryption for any data that does.

"If the data are not aggregated, we make sure the data is encrypted in a way that I have to sit with a key to be able to encrypt that data, ensuring that no one can get access to data that they shouldn't get access to," says Hyldmar. "Those technologies are available today, and they're part of the pilot projects that you will see with British Gas, with the utilities in the Netherlands and so forth."

Building a regulatory framework

As smart grids move closer towards becoming a wide-scale reality across large swathes of the developed world, one of the most important factors in securing them will be to establish a fixed set of standards and regulatory protocols for all operators to follow.

In September 2011 in the US, the Department of Energy published a draft guideline for the management of risk regarding cyber security in the electricity sector, with a heavy emphasis on the new security complexities thrown up by smart grids. The document is currently being subjected to public comment, but ultimately aims to "provide a consistent approach in which to make risk decisions".

Sections of the guide's introduction make clear how seriously the US Government takes the threat of cyber attacks on the grid: "The increasing number of vulnerabilities as well as the interconnectedness of systems could serve as a blueprint for attackers who wish to access controllers, safety systems and physical and cybersecurity systems. This can cause damage to an Electricity Sector organization's assets or individuals, and can even compromise the reliable delivery of electricity."

"Lockheed Martin's Energy and Cyber Services department estimated vulnerable points in the grid could reach 440 million by 2015."

Europe, meanwhile, is taking a more hands-on approach than suggested guidelines for the private sector to follow. Under mandate 490, the European Commission is set to standardise the deployment of smart grids on the continent.

The self-imposed deadline for these standards to be finalised is the end of 2012, and a particular workstream, informed in part by the work of Hyldmar and his task force, is dedicated to setting security standards.

Clearly, neither the establishment of national and international standards nor the investment in state-of-the-art security technology will ensure the perpetual security of the smart grid. The relationship between cyber security and cyber attacker will always be fluid, subject to rapid change as strategies and counters evolve in competition with one another.

But with the body of regulatory work that has already been achieved ahead of smart grid's technology into the mainstream, as well as the private sector investment that will continue to pour into smart grid security, operators have every reason to believe that enough is being done to secure our upgraded electrical grids, at least for the foreseeable future.