The "Smarter" the Smart Grid, the Greater Potential for Security Issues

Cyber Security Solutions Must Be at the Development Stage Rather Than a Retrofit

Smart Grid Cyber Security Drivers                   

Sometimes called the world’s largest interconnected machine, the electric power system is the most capital-intensive infrastructure in North America. The system is undergoing tremendous change that will unfold over a number of years. As the grid is modernized, it will become highly automated, leverage information technology more fully, and become more capable in managing energy from a variety of distributed sources. However, in this process of becoming increasingly “smarter,” the grid will expand to contain more interconnections that may become portals for intrusions, error-caused disruptions, malicious attacks, and other threats.

The convergence of the information and communication infrastructure with the electric power grid introduces new security and privacy-related challenges. The introduction of these technologies to the electric sector also presents opportunities to increase the reliability of the power system, to make it more capable and more resilient to withstand attacks, equipment failures, human errors, natural disasters, and other threats. These greatly improved monitoring and control capabilities must include cyber security solutions in the development process rather than as a retrofit.

Potential cyber security issues to the smart grid are numerous. The "Smart Grid Cyber Security Drivers" chart outlines certain drivers to increased attack surface and increased risk to operations.
Included in the potential cyber security issues to the smart grid are:

• Increasing complexity that could introduce vulnerabilities and increase exposure to potential attackers.
• Without proper planning, a natural- or man-made event could disable the communications infrastructure, rendering the smart grid ineffective at coping with an emergency situation;
• A cyber intruder could compromise electricity use data and send false information to the utility and either lower or increase the billing, depending upon the motivation;
• Linked networks can introduce common vulnerabilities;
• Increasing vulnerabilities to communication disruptions and introduction of malicious software that could result in denial of service or compromise the integrity of software and systems;
• Increased number of entry points and paths for potential adversaries to exploit;
• Potential for compromise of data confidentiality, including the breach of customer privacy; and
• Compromise of the automated device/service control functionality of the Smart Grid devices, in such a way that significantly disrupts, impairs, or destroys the self-sensing and monitoring, self-adaptive, self-healing electricity generation, transmission, and distribution infrastructure.

The first and possibly most important recommendation for “securing the smart grid” is in the mindset - cyber security must be viewed as a critical element of the Smart Grid deployment. It is then important to apply a “defense in depth” concept isolating and segregating systems and applications, and then allow selected connectivity. These concepts are best accomplished at the foundational/design level. Once the mindset and strategy is set, it is crucial to keep in mind the “you can’t manage what you can’t measure” philosophy, and establish a security management system.

You are not alone. Remember to involve your vendors and interconnected partners throughout the process, and embed into your corporate governance systems. And finally, you never want to commit to a project without developing and tracking a business case. It is important to do this on a project by project basis and as an integrated system. This will be life-saving when it comes to evaluating and repeating the process.

For the full “Securing the Smart Grid” presentation, and more information on cyber security practices and solutions, contact Trisha Breckenridge at tbreckenridge@corprisk.net.