How Safe is Smart Grid?
A long-term goal of the electric utility sector and the U.S. government is to transform the software, hardware, and communications systems that constitute the electric utility grid in the United States into a smart grid, an interconnected network that will help utilities better manage and monitor the flow of energy resources over a nationwide grid. But many experts say that the smart grid would increase the system’s vulnerability to cyberattacks.
While IT capabilities and technology are not new to the electrical industry, the scope of their use is creating new risks. “As digital configurations and communications capabilities stretch out to more of the infrastructure, that challenge of managing the IT risk is certainly growing,” says Josh Wepman, senior network engineer at Science Applications International Corporation (SAIC).
Particularly worrisome is the control that can be exercised within the two-way smart grid communication network where someone can potentially manipulate power in others’ homes through the smart devices, says Ron Chebra, director of advanced metering infrastructure (AMI) at KEMA.
“[T]hat’s a level of access and control that traditionally we have not had,” says Chebra. Because of that access, security protections are all the more critical, he notes, not only at the traditional location on the utilities’ side but also “at the device end that actually executes that information.”
Computer security company IOActive found that many traditional computer attack methods are viable on smart grid devices, because these devices were made with unsafe coding practices, according to IOActive’s director of services, David Baker.
All the devices that the company tested are already on the market, says Baker. He also reiterates Chebra’s point that although the technology has been around for years, now that it is being combined with the remote communications aspect, accessing the devices is easier. And that translates into more vulnerability.
To address the risk, the National Institute of Standards and Technology’s (NIST) cybersecurity coordination task group is outlining recommendations for smart grid security standards, according to Annabelle Lee, senior cybersecurity strategist for NIST, who heads the task group. At press time, Lee’s group was in the process of identifying smart grid security requirements.
One of the resources NIST has highlighted in its smart grid work is the Advanced Metering Infrastructure security task force (AMI-SEC), which was established two years ago to set security requirements for smart meters, a part of the smart grid. AMI-SEC issued a report of its findings, which “gets into pretty good detail as far as things to consider when vendors are developing smart meters and companies are implementing smart meters,” says Aldo Nevarez, CISSP, senior consultant at KEMA.
Nevarez points out four integral factors that AMI-SEC outlines: confidentiality of data, integrity of maintaining data, availability of data to authorized persons in a timely manner, and nonrepudiation of data (or proof of delivery).
Without these principles, there will be a lack of trust in the systems, says Nevarez.
After the NIST task group compiles what it considers a good set of security recommendations, there will be a testing phase to assess how well those standards would work if implemented, says Lee.
NIST does not have the power to mandate requirements for the private sector, but it is working closely with regulatory authorities, such as the National Association of Regulatory Utility Commissioners and state public utility commissions, says Lee, to ensure that they are involved. Additionally, Lee says that the Federal Energy Regulatory Commission (FERC), which is responsible for adopting NIST’s standards when it deems them sufficient, has the power to mandate requirements for the bulk generation and transmission components of the grid.
FERC Commissioner Suedeen G. Kelly, testifying at a congressional hearing, expressed the view that piecemeal regulatory fixes may not be the best solution. She said that further legislation must be considered if Congress wants to see industrywide compliance with the upcoming standards. There was no related legislation proposed as of press time.