The grid's flow of data is supposed to improve energy delivery but must be protected from hackers' prying eyes. Unlike the traditional power grid, a "smart" grid is designed to accommodate a two-way flow of both electricity and data. This creates great promise, including lower energy prices, increased use of renewable resources and, it is hoped, fewer brownouts and blackouts. But a smart grid also poses several potential security problems—networked meter data, power companies' computers and those of customers could all be vulnerable to tampering.
A smart grid adds a layer of cybersecurity complexity to challenges that already existed with the traditional grid. In the past, a lot of cybersecurity efforts have focused on securing the bulk transmission system—from the utility company's generating plants to its substations—because those locations are where the worst-case scenario could happen: a large regional blackout, says Don Von Dollen, a program manager at the Electric Power Research Institute (EPRI), a Calif.-based non-profit research center. The bulk transmission system remains the top security priority, but with the dawn of the smart grid, power companies now have to think more about protecting the network connections they have with individual customers' homes, he adds.
If a customer has a home area network (HAN) that links computers, appliances and other electric appliances back to the power company for real-time monitoring, the company needs to make sure the network connection to that home is secure, "so as a prank the kid next door can't turn [the customers'] lights on and off," says Von Dollen, who coordinates EPRI's smart grid activities with the U.S. National Institute of Standards and Technology (NIST), the Department of Energy and other federal agencies.
Computer hackers who tamper with smart meters could do damage that spreads far beyond a few homes. At a Black Hat technical security conference (pdf) last year, Mike Davis, a senior consultant with Seattle computer security firm IOActive, used simulations to show how one smart-meter worm could infect a community and potentially shut off power to 15,000 homes within 24 hours.
NIST steps in with recommendations but few answers
With such scenarios in mind, NIST's Smart Grid Interoperability Panel–Cyber Security Working Group (SGIP–CSWG) in February released the second draft of its Smart Grid Cyber Security Strategy and Requirements, a 305-page document the agency expects to issue formally by July. It identifies potential vulnerabilities and outlines "recommended requirements" that the North American Electricity Reliability Corporation (NERC) can choose to add to its critical infrastructure protection standards. These measures to protect the grid from cyber-tampering would be enforced by the Federal Energy Regulatory Commission (FERC).
Scientific American
