Securing the smart grid no small task
The Stuxnet virus made it clear just how vulnerable networked infrastructure is to attack. But plugging potential security holes in the smart grid is a multifaceted affair.
SAN FRANCISCO--The road to a secure smart grid is still being built. Can it be finished in time to keep next-generation threats at bay?
That question was left largely unanswered during a panel discussion on "securing the smart grid" at the RSA security conference taking place here this week.
The smart grid promises to bring a number of benefits to both consumers and utilities in the coming years--things like intelligent off-peak appliance use; real-time metering; and customer education on efficiency and conservation. But bringing that kind of experience to fruition is still a work in progress, with some of the blame being placed on utility companies for not being agile enough when it comes to security, interconnectivity, and the like.
According to specialists, the problem is (and continues to be) huge fragmentation among the power companies, something that on its own is issue enough, but as the panelists lamented, the same problem threatens the technologies these companies plan to roll out.
"In my experience, utility companies are very siloed," said Mike Echols, the program manager for critical-infrastructure protection at the Salt River Project in Arizona. "Each of those silos has its own IT groups, and there's a reason for that. They don't want to converge because in typical IT that's considered a risk."
In the electricity industry that risk has become more apparent after what happened last year with Stuxnet, the computer virus that targeted homogenized industrial systems and represents the first in a wave of expected attacks aimed at infrastructure. As the grid gets more intertwined with consumer electronics and home area networks, the likelihood of a wider range of targets is expected to increase.
So what would it take to make utilities less fractured from an IT perspective? Echols suggested that IT security be put higher on the ladder of the corporate structure of these utility companies, so that important decisions trickled down into the subgroups. "Cybersecurity tends not to be in a leadership position," he said, while noting that this is beginning to change with increased compliance, which is driving changes in the power industry.
Another big issue, as noted by panelist Gib Sorebo, chief cybersecurity technologist for SAIC, is that outside security companies looking to do business with the utilities first need to gain a deep understanding of power companies before trying to tackle security challenges.
"We have to know how important it is for us to understand how everyone does their jobs, what the concerns are, and what the potential impact is depending upon what kind of events take place--and to show that communication," Sorebo said. "You see that same kind of thing happening in banking."
One question that lingers is whether a system that's simply more secure will be able to handle evolving threats. Heath Thompson, the CTO at Landis & Gyr, said the industry hadn't come to grips with that yet but that there were the beginnings of a foundation for stronger security across the entire ecosystem. To attack new threats head on, however, the systems need to be readily adjustable with things like upgradeable firmware and infrastructure.
Ultimately though, making the grid too connected from a technology perspective could do just as much harm as good, which is why the right safeguards have to be put in place. "The smart grid can do a lot of wonderful things in terms of automation and finding events quickly," Sorebo said. "But it can also automate disaster, and that's something that more and more people obviously need to focus on."