The development of smart grid technology seems to hold multiple benefits, ranging from more efficient power usage to lower utility costs. But as the U.S. and other countries ramp up adoption of the technology, which aims to intelligently connect electrical utilities and consumers via the Internet and other technology, many see looming danger.
The interconnected nature of the grid could make it far more vulnerable to attacks. An example of the type of threat that critical infrastructure sectors could face occurred last year with the discovery of the Stuxnet worm. Highly sophisticated and able to manipulate certain industrial control systems made by Siemens, the worm has infected more than 44,000 systems worldwide, according to a recent Symantec report. One of the biggest concerns is that others might use Stuxnet-like programs for similar attacks, said William Hunteman, senior advisor for cybersecurity at the U.S. Department of Energy, when he spoke as one of a panel on cyber threats and infrastructure at a recent Washington, D.C., conference.
Another reason that utilities are pursuing a means to better grid security is that utilities must submit security plans to obtain federal funds allocated for smart grid development. There is currently little security standardization across the large, diverse utility industry. But there are common steps utility companies can take now.
The most important near-term step for utilities is to conduct a security assessment and develop a smart-grid security framework, says Usman Sindhu, a Forrester Research analyst.
To do that, utilities can take advantage of a growing number of consulting and other services that specialize in security assessments and penetration tests for utilities and smart grids. Utilities should also seek outside expertise in security “baselines” across infrastructure and systems, according to Sindhu, as the benchmarks can prove highly valuable over time.
Another important component to improved grid security is better collaboration between physical and IT security experts. That’s the most important issue identified in a Pike Research report on smart grid security. On some occasions, such professionals collaborate well together, but more commonly they “do not understand each other,” the report found.
After security assessments, companies may want to install traditional IT security products such as antivirus solutions, firewalls, or intrusion prevention systems, says Sindhu. They can also research a rapidly growing array of solutions meant especially for utilities and smart grid technology. But Sindhu and other experts emphasize that companies should be careful in deploying such solutions, which lack widespread standardization and are often relatively untested.
Utilities should work with potential vendors to ensure that proper security testing is conducted, according to Sindhu. In addition to penetration and other tests, vendors should test how newer products would work with legacy systems in utility infrastructures, he says. It could also be advisable to test newer products’ source code and to require vendors to demonstrate any product’s compliance with existing or emerging standards.
At the infrastructure panel, a few speakers stressed the importance of greater standardization and interoperability of smart grid security solutions. Others stressed the need to strengthen existing security policies, including those governing access control and administrative privileges.