Safeguarding the Smart Grid: Cyber-terrorism Implications
Cyber security of the transmission and distribution grid has been top-of-mind across the board as utilities move to embrace smart grid upgrades to their systems. This article, from the NYSPSC's and NARUC's Garry Brown, addresses the concerns and questions arising from automating the grid, from generation to end user.
In the not too distant future, state and regional electric transmission and distribution grids will be integrated with two-way communications systems and sensors. This technology will enable utilities to optimize grid performance in real time and provide incentives to consumers to reduce energy consumption through demand response. This is the smart grid.
The federal government is playing a key role in stimulating development of the smart grid; and states, including New York, are turning the concept into a reality. However, with the development of the smart grid comes the possibility that international or domestic terrorists, or perhaps unfriendly foreign governments, could maliciously seize control of the electric utility grid, create economic havoc, and threaten life and property.
Although this is arguably a remote risk, state and federal regulators are keen to ensure that the anticipated investments in the smart grid over the next decade -- estimated in billions of dollars -- will not lead to a decrease in transmission and distribution system safety and reliability, and in turn make it easier for hackers, and even terrorists, to do harm.
Potential scenarios detailing such risks have been played out in fantasy, and in real life.
The 2007 movie Live Free or Die Hard had actor Bruce Willis' character John McClain again facing terrorists bent on destruction. In this case, they were domestic terrorists who were able to shut down power on the East Coast and seize control of natural gas pipelines by hacking into a computer. While thrilling, it was only a fictional story.
More terrifying than the movie, however, was a demonstration conducted by the U.S. Department of Homeland Security that same year whereby a 20,000-pound industrial turbine was made to self-destruct as a result of a simulated computer hack -- made more frightening than Willis' epic because it was real.
The Homeland Security test highlighted reasons to be concerned with security for the electric grid. What are we going to do as we move toward a smart grid environment? For example, how can we prevent unauthorized people from buying or otherwise having access to smart grid data? Marketing firms or competitors may wish to know how much energy a consumer is using, or what a customer's pattern of energy use is, or other energy-related information.
Can we be sure that smart grid communications networks won't allow unauthorized access to information between customers on the same network? Customer interfaces, such as through a customer's computer, must also be protected against undetected changes because they are conduits to critical customer equipment and systems. How can we address the vulnerability of customer systems and "gateways" to incoming tampering efforts?
Smart meters will be located in non-secure locations where they can easily be reached by the public. Therefore, physical security or "walls" around the meter are impractical. Because meters are on customer premises, attempts to tamper or vandalize might be unpreventable. Will there be technology to detect such attempts in real time?
How can we move forward in the development of the smart grid without compromising our security requirements? If we wait for security to be built-in, and not added-on, how much will that slow us down? Who will or should be the final arbiter of what security is sufficient security?
I am heartened to say that these issues are well recognized. Regulatory commissioners across the country, including New York, are intently focusing on smart grid security. In the months ahead, regulators will be asking stakeholders tough, pointed questions to help discern the threat, and identify how it could be isolated and minimized.
Cyber security issues are important considerations. The North American Electric Reliability Corporation Critical Infrastructure Protection Standards have specific requirements that electricity producers, system and transmission operators and other system users must meet in order to ensure the security of their systems and infrastructure, and this will likely serve as a model.
Meanwhile, the Control Systems Security Procurement Guidelines, which I am proud to note were started by New York state, will likely be expanded to include some new technologies, including some wireless applications and advanced metering infrastructure.
There are those who might take a Luddite approach and who say the technology is too dangerous, and not worth the risk; but that is not the proper response. The smart grid will be a reality because the efficiencies it will bring are compelling both in terms of cost savings and improving reliability and fuel diversity. Given these facts, we have to ensure that the billions of dollars in investment will be managed soundly, and we must work together to ensure that the smart grid attains its lofty promise.