December 17, 2010

Smart Grid Security Overview

A “smart grid” refers to the traditional electric power grid updated with modern information technology equipment and know-how. It comprises digitized devices and the industrial facilities in the energy sector that such devices help operate: electrical plants and substations, utility towers, relays, transformers, nuclear power plants, and oil refineries.

A smart grid pertains to all the facets of the power grid—generation at power plants, distribution and transmission along electrical lines, and delivery and consumption at the customer homes or businesses of a utility. It features intelligent monitoring of the status and amounts of the electricity flowing throughout the grid. A smart grid employs such devices as sensors, programmable logic controllers, field controllers, distributed control systems, emission controls, intelligent electronic devices, and remote terminal units.

For the consumer, a smart grid typically means a two-way digital interaction between the utility and the customer’s home and home appliances, much like the interaction with an Internet provider. Usually this includes smart meters that allow quick and precise measuring and information sharing about the power and electrical supply. This digitized interaction is supposed to allow easy, real-time adjustment of power, heating, and cooling devices, and appliances. It also raises privacy concerns, as smart meters and other tools could provide a utility, or a malicious observer, with access to much more personal and financial data on a consumer.

A smart grid has various purposes: increase the reliability of power supplies, reduce waste of energy, cut costs, enhance consumer choice and flexibility, and permit the merging into the traditional power grid of alternative energy sources. Smart grids can continuously monitor crucial system components and keep track of energy use. They are supposed to diagnose, and to respond flexibly and precisely to, surges in power demand and other grid variables.

Regional and local utilities manage the U.S. electrical grid. The grid’s thousands of miles of transmission lines, substations, and power generation facilities make up three distinct operating networks in the Western and Eastern states, and in Texas.

Due to growing energy and environmental concerns, smart grids have become a subject of growing interest. The financial resources being invested in them are substantial. A year ago, the size of the U.S. smart grid market was about $21 billion. By 2014, it is estimated it will grow to $43 billion. World-wide, the smart grid market in 2009 was $69 billion. By 2014, fueled by large expenditures in East Asia, it should reach about $170 billion. In the U.S., a chunk of the federal stimulus spending in 2009-10, some $3.4 billion, was directed to investment in, and modernization of, smart grids.

The cyber security market for smart grids is also growing fast, by about one-third a year. It is thought security-related expenditures on smart grids will reach $4 billion annually by 2013. Major corporate players in this field include General Electric, IBM, Lockheed, and Raytheon in the U.S., and Toshiba and Kyocera overseas.

Cyber security in infrastructure is also a growing concern, because smart grids have many vulnerabilities. Richard A. Clarke, the former federal National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, has stated that a cyber attack aimed at energy infrastructure “could disable trains all over the country and it could blow up pipelines. It could cause blackouts and damage electrical power grids…It could wipe out and confuse financial records… It could do things like disrupt traffic in urban areas by knocking out control computers. It could…wipe out medical records.”

An obvious vulnerability is the physical infrastructure of electricity grids. The long stretches of overhead transmission lines could make inviting targets for terrorists. In fact, in recent years, terrorists overseas have launched many attacks against the physical infrastructure of power systems. The placement of lines underground would better protect the lines. At the same time, high construction costs render this option impractical. Video surveillance of transmission lines is expected to play a growing role in protecting these valuable assets.

A growing concern is the threat of cyber attacks on smart electrical grids. This is because smart grids by their very nature are susceptible to hacks and malware. In the past, electrical installations were essentially stand-alone operations separated from the outside world. Today, they are increasingly being hooked up to, and operated by, IT devices connected to the World Wide Web.

The connection to the Internet makes them susceptible to many of the same malicious attacks that regularly occur against computer networks outside the electrical and energy sectors. One example of vulnerability is the intelligent electronic devices that control the circuit breakers in many electrical networks. A hacker could target the sensor and equipment data that such devices receive from computer networks.

A wide range of IT systems and applications in smart grids cries out for better security. Many energy facilities operate old-school mainframe computers running “tried and true” COBOL code that date from before the Internet. When such systems were built, cyber security was not an issue, and was not incorporated into their design architecture. Therefore security features developed with the Internet in mind have not been incorporated into many of these systems.

Modern IT applications in smart grids are often full of security defects. Web apps, such as online billing applications aimed at providing utility customers more convenience and flexibility, may provide hackers with the account and credit card information of the same clients. Remotely hosted services and applications provided by power and utility companies pose similar risks. The IT departments of such organizations may have insufficient knowledge and trained personnel, compared to the IT departments of organizations long accustomed to the Internet, for properly configuring and maintaining the security of server- and client-side databases and software.

Modern applications, and smart grids, thrive on vastly greater amounts of data, which poses its own risks. Smart grids employ devices called “synchrophasors,” which measure and stream voltage and other data many times faster than previous devices, and such data is now “visible” over the Internet. “We’re collecting more data at more parts of the grid, in real time. It becomes more complicated to secure,” noted a NIST security consultant. “If I’m able to see that stream and understand what’s going on,” remarked the consultant, “then I’m able to remotely monitor how my attack is performing… and see in real time how the attack is working, then optimize it.”

Another new device that poses potential risks is a recloser. A recloser is an electrical device, placed in substations or atop electrical poles, that permits the flow of electricity. Facilities are outfitting reclosers with Bluetooth to allow maintenance personnel to manipulate the reclosers from afar. But because security has not been designed into recloser architectures, attackers could use Bluetooth to access and illicitly manipulate the devices.

The two-way digital communications that technologically advanced grids provide between energy suppliers and consumers are another reason for concern. A hacker with a basic knowledge of electronics and a few hundred dollars in hardware could interfere with, and get control over, the smart meters that are essential to managing the two-way interaction. By gaining control over the devices of a large number of consumers, a malicious attack could alter the load balance of a power grid, or shut down power to a large number of users.

The sharp expansion in the installation and use of smart meters underlines this worry. In 2009-2010, the number of smart meters in the U.S. is projected to rise from 14 million to 23 million. In California alone, from 2009 to 2012, the number of smart meters is estimated to rise from about 3 million to close to 10 million.
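As an added example (not code from the original article), a defender-side check for the mass remote-disconnect pattern described above: a sliding-window detector run over constructed meter head-end log lines, which flags any operator account that disconnects more than five distinct meters within a minute. The log format, operator names, meter IDs and thresholds are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample head-end log (not real data); the format is an assumption:
# "<ISO timestamp> <operator> <command> <meter_id>"
SAMPLE_LOG = """\
2010-12-17T08:00:01 ops1 READ M1001
2010-12-17T08:01:10 ops2 DISCONNECT M2001
2010-12-17T08:30:00 ops2 RECONNECT M2001
2010-12-17T09:15:00 svc7 DISCONNECT M3001
2010-12-17T09:15:01 svc7 DISCONNECT M3002
2010-12-17T09:15:01 svc7 DISCONNECT M3003
2010-12-17T09:15:02 svc7 DISCONNECT M3004
2010-12-17T09:15:03 svc7 DISCONNECT M3005
2010-12-17T09:15:03 svc7 DISCONNECT M3006
"""

def parse(log_text):
    """Parse log lines into (timestamp, operator, command, meter) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, operator, command, meter = line.split()
        events.append((datetime.fromisoformat(ts), operator, command, meter))
    return events

def disconnect_bursts(events, window_seconds=60, threshold=5):
    """Alert once per operator whose DISCONNECT commands reach more than
    `threshold` distinct meters inside a sliding window of `window_seconds`.
    Routine service work tends to disconnect meters one at a time; a burst
    across many meters is the mass-shutoff pattern that deserves review.
    Returns [(operator, window_start_iso, distinct_meter_count), ...]."""
    recent, alerts, alerted = {}, [], set()
    for ts, operator, command, meter in sorted(events):
        if command != "DISCONNECT":
            continue
        q = recent.setdefault(operator, deque())
        q.append((ts, meter))
        # Drop entries that have aged out of the window.
        while ts - q[0][0] > timedelta(seconds=window_seconds):
            q.popleft()
        meters = {m for _, m in q}
        if len(meters) > threshold and operator not in alerted:
            alerts.append((operator, q[0][0].isoformat(), len(meters)))
            alerted.add(operator)
    return alerts

if __name__ == "__main__":
    for operator, start, count in disconnect_bursts(parse(SAMPLE_LOG)):
        print(f"ALERT {operator}: {count} meters disconnected within 60s of {start}")
```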

Theoretical concerns have become practical realities, as a number of exploits involving smart grids and power complexes have taken place. Although gaining relatively little publicity, cyber attacks have already occurred across the world: on sewage treatment plants, natural gas and petroleum pipelines, nuclear power plants, hydroelectric power facilities, and electricity transmission infrastructure.

In 2009, the Wall Street Journal reported that cyber spies from China, Russia, and other nations had used the Internet to map electrical grids in the United States. Moreover, they had left behind software apps on the grids that could be activated later to disrupt parts of the electrical infrastructure. In 2008, the CIA reported, hackers disrupted the power systems of multiple cities in several, unidentified foreign countries.

A notorious attack occurred in Maroochy, Australia in 2000. Using pilfered radio gear, a disgruntled former employee of a water treatment plant wirelessly hacked into the plant’s supervisory control and data acquisition (SCADA) system. Issuing multiple radio commands, the hacker triggered the release of 800,000 liters of untreated sewage into local rivers and parks.

In 2009, in a simulated attack, technicians from the cyber security firm IOActive, Inc. designed a computer worm that could penetrate and infect interactive, wireless meters that make up part of an extensive smart grid. The worm “spread from one meter to another,” noted an IT consultant, “and then it changed the text in the LCD screen to say ‘pwned’.” Infrastructure security specialist Joe Weiss, formerly a manager with the Electric Power Research Institute, or EPRI, has compiled a database of more than 170 infrastructure cyber incidents.

A wealth of IT security organizations, such as the Computer Emergency Response Team, or CERT, exists. However, there are few organizations that deal with cyber security in electrical and other industrial infrastructure. At the same time, there is a great deal of information readily available on public infrastructure. Terrorists could gain most of the information required to mount an attack on a smart grid from public sources such as industry journals.

“The electric grid is highly dependent on computer-based control systems,” sums up House Committee on Homeland Security chairman Bennie Thompson. “These systems are increasingly connected to open networks such as the internet, exposing them to cyber risks. Any failure of our electric grid, whether intentional or unintentional, would have a significant and potentially devastating impact on our nation.”

The cyber risks that concern observers include many vulnerabilities that lead to inadvertent mishaps unrelated to malicious hackers or malware. A classic example of this was the 1999 explosion of a pipeline in Bellingham, Washington. There the computer monitoring systems failed to detect the buildup of pressure within the fuel line. The resulting explosion killed three, and the ruptured line spilled an ocean of gasoline into nearby creeks, resulting in $45 million of damage. A recent example was the highly publicized disruption of suspected nuclear weapons facilities in Iran via the Stuxnet worm, which was specifically designed to penetrate the Windows operating system that runs the computer systems of the nuclear plants in question.

Many inadvertent problems stem from trying to graft traditional IT security solutions onto infrastructure systems for which such solutions weren’t designed. Penetration testing, a standard tool of white hat hackers, has been known to destroy the firmware or disrupt the control systems of infrastructure facilities. Maintenance of anti-virus software on such facilities has disrupted control devices and triggered denials of service. Installation of software patches has prevented shutting off the pumps of water utilities, while software for other infrastructure cannot be patched while the facilities are in operation. Inadvertent incidents have even forced nuclear power plants to fall back on auxiliary power.

These mishaps result in part from the lack of testing of, and experience with, cyber security tools applied to infrastructure systems. At the same time there is often a “culture gap” between the employees of IT shops and those of electrical and other infrastructure facilities. The two sets of personnel are simply not yet used to working together. Another gap exists among the infrastructure industry, the IT sector, and federal government regulators. While representatives of software and computer manufacturing firms are regularly invited to government conferences on cyber security, leaders from the infrastructure sector are usually an afterthought at best or forgotten at worst.

Fortunately, despite the exploits that have occurred, malicious or inadvertent, the cyber threat to the electrical grid and other infrastructure elements is still at its early stages. This fact hopefully will allow companies and government agencies the time to take countermeasures to minimize the threat. Most of the steps that have been proposed mirror those that have been taken to better secure the IT industry against malicious attack.

An important first step is standards. The North American Electric Reliability Corp., or NERC, is a non-profit organization of industry working groups and utilities that formulate some Critical Infrastructure Protection (CIP) standards. The Federal Energy Regulatory Commission, an independent agency that regulates transmission and transport of electricity and energy commodities, provides oversight for NERC. NERC focuses on ensuring reliability of the power system in the U.S. and Canada. Although the standards are limited, and much else remains to be done, NERC and CIP have served to raise awareness of infrastructure security issues, and have provided the context for an increase in funding to bolster infrastructure cyber security.

The development of effective policy and procedures for infrastructure security is vital. And, as with IT cyber security, risk management will play a key role. Risk management with smart grids has to do with threat assessment, vulnerability detection and identification, risk assessment itself, and drawing up of countermeasures. A realistic assessment of actual risks must be made, with resources apportioned rationally to deal with the risks that are most likely and that could cause the most damage.

As a relatively new field, infrastructure cyber security must begin to embed security into its architecture, as part of the design process. Testing of security applications and of grid components must become more comprehensive and more rigorous. Security software and security threats are evolving continuously, and the test regime must change constantly to keep up.

Testing would be more effective and more credible if the infrastructure sector employed independent testing experts from outside the infrastructure realm. This would be particularly true of the testing of smart meters.

As a new field, infrastructure cyber security would benefit from organizational programs to raise security awareness among employees. A natural part of that would be training programs in security.

Further, the government must strive to bring representatives of the electrical and other infrastructure sectors into its conferences on IT security, along with representatives of the IT industry. And within an organization, management must ensure that the IT and infrastructure operations shops, which often work separately and at cross purposes, collaborate in aligning their functions to bring about better security.

In all of these concerns, the role of upper-level management is key. Management must make security for the electrical grid a priority, and ensure that the various divisions of an enterprise make it their priority as well.
