Who Can Americans Rely on to Protect the Smart Grid?
September 14, 2015 • Blog Post • By Quartz Creative
Trillion-dollar commercial opportunities will attract hackers, too. Whose job is energy security?
While marketers are imagining thousands of new "smart home" products that will make use of the smart grid, hackers are already losing count of the security holes. Deploying new grid infrastructure with IT capabilities promises to generate up to $2 trillion in business opportunities, bringing just as many opportunities for malfeasance.
Since 2011, there have been more than 300 attacks on physical power stations in the U.S. While expensive to repair, these attacks arent far-reaching enough to cause outages. Software attacks, while still rare, promise to have larger-scale impact for pranksters and terrorists. Demonstrations at security conferences have shown that just one infected smart meter could shut off power to 15,000 homes within a single day.
Because a smart grid isnt protected by a single firewall, every single device that connects to its network is a possible entry point for malware. Energy companies were early adopters of Big Data analytics so theyre no strangers to IT security, but when the influx of new smart grid devices occurs, the security protocols that underlie legacy software and hardware will seem woefully inadequate.
The sudden vulnerability of the energy grid has everything to do with context. Today, grid sites are weakly secured because they offer little potential for vandals. Without software, damaging this equipment is limited mostly to the site itself.
On a smart grid, every piece of physical infrastructure has a "brain", which makes it vulnerable to a proximity-based hack. The same is true for substations, poles, meters and all the other gray boxes that adorn the closets in our homes and offices. In a tempest attack, a hacker might use physical proximity to measure electromagnetic radiation coming off a nearby CPU, extracting data that can later be analyzed and decoded. A "syringe" attack is so-called because the perpetrator sinks a probe into the wire trace of a circuit board in order to steal information.
Because smart grid devices provide a constant flow of information to and from the grid, they could also act as spying eyes once infected by a worm. That, in turn, might allow hackers to monitor and adjust their attack on the fly as automated security systems and human operators attempt to shut down compromised nodes.
Digitization is testing our electronic voting systems, ATMs, telecom networks and enterprises, too. In the U.S., several organizations are working on what to do about smart grid security. NIST's Cyber Security Working Group is writing best practices, to be deployed by the North American Electricity Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC). More recently, the State of California Energy Commission wrote its own threat in the so-called PIER report.
All of these documents list pages of vulnerabilities without specific solutions. Thats because so many of smart grids vulnerabilities are owed to side-channel attacks like the ones described above, perpetrated on far-flung utility equipment. In developing countries like India and China, similar problems are rooted in line loss and electricity theft. Until on-site security improves - perhaps through the use of drones - software will remain the only line of defense between a grids new IT brains and the malware that seeks to brainwash it.