Security has become an ever greater concern as smart grid technologies gain research and development funding and gradually get deployed. The broad outlines of the smart grid, the electronic knitting that will link together power assets from the core of the network into homes and businesses, suggest how massive the potential risks are.
Tony Flick, the author of Securing the Smart Grid, takes a realistic view of the threats. The folks trying to protect the smart grid, Flick points out, must cover all possible vulnerabilities; the people launching attacks only need to find one entry point. It's not impossible to operate a safe grid. It just will take work. The question is whether the motivation is there. Says Flick, in this Q&A at Help Net Security:
"An effective security program could mitigate most of the risk associated with a digital electric grid. The real question is whether every utility company and technology vendor involved with a smart grid will allocate the necessary resources to implement an effective security program."
The possible ramifications of failed smart grid security are serious, and scary. That fear is the theme of this story at The Energy Collective describing a GridWeek panel discussion in September. The panelists were asked to identify their two greatest fears. The two that the writer outlined were lack of expertise (knowledgeable folks are retiring at a fast rate) and security.
The panelists' fear was no doubt exacerbated by the Stuxnet worm, which took aim at Supervisory Control and Data Acquisition (SCADA) systems. These, according to the story, "monitor and control generation, transmission, and distribution operations in electric utilities." The story says that most organizations working in the energy sector understand the importance of open standards. The National Institute of Standards and Technology (NIST) has led the way.
Stuxnet certainly is a big deal. Here is Andy Bochman on the worm:
"In short, no matter how solid an org's security policies, no matter the level of adherence to defense in depth principles and security best practices, no matter how much security technology was deployed and how up-to-date it was kept, it is very likely that Stuxnet would have found a way in."
It is an exaggeration, but perhaps not too much of one, to say that the cyber threats to date are child's play compared to what will happen once the Internet is deeply entwined with the nation's power infrastructure. We are well on the way to that entanglement. Hopefully, the industry will react appropriately to the dangers.