In the September issue, I discussed some of the claims that various organizations working on the smart grid have made in the two years since the Energy Independence and Security Act of 2007 passed. The act contained Title XIII, which has 10 characterizations of a smart grid.
(Note: Part 1 appeared in Security + Life Safety Systems. Find it here.)
It appears that a large number of people of mixed degrees of knowledge on the subject have focused on No. 5 as the weak link in the chain: “(5) Deployment of smart technologies (real-time, automated, interactive technologies that optimize the physical operation of appliances and consumer devices) for metering, communications concerning grid operations and status, and distribution automation.”
I am not sure which is the more troubling of the two camps—the ones making the claims of improved security or the ones making claims of increased vulnerability. Here are a couple samples from the latter side of the debate:
According to a CNET report, “Smart-grid Hackers Could Cause Blackouts,” cyber-security experts said some types of meters can be hacked, as can other points in the smart grid’s communications systems. IOActive, a professional security services firm, determined that an attacker with $500 worth of equipment and materials, and a background in electronics and software engineering, could “take command and control of the [advanced meter infrastructure], allowing for the en masse manipulation of service to homes and businesses.”
According to a Fox News report, “Electrical ‘Smart Grid’ Not Yet Smart Enough to Block Hackers”: “With smart grid, anybody with an eBay account and $80 can go and buy a smart meter, reverse-engineer it and figure out how to attack the grid,” said Josh Pennell, president and CEO of IOActive, who testified before the Department of Homeland Security.
And there are those who are convinced that just about everyone will want to get their hands on the smart meter data. Surprisingly, virtually no one seems to mention one of the primary reasons utilities are putting in smart meters: to be able to charge more based on time-of-use and real-time-pricing.
On the flip side, the National Institute of Standards and Technology (NIST) has announced the initial batch of the 16 interoperability standards that it has tagged to help ensure software and hardware components from different vendors will work together seamlessly, while securing the grid against disruptions. The standards cover applications ranging from advanced metering infrastructure (AMI) and smart grid end-to-end security, to information security for power system control operations, to cyber security standards and guidelines for federal information systems, including those for the bulk power system. There seems to be a lot of attention focused on the security of the information.
A Department of Energy (DOE) report, “A Systems View of the Modern Grid,” highlights the ability for the identification of threats and vulnerabilities and protecting the network. The result would be reduced system vulnerability to physical or cyber attack, with minimal consequences of any disruption, including its extent, duration or economic impact. In addition, security-related improvements would help optimize reliability, communications, computing, decision-making support and self-healing.
Let’s step back and inject in a small dose of reality. The proliferation of PCs and the Internet has already made the world a network with access into just about everyone’s home and business. All you have to do to see that plenty of people with wireless networks are still using them without authentication and encryption is to walk through your neighborhood with your laptop and a wireless card (but please don’t, as it is illegal in some jurisdictions).
But utility information is different. Consider that electric utilities have been using communications to protect the grid for years. Power line carrier, radio and microwave transmissions send signals that contain system protection information back and forth. Other countries have been using “mains signaling frequencies” to change tariffs in billing meters. There is plenty of data being collected by the Supervisory, Control, And Data Acquisition (SCADA) systems at the generation, transmission and distribution levels. And the information about how much a building consumes is on a computer with a network connected as well. It’s called your electric utility bill.
What about the physical security of the grid? Remember the last large-scale blackout in the United States in August 2003? It was contact between transmission lines and a tree that started the cascade of events. Yes, there were other factors involved, such as a generator being out for service, a faulty computer program and some human error thrown in as well. Rather than focusing all this energy on a disgruntled employee or terrorist who will bring down the grid by hacking into my smart meter and turning off my house, how about we pay just a bit more attention to the physical security of the 10,000 generating plants 157,000 miles of high-voltage transmission lines?
BINGHAM, a contributing editor for power quality, can be reached at 732.287.3680.