Risk of smart grid security breaches higher than ever

Utilities, regulators must work together

It's no secret that cyber security is an integral part of the smart grid, but utilities and regulators are continuing to grapple with the best way to fortify themselves against the expanding host of cyber threats.

As the smart grid grows, so does the need for cyber security. Credit: iStock

As the grid continues to expand – the Edison Foundation projects 65 million smart meters will have been deployed in the U.S. by 2015 – so does the need to secure not only the influx of data but also the increased number of intelligent electronic devices (IED) connected to the grid. And while cyber security is not new to the utility industry, the risks of a breach are higher than ever.

"There are all kinds of things that are reachable by external bad guys and internal bad actors," said Andy Bochman, Energy Security Lead at IBM.

Threats can range from malicious hackers to disgruntled employees working within a company, or a simple accident due to misuse of technology. But before utilities can act on an attack, they must first identify the risks.

"One of the biggest challenges is to determine if there is anything that is lying in wait out there to get us," said IEEE senior member Sam Sciacca.

Tackling these security challenges requires a marriage between utilities, regulators and third parties. Utilities can start the process by developing a holistic approach to cyber security.


"One of the biggest challenges is to determine if there is anything that is lying in wait out there to get us." - IEEE's Sam Sciacca

"Take that step back and think about and then plan for the future," said Christopher Behme, an energy and utilities partner for SunGard Global Services. "You may not know 100 percent, but you can still go back and build some of that infrastructure."

Researchers at the National Association of Regulatory Utility Commissioners (NARUC), who in a recent cyber security primer deemed grid integrity to be at a "critical juncture," shared similar advice.

"We and just about everyone else think that a risk-based approach to cyber security is the right way to go," said Miles Keogh, NAURC Director of Grants and Research.

This approach involves first performing a holistic assessment of potential cyber risks within a utility, and then drafting an action plan that prioritizes each security "hole" by focusing on the most immediate weaknesses. Regulators should make sure to communicate with utilities to make sure these sorts of assessments are taking place, Keogh said.

Alongside any in-house assessments, utilities are also bound by North American Electric Reliability Corporation (NERC) compliance standards. NERC provides a plethora of Critical Infrastructure Protection (CIP) standards, which regulate cyber security practices in order to maintain electric grid reliability. Examples of standards include: Sabotage reporting, identifying critical assets, establishing training programs and implementing software to manage security systems.