Information Age: News, analysis & insight for IT & business leaders

The adoption of Smart Grid technologies may expose energy infrastructure to fresh security threats

The security of the UK’s energy grid was back under scrutiny in October 2010 as the government ranked cyber- attacks on national infrastructure as a ‘tier one’ threat in its new security strategy.

Shortly after the strategy was published, Sir Malcolm Rifkind, head of the UK’s Intelligence and Security Committee, described the theoretical possibility of such an attack during a radio interview: “What we’re talking about is terrorists being able to actually use cyber methods, for example, to interrupt the National Grid to prevent proper instructions going to power stations, which are under computer control.”

This renewed interest comes at a time when the information architecture that supports energy infrastructure is being reinvented. A group of technologies, combined under the umbrella term of Smart Grid, promises to give utility suppliers greater insight and control over their infrastructure, from generation through distribution to the point of consumption.

Long discussed in the industry, Smart Grid is now becoming a reality. A study published by Oracle Utilities in October showed that 18% of energy companies have already completed rolling out of Smart Grid technology, while 56% of those that have not plan to do so within the next five years.

What the adoption of Smart Grid means for the security of energy infrastructure is a question that divides opinion.
One view sees the technology as a way to protect infrastructure more effectively: electronic sensors around the grid provide real-time data on the status of infrastructure, meaning that problems can be identified quickly and power flows rerouted to compensate for any disrupted sites.

The opposing argument, however, is that the IT systems required for this intelligence add a soft underbelly that is vulnerable to electronic attacks.

And while Smart Grid adoption seems to be going ahead, there are indications that security complications may be making it harder than anticipated. For example, a report by the World Economic Forum published earlier this year identified security, alongside customer privacy, as one of the critical challenges that utility companies are wrestling with as they deploy Smart Grid pilot schemes. “Breaches of data security can have a catastrophic impact on pilots,” the report found.

Exposing operations

Andy Bochman, editor of the Smart Grid Security Blog and energy security lead at IBM Rational, explains some of the security implications of the technology: “A lot of Smart Grid functionality depends on IT systems being connected to operational technology (OT) systems,” he says. “In security parlance, this greatly expands the attack surface.”
Bochman explains that hackers could penetrate an IT ‘soft spot’, such as a corporate network or web application, and from there move on to OT systems, which control grid hardware.

There are, says Bochman, three ‘classes’ of hacker that might target a Smart Grid. The first is a ‘kiddie scripter’, or curious individual who downloads Internet code and attempts to hack their Smart Meter, usually in an attempt to change their bill. “They’re not very dangerous threats, but on the other hand, they can certainly be a nuisance and cause trouble,” says Bochman.

Secondly, he identifies organised cyber gangs who want to disrupt the Smart Grid for commercial ends. He does not see too much scope for this at the moment. “They’re not really ideologically driven to attack the power sector more or less than any other sector. It all depends on where they think they can get the most money.”

Continued...