A number of proposals to build Smart Grid infrastructure in the US failed to meet the necessary security requirements, according to a report from the US Department of Energy’s inspector general.
Under its Smart Grid investment grant (SGIG) scheme, the DoE has awarded 99 grants worth between $400,000 and $200 million. However, according to the inspector general’s report, 36% of grant applications were missing at least one of the required cyber security elements.
Interesting Links
One application only referred to cyber security in general terms, the report explained. "The plan stated that the recipient used monitoring, logging, and alerting technologies to detect incidents and exploits, but did not detail how these systems worked in its specific environment."
Another plan lacked a formal risk assessment for the technology, prompting fears that weaknesses and threats to the smart grid system would go unnoticed.
Summing up, the report said: "The approved cyber security plans did not adequately address security risks or planned cyber security controls."
A recent report published by Pike Research in November last year described cyber security in the US utilities sector as "in a state of near chaos".
"After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand," said Pike Research’s senior analyst Bob Lockhart.
"That said, Pike Research has observed a dawning awareness by utilities during the past 18 months of the importance of securing smart grids with architecturally sound solutions," he added. "There is hope."
In the UK, various consortia of suppliers are in the process of bidding to provide the IT infrastructure for the country-wide smart meter roll-out planned for 2014. Some consortia include security specialists – Logica and SAP have partnered with securiy contract Qinetiq, for example, while BT is partnering with BAE-subsidiary Detica. Another consortium is between Cable & Wireless and IBM, which recently created a dedciated security division.
