Smart Grid Security Inadequate, Threats Abound
As the Stuxnet attack shows, malicious hackers "clearly have the upper hand" over power grid systems, a new study says. A lack of strict standards and a hodgepodge of products have created today's chaotic state of utility cybersecurity.
Wed, January 04, 2012
CIO — Near chaos. That's the current state of security for smart grids, according to Pike Research. A recent report by the research firm finds that a lack of security standards, a hodgepodge of products and increasingly aggressive malicious hackers will make 2012 a challenging year for securing smart grids. (A smart grid uses IT and smart meters in an effort to make electric utilities more efficient, reliable and sustainable.)
"After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended," says Bob Lockhart, an analyst at Pike Research.
But he adds: "There is hope." Lockhart says there's a "dawning awareness by utilities during the past 18 months of the importance of securing smart grids with architecturally sound solutions."
Smart-grid pioneer Andres Carvallo, a former CIO at Austin Energy and co-author of
Looking at the current state of affairs, Carvallo says "security from the application data center to the utility sub-station is pretty good." However, he says "security from edge devices back to the sub-station and/or data center needs a lot of work."
The hackers aren't waiting. "Development of cybersecurity solutions and standards has somewhat stalled, while the attackers are steaming ahead at full speed," Lockhart says. "While we do have lots of good point solutions available," he says, "they are just that: point solutions." The problem is that hackers find the gaps between those products.
Lockhart says that, outside of defense agencies, it's rare to find a utility with a well-planned smart grid security program that integrates those products into a working whole.
There's also a danger of overlooking the insider threat. "Most people believe smart grid security is for only viruses and worms from hostile governments and terrorist groups," says Joshua Flood, an analyst at ABI Research. "However, one of the main reasons for increased spending on smart grid security software and management systems is simply to make sure the correct people have access to the equipment and systems they should have access to." Among other things, this means protecting systems from disgruntled employees or others who might commit internal sabotage, Flood says.
Security Standards Need Teeth
The Pike Research report suggests that the lack of enforceable security standards or regulations for power distribution grids "leads to a scene of mass chaos in utility cybersecurity" and will cause utilities to take a wait-and-see approach to significant security investments.