The promise and perils of a smart grid

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

A smart, networked energy grid offers a host of energy- and money saving benefits, but it presents an enticing target to all sorts of miscreants. How to reap the good while avoiding the bad?

In addition to the DOE risk management initiative, NIST is developing standards for security and interoperability for voluntary adoption by FERC, the primary federal regulator of the nation's electricity system, and industry standards organizations, such as the Institute of Electrical and Electronics Engineers.

A smarter energy grid holds both promise and peril. Advantages range from more sophisticated energy management to significant savings. But the threats also are numerous, as a networked electrical grid almost certainly would entice all sorts of miscreants.

The Energy Department and National Institute of Standards and Technology are leading a coalition of government and industry organizations in building a cybersecurity framework that would protect the nation’s electrical grid.

The group has an aggressive schedule, with plans to produce guidelines for consistent risk management processes across the electric supply system by this fall.

“The goal is to begin moving the electricity sector stakeholders out of the compliance mindset and into a continuous monitoring mindset,” said Bill Hunteman, senior cybersecurity adviser at DOE’s Office of Electricity Delivery and Energy Reliability (OE).

Related stories:

Smart grid tapped to inspire alternative energy sources

Top 6 hurdles to securing a smart grid

Is U.S. sleeping on smart-grid security?

Cyber defense must be resilient, because it will never be invulnerable, former DOD official says

In addition to OE and NIST, coalition participants include the Federal Energy Regulatory Commission, the North American Electric Reliability Corp., the Homeland Security Department and a number of utility companies.

The program is part of a broader effort to develop cybersecurity standards for an intelligent energy grid, often called the smart grid, toward which the electrical industry is moving. A risk management framework for the smart grid is urgently needed, Hunteman said.

“All of the participants have acknowledged the need to get this going,” he said.

The American Recovery and Reinvestment Act has provided money for developing and fielding new electric grid technology, and the industry now needs standards to develop and deploy the technology. “You need to get security built in and not added on later," Hunteman said. "Everybody is supportive of the aggressive schedule.”

However, the process is not yet complete, and the Government Accountability Office said in a recent study that federal overseers lack the authority to require industry compliance.

The smart grid is part of the Obama administration’s economic recovery program, and it carries the  promise of creating jobs, contributing to energy independence and curbing greenhouse gas emissions.

An electrical industry group, the Working Group for Investment in Reliable and Economic Electric Systems (Wires), in a January report on smart transmission technology, said “major new investment in a stronger high-voltage transmission system is key” to meeting growing demands for electrical power and enabling more environmentally friendly energy sources.

“A strong transmission system must also be an intelligent system that employs the best available technologies and materials,” the report states. “It must be animated by advanced digital technologies in order to integrate those resources into the electric system in an economically and operationally efficient way.”

The high-voltage transmission system already is using smart networks to balance the flow of electricity from hundreds of power plants across multiple systems, Wires said in the report. The smart grid would use intelligent networking and automation to better control the flow and delivery of electricity to consumers, enabling a two-way flow of power and information between power plants and customers, in addition to all points in between. That could enable the more efficient generation, transmission and use of energy across a national grid.

An attractive target

However, those anticipated benefits are accompanied by the risk that increasingly intelligent, interconnected networks would be vulnerable to attacks that could interrupt power transmission and operations and result in widespread loss of electrical services. Potential problems include:

  • Increasing the number of entry points and paths that attackers could exploit.
  • Introducing new, unknown vulnerabilities.
  • Expanding the amount of customer information collected and transmitted.

Breaches of electrical supply systems already have been reported, and the emergence of the Stuxnet worm has illustrated the ability of a cyber threat to affect the control processes of physical systems.

DOE is leading the smart-grid program through the Energy Independence and Security Act of 2007, and NIST is developing standards for the smart grid. EISA also directs FERC to adopt standards for smart-grid security and interoperability.

“While EISA gives FERC authority to adopt smart-grid standards, it does not provide FERC with specific enforcement authority,” GAO said in the report on electricity grid modernization. “As a result, any standards identified and developed through the NIST-led process are voluntary unless regulators use other authorities to indirectly compel utilities and manufacturers to follow them.”

Regulation of the electrical power industry and system is divided among various regulators at the federal, state and local level, and FERC has no plans to monitor industry compliance with voluntary standards.

One system, 3,000 utilities

The electricity grid has historically relied on proprietary technology, which has helped isolate and protect individual systems. But that protection is not complete. “One of the big issues is that the grid is so tightly interconnected for reliability that we have to do the best we can to develop a consistent process across the more than 3,000 utilities,” Hunteman said.

The number of parties involved complicates the process of developing a security framework. “There are a lot of moving parts” in the standards and rule-making effort, said Erich Gunther, chairman and chief technology officer of EnerNex.

In addition to government regulators and private utilities, there are standards bodies such as IEEE, for which Gunther is chairman of the Intelligent Grid Coordinating Committee of the Power and Energy Society. “All of these entities have a role to play.”

The lack of a complete, coherent security framework is not because of a failure of that effort, he said. Instead, it is the result of the rapid evolution of the energy grid. IT security has been part of the grid for a long time, he said. “What’s new with the smart grid is its pervasive application in the power infrastructure.”

As a result, a lot of cybersecurity experts work separately on the effort without understanding the overall infrastructure they are trying to protect, Gunther said.

“Cybersecurity is a systematic problem," he said. "You’ve got to be aware of the business objective of what you’re trying to protect. A lot of the security folks don’t yet understand how all of the parts of the power infrastructure fit together.”

Within IEEE, several working groups are working to identify and craft standards for the power industry, including the organization's Power and Energy Society, Computer Society and Communications Society. Despite the complexity, the overall smart-grid security effort is working well, Gunther said.

“We’ve got the right people working on the right stuff, and there is a surprising amount of coordination,” he said. There is no obvious need for more centralized control of the process, he added. “You need a large community of experts freely exchanging ideas. That seems to be working.”

Grid interoperability

In upgrading to a smart grid, utilities want systems that easily work with technologies from different vendors. But there are no generally accepted security standards for the equipment. EISA directs NIST to coordinate development of a standards framework. The agency is identifying existing standards for interoperability and cybersecurity that can be applied to the smart grid, and it's also identifying gaps where it needs to develop new standards.

NIST published an initial framework for interoperability and security in January 2010, Special Publication 1108, “A Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0” In August, the agency released the first version of security guidelines, the three volume Interagency Report 7628, “Guidelines for Smart Grid Cyber Security.”

In its report, GAO said the guidelines include important elements, including a high-level strategy for developing an approach to securing smart-grid systems and identifying appropriate security requirements. FERC is reviewing the initial guidelines for adoption as voluntary standards, including five existing cybersecurity standards identified by NIST as ready for adoption.

The DOE/NIST and industry initiative aims to lay a foundation for those standards by establishing processes for risk management, which is the science of identifying and assessing risks so that they can be eliminated, mitigated or accepted. Within government, there has been an evolution toward continuous monitoring for risk management rather than using one-time or periodic snapshots that become out-of-date before appropriate security guidelines and controls are put into place.

“We are moving now to start implementing an effective cybersecurity program into the grid,” Hunteman said.

The initiative will build on existing risk management models, and the core development group will select models that apply to the utilities industry to provide an initial set of guidelines, possibly as early as this month. Iterations of the guidelines will be offered for public comment “until we have exhausted everyone’s comments,” Hunteman said. There is no firm deadline for completion, but a final version is expected by fall.

Regardless of how well received the guidelines are, they still will be voluntary. But Hunteman said that will be a strength.

“Voluntary guidelines will be effective in elevating the level of security in the electric grid,” he said. They will provide a common model but can be applied as appropriate by each user. Large multistate utilities have different needs than those of small rural cooperatives.

One indication of industry acceptance of the program is the level of interest in participation, Hunteman said. “One of the challenges has been keeping the core development team small enough so that we can quickly turn out the document.”

Despite the aggressive schedule for producing the risk management framework, there is no immediate endpoint for the broader security effort, Gunther said. “There is a lot to do. It will never be complete.”

NEXT STORY: 9 fraudulent digital certificates on the loose, Microsoft warns

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.