Integrating Communications

SECURING POWER FROM CYBER THREATS

Published In: EnergyBiz Magazine September/October 2011


An April 2009 Wall Street Journal story said Chinese and Russian cyberspies penetrated the U.S. electric grid and left behind software programs that could disrupt its operations. As reported in the Journal of Energy Security two months later, security firm IOActive told the Department of Homeland Security that a hacker with a $500 piece of equipment could take over a smart grid's two-way communications system, disrupt service to homes and businesses and, potentially, cause a blackout. IOActive said it had "created a computer worm that could quickly spread among smart grid devices, many of which use wireless technology to communicate."

The energy act of 2005 gave the Federal Energy Regulatory Commission oversight for the electric system's security. In 2006, FERC made the North American Electric Reliability Corp. responsible for developing and enforcing security standards. In 2008, NERC issued the Critical Infrastructure Protection standards.

The standards' effect on improving grid security is marginal because what should be protected is unclear. Utilities used a narrow interpretation to identify the critical security perimeter and the assets covered. A January Department of Energy audit found that 81 percent of generation owners and 37 percent of transmission owners did not identify a single critical asset that needed to be protected. The majority of the other transmission owners and load-serving entities limited the perimeter to the primary and backup control centers where SCADA systems are located. The standards cover only a small number of transmission substations and no distribution substations. In addition, the standards' zero-tolerance audit process led utilities to focus more on strict compliance to procedures instead of minimizing the risk of security breaches.

Continued smart grid implementation will exacerbate the nation's security risk because smart grid operations systems incorporate information technology management and controls. Historically, the SCADA system would monitor the transmission and distribution network through direct one-way connectivity with substations; however, actions by system operators were largely done manually or by locally managed switches. Utilities had limited ability to monitor network conditions beyond the substations.

Distribution automation and smart grid applications monitor and control power quality, voltage, and electric demand and supply at the circuit and even the transformer or edge-device level. Smart applications will execute control through two-way communications using private and public networks, including the Internet. In addition, energy consumers are managing energy consumption, supply and demand response through Internet Protocol gateways that use public communications networks. Increasingly, software applications and communications networks that are not secure will monitor and make real-time changes to the network, opening new threats to power-system reliability.

The Energy Independence and Security Act of 2007 (EISA) directed the National Institute of Standards & Technology to develop standards related to the smart grid's interoperability and cybersecurity. This year, the Government Accountability Office completed an audit of NIST and FERC efforts to develop and implement these standards. Issued in 2010, the initial NIST guidelines are voluntary, and FERC has yet to adopt them. Further, the GAO report indicates that EISA has authorized no clear enforcement mandate. GAO noted "a lack of security features being built into certain smart grid systems." Traditional power system vendors will need to ensure that their grid optimization applications, networking and smart equipment are designed and deployed in a manner that supports compliance with the NIST and CIP standards. Given the evolutionary state of federal cybersecurity standards, utilities should consider three actions to improve transmission and distribution grid security:

1. Begin integrating IT with operations technology functions such that all OT systems are managed with the same disciplines as IT systems.
2. For your grid, develop a risk-based security strategy that not only ensures compliance with existing standards, but that also continually extends the security perimeter to cover all points where electric power and voltage controls are executed.
3. Require that all new vendor systems purchased or upgraded comply with applicable NIST, CIP and company security standards.

Comments

Cyber security--is it realistic?

According to news reports, cyberspies broke into top secret electronic files of government defense contractors and the Defense Department and accessed top secret weapons systems information and perhaps some military defense plans. Yet we truly expect that we can secure the grid control systems tied into that same internet communications network? Just because DoD and its contractors are, shall we kindly say, naive enough to believe they can keep safe information that relies on logic barriers to prevent access from a system that is exposed to hundreds of millions of access points does not mean we all should be. The response plans had better be based on "what-to-do-when," not "what-to-do-if." The thing about computer systems is, they work via logic. One (being either a person or organization) would have to be incredibly dumb to expect that, out of all the hundreds of millions of computer users in the world, he can build a logic string no one can cipher through.