Security is a top concern with smart electric grid

Observers split on whether Internet-based technology would ward off hackers or invite them in.

Security specialists are working to make sure the Obama administration's plans to develop a smart electric grid that relies on the Internet to supply and monitor power across the country will include security standards for reducing vulnerabilities to cyberattack.

President Obama spoke about "building a smart electric grid to deliver energy more efficiently" in his remarks on Friday about securing the nation's cyber infrastructure, noting that "protecting the [digital] infrastructure will be a national security priority." Nearly $3.3 billion will be invested in smart grid technology development grants and $615 million in technology testing as part of the American Recovery and Reinvestment Act.

A smart grid would rely on real-time, two-way communication to allow power customers to connect directly with electricity suppliers. A report from the Global e-Sustainability Initiative, created by information and communications companies to foster economic growth through technology, said, "A smart grid would work the same way that the Internet does. The difference is that while the Internet optimizes the routing of information, the smart grid optimizes the routing of electrons."

Alan Balutis, director of the business solutions group at Cisco Systems and a former chief information officer at the Commerce Department, said, "A single technology platform can be developed that is secure, interoperable, manageable, reliable and scalable." The smart grid goes beyond "smart metering" of power usage, he said, to be "one application of an integrated, comprehensive smart grid network" that also automates monitoring and management functions, integrated maintenance and on-demand operations that reduce power consumption.

Smart grid development will require a high priority on cybersecurity to ensure hackers don't access the computer systems that control the power grid through the Internet and cause service outages or worse. The threat against the nation's power grid was first widely realized in March 2007, when researchers at the Idaho National Laboratory demonstrated to the Homeland Security Department how they could go online to hack into the programs that control a generator and manipulate settings so it would self-destruct. In April, sources from the intelligence community revealed that spies from China, Russia and other countries had penetrated computers that control the nation's power grid.

George Arnold, deputy director of technology services with the National Institute of Standards and Technology, said a smart grid actually would enhance security, because it would force modernization of outdated technology that was never meant to function in a networked environment. NIST is developing a Smart Grid Interoperability Standards Roadmap that will be issued in September.

"When you look at the systems deployed today, they stem from 30-year-old technology," Arnold said. "Nobody even thought about computer security. The smart grid represents an opportunity to enhance the security of the electric grid, as opposed to introducing vulnerabilities. ... Standards are not static; they need to evolve to accommodate new requirements and technologies."

NIST hosted two workshops in April and May with representatives from government, the IT community, and power plants to develop a first round of smart grid standards. In May, NIST released a list of 16 existing standards pulled from the Internet and telecommunications sectors that could be applied to smart grid development to promote security and ensure interoperability of software and hardware components from different vendors. Comments on the list can be e-mailed to smartgrid@nist.gov.

The agency is working with industry to identify vulnerabilities and potential threats and develop additional standards that enhance smart grid functionality and security. A wiki collaboration site provides access to technical documents developed in the workshops.

"We're determining how to overlay the telecommunications and Internet [security standards] to enable additional capabilities across the smart grid," said Annabelle Lee, senior cybersecurity strategist at NIST. "To do that, we need to look at existing equipment and figure out how we can ensure that security is maintained without telling every vendor to change out their equipment."

Once developed, the list of standards will be enforced by the Federal Energy Regulatory Commission, which is the rule-making body for most of the nation's power plants. As threats against critical infrastructure increase, so will the private sector's desire to comply with security standards, said Balutis.

"As older infrastructures move to an IP-based model, companies in the power-generation, transmission, and distribution business will require a level of comfort with the security of the network before they will agree to deploy," he said.

But some remain skeptical that a smart grid -- which relies on a networked environment -- can enhance cybersecurity.

"Smart grid moves security from really bad to not quite as bad," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "Even if we're better off, we're not going to be 'secure.' I don't even know what that means."

"We're only beginning to think about the range of vulnerabilities that we will create with the development of the smart grid, and NIST is pulling the players together to sort it out," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration and now runs his own information security consulting firm, Garcia Strategies. "This is an exciting 21st century evolution of the delivery of a basic need, but most are recognizing that the more interconnected we are, the more openings there are for exploitation."