Smart Grid Security: Why Internet Security and Infrastructure Security Aren’t Interchangeable

E-mail Rick Stephenson

A lot of money is being thrown at implementing intelligence in the national utilities grid with the aim to stimulate job growth. This need to create jobs is accelerating the pace of Smart Grid deployments and, in turn, standards are being overlooked and—in some instances—not implemented at all. As a result, things like interoperability between various grids are not being addressed adequately. The National Institute of Standards and Technology (NIST) is working on a cyber security standard for the Smart Grid, but its recommendations for regulation are still a work in progress. Similar to the development of the Internet, the Smart Grid is being approached with a "build it now, secure it later" philosophy.

Current electricity meters are a case in point. Individual tampering results in the theft of an estimated $6 billion of electricity every year. Installation of digital smart meters could eliminate that loss; but without encryption at the device level, electricity service providers may well face an even larger challenge when the number of connected smart devices and the quantity of data transmissions explode. The risk of hackers intercepting billing information or usage times or injecting malware increases, and in turn, so do costs to the public and to utility companies.

For example in Dallas, Texas, smart meters are being rolled out to roughly three million homes. Whereas a utility company's information network has traditionally been protected by an internal firewall, it's now being extended to three million additional nodes or wireless access points that could be compromised. In addition to communications between the meter and the utilities company, industry experts predict that future homes will have an average of 14 smart appliance devices speaking to the meter as well. On the surface, encrypting a smart washing machine doesn't seem crucial, however the machine is a vulnerability due to its connection to the rest of the information network. In Dallas alone that can potentially amount to as many as 42 million unsecure devices, each a vulnerable entry point into the electrical infrastructure system in Texas.

To ensure that better energy management efforts aren't futile, the topic of Smart Grid security needs to be approached from a multi-layered perspective. First of all physical security, information security, and individual sensor security must be integrated into a comprehensive approach. Because consumers will be unlikely to participate if they perceive the system to be unreliable or inaccurate, eliminating this concern requires incorporating authentication on the smart meter level, guaranteeing that the wireless smart meter communicates the correct information to the designated receiver.

While industry regulators are aware of these issues, they are approaching solutions from a computer security perspective. Unfortunately, this approach does not work when you consider that computers have a significantly higher amount of CPU power than microprocessor chips embedded in smart meters and small wireless devices. Currently, business transacted on the Internet is secured by fewer than 1.5 million Web server digital certificates. Now compare this figure to the estimated 42 million connected smart devices in Dallas. Despite the lower computational power and the larger number of devices that this number represents, regulators advocate that each node should be connected to the Smart Grid using the very same security that was implemented for the Internet. That would require almost 30 times more digital certificates than are used on the Internet in the Dallas region alone. On that level, security, and specifically key management, will be tremendously difficult to accomplish. Cryptography experts agree that public key encryption, utilizing digital certificates, is not scalable to the level that we see emerging in the national Smart Grid.

We can certainly think of many threatening scenarios in regard to Smart Grid security. However, it is more important to keep the focus on system operability, network sustainability, and the resilience of the Smart Grid. Today, we have the opportunity to design Smart Grid security by starting with the weakest links, which are the connected end-nodes. By facilitating a dialog between encryption experts, government regulators, electricity service providers and wireless operators, a comprehensive Smart Grid security standard can be well-researched and set in place before anyone has cause for concern. When it comes to our critical power infrastructure in this country, we cannot afford to be anything less than extremely "smart" about securing it.

Rick Stephenson is President and CEO of Revere Security, Addison, TX. Prior to joining Revere in 2008, Stephenson served in various capacities at Covisint, a technology start-up in 2000 (acquired by Compuware Corporation in 2004). His roles included vice president of Finance, managing director of European Operations, chief operating officer, strategic account manager and vice president of Partners and Alliances. Prior to joining Covisint, Stephenson was a 20-year finance veteran at General Motors. At GM, he held executive roles in International Finance and Corporate Finance. He also worked on the start-up of Saturn in the early '90s and, prior to that, the start-up of the Fort Wayne assembly plant. He can be reached at [email protected].