Cyber Security in the Age of Smart Grids

The World’s First Successful Attack on a Power Grid

It has been estimated that a major cyber attack on the U.S. electric grid could cause over $1 trillion in economic impact.

On December 23, 2015, hackers took control of utility systems in Ukraine and knocked out power to 225,000 customers across three distribution companies for several hours. More than the limited damage, the coordination and sophistication of the attack left utilities around the world very concerned.

The hackers were traced to Russia, based on the IP addresses of the computers that were used in the attacks. Spear phishing and malware gave them a foothold in the IT networks of the three utilities, from which they harvested credentials to access the utilities’ industrial control system networks. With that, they were able to seize control of the supervisory control and data acquisition (SCADA) systems, turn off substations and disable or destroy various IT infrastructure components. They also simultaneously executed denial-of-service attacks on the utility call centers, preventing customers from reporting and receiving important information.

The events of this cyber attack raised the stakes for grid security to a new level. A similar attack on the U.S. power grid would be highly disruptive, likely costing hundreds of billions of dollars in economic damage while threatening public safety in myriad ways.

So how do you balance investments in cyber security with investments in reliability and resiliency? The cyber security dilemma does not, nor should it, take place only within the IT team, particularly in an IoT (Internet of Things) world. IoT devices are being rapidly adopted and used everywhere by consumers, enterprises and governments. What if, instead of trying to hack a power plant, someone hacked millions of “smart devices” connected to a power supply, and used them to manipulate the grid? This would create spikes in local and regional power consumption that in turn could damage power transformation and carrying infrastructure.

A Comprehensive Security Approach

“Cyber Security is a serious risk to our country’s critical infrastructure, and must be taken very seriously,” notes Bob Smith, Senior Vice President of Power at Milhouse Engineering and Construction, Inc. in Chicago. “In addition to the economic impact, a major cyber attack would pose a significant threat to the safety and well-being of the general public.” Smith feels a multi-faceted, defense-in-depth approach is required to ensure the overall security of the smart metering system.

“The security solution,” according to Shane Jefferies, Director of IT at Milhouse, “should aim to protect the system against known and unknown attacks (day zero attacks), unauthorized access, physical tampering, information compromise, denial of service, eavesdropping and other threats. A set of preventive, detective and corrective controls should be implemented to ensure the security of the smart metering system, which includes end devices, management and monitoring systems, network infrastructure and payment environments.” Jefferies lists some of the key controls necessary to meet the smart metering security requirements:

• network segregation
• data encryption (in transit and rest)
• near real-time monitoring
• device/user authentication solution
• device registration/de-registration, etc.

Smith further explains, “The control environment needs to be supported by a governance framework, appropriate policies and procedures, continuous monitoring and a maturity model to ensure that the overall smart metering system is protected against known and unknown issues and effectively responds to the changing threat landscape.”

Customer data privacy and security are critical to ensure customer adoption of smart meters. The principles of “privacy by design” and “security by design” are required for the implementation of security and privacy, and efforts in this area must be well understood, documented and visible to support the credibility of the solution. It is important to note that the entire issue of consumer and citizen data protection has not been resolved. There are large differences in legislation between countries and regions, and businesses face the lack of universally-accepted technical or industrial standards.

Jefferies explains Milhouse’s approach to security, “We start with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a voluntary Framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security, helping Milhouse protect not only our own data, but that of our clients as well.”