Cyber Attack! - Smart-Grid Security


Intelligent power grids present vexing cyber security problems

Intelligent power grids present vexing cyber security problems

Fortnightly Magazine - January 2008

The night Benazir Bhutto came out of exile, the streetlights went dark.

When the former prime minister returned to Pakistan on Oct. 18, 2007, her homecoming caravan was bombed. Nearly 140 people were killed, including 50 of Bhutto’s guards. Afterward, she suggested the darkened streetlights were no accident, but were part of an assassination plot.

“We need to have an inquiry as to why the streetlights have been shut [off],” she said in a press conference in Karachi.

In a world where streetlights can be used as a weapon, controlling local utility networks becomes more than just a matter of public convenience and necessity. It becomes a matter of public safety and even national security. And in that world, the idea of an inter-networked, automated distribution grid poses troubling questions about cybersecurity vulnerabilities.

“As soon as you connect a device to the communication network, and you can read and remotely control it, it’s subject to cyber attack,” says Joe Bucciero, senior vice president with KEMA Consulting in Philadelphia, Pa. “The real unknown is the potential for misuse, to deny service or do things that impact the grid. For a house it’s not a big deal, but for a power station or a transmission substation it becomes a big problem.”

Of course, Karachi isn’t powered by a smart grid: If the power outage was part of a conspiracy against Bhutto, a human hand pulled a breaker somewhere to shut off the lights. But with an automated, IP-networked distribution system, such a hand could be located almost anywhere in the world. And it could wreak greater havoc.

Baked-In Security

Although U.S. utilities focus heavily on reliability and safety, in terms of legal compliance, distribution systems aren’t considered critical infrastructure (see “ CIP Goes Live ”). But distribution systems can be critical in terms of their effect on local populations and other vital infrastructure.

“If a city has water-treatment facilities served by a major substation, some utilities aren’t addressing that substation as a critical asset,” says Tobias Whitney, compliance and infrastructure-protection practice leader at Burns & McDonnell in St. Louis. “But major airports, refineries, large data centers and other shared infrastructure are high on a city’s priority list, in terms of criticality.”

Thus, security is becoming a more urgent priority as utilities build out the smart grid. And as distribution systems become more automated and networked, they become larger and more important targets for cyber attack.

“A metering system doesn’t look a lot like a SCADA system,” says Greg Stone, an IT manager with Duke Energy. “But once you start talking about in-home applications and direct control over distribution assets, it starts looking like a SCADA system. And all the concerns around protecting a SCADA system come into play” (see “ Aurora Attack ”).

Accordingly, security issues feature prominently in utility smart-grid RFPs. For example, in Duke’s Utility of the Future project, now in early phases of development,