In watching smart grid deployments early on I always wondered when the smart grid security flashing red light bulb was going to go on. Andy Bochman is an IBM Security Lead who hates security fear mongering but even he can’t deny the facts about a series of power grid security breaches this spring in a recent blog post. When U.S. Senators like Richard Burr start calling to slow down the implementation of smart grid technology you know you have a problem. I appreciate the recognition and concerns of power grid security issues but just stopping the smart grid isn’t an answer or even an option. We need to understand that even current legacy power grid networks have serious security flaws. In fact the only way to protect these current legacy grid designs from security breaches is to give these power grid components visibility through secure interactive network intelligence (the smart grid). So like it or not we need use these new smart grid technologies to add security even on our current power grids.
The threat recognized
When I fear monger I like quoting the greatest fear monger-er of them all, Richard Clarke. In his book, CYBER WAR: The Next Threat to National Security and What to Do About It, he warns of both present day legacy power grid vulnerabilities and future cyber attacks on the grid. From gas pipelines exploding to blinding the greatest military power in the world, Clarke defines just how catastrophic it would be to have an national power outage. A WIRED article earlier quoted Matthew Carpenter, senior security analyst of InGuardian in saying “The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC”. Its not like we are loosing a few family pictures. In fact there are reports that if we have a national power outage by day 8 we could loose as much as 30% of our GNP.
Hurry up wait and hurry up again
So what happened and why are we just now recognizing power grid security problems? Well it’s the old story hurry up and wait and hurry up again. We were in a hurry to gain the saving benefits of the smart grid so we start building it and putting security on the back burner. We then validated some security vulnerabilities and recognized that these potential security breaches in the power grid could be catastrophic. So we put a road map together for what we need to do to fix these security problems even for legacy and exiting smart grid networks already staged deployed. So why will they do something now? Because, if we don’t get security in the smart grid and fast we will loose a lot of money.
A trillion here and trillion there
In my article “Will security issues stifle smart grid investment?” I early on warned that if we did not address security first it could put the smart grid deployment and investment to a halt. So how important is this and how much money are we talking about. First let’s put the smart grid into perspective in both investment and return on investment. The Electric Power Research Institute (EPRI) estimated a fully developed Smart Grid costs could reach $476 Billion with benefits up to $2 trillion. These dollar amounts are no small potatoes and could effect the global competitiveness between one country and another.
CleanTechGrid lists hundreds of companies with thousands of employees that are currently working in smart grid industry. IBM gets it and predicts one trillion devices connected by 2015 and the smart grid is just one part of this massive market place. From smartphones, ATMs, retail kiosks, traffic systems, meters, buildings to sensors all these devices will be connected to all local wireless IP infrastructure and all will need security. With network infrastructure like Florida Power and Light FiberNet already in place, power companies could be the anchor tenant and supplier that municipal wireless networks have been looking for. The smart grid is the beginning of more intelligent wireless applications and we can’t afford to stop it now.
The road map is done
NIST has recently refined some guidelines as it pertains to smart grid security. In recent NIST Tech Beat release, Smart Grid Panel Agrees on Standards for Wireless Communication, Meter Upgrades lists a series of “Priority Action Plans,” or PAPs. PAP 2’s goal is to specify wireless technology performance that is “grid-worthy”. These seem to be realistic goals and requirements and at last puts smart grid vendors on notice that they need to fill important gaps to assure the interoperability, reliability, and security of Smart Grid components. Security is no longer just an after thought. It needs to be an integral part of their smart grid solution and deployed in every step along the way.
To get us back on track we need security solutions that offer grid worthy security that can be economically rapidly deployed. This solution has to be vendor agnostic and capable of working with both legacy and new grid networks. This security must also be able to work with multi-protocol hybrid network combinations. Last but not least these security technologies need to be fast, have low overhead and be scalable. Seems like a tough request but again and again I see the smart grid and many edge device security requirements point towards layer 2 security. A recent paper by the Grid-Interop Forum called Interoperability and Security for Converged Smart Grid Networks highlights these unique Layer 2 security capabilities that were approved by NIST for Federal systems and explains how useful these same capabilities could be in securing the smart grid. With a lot of money on the line and a lot of pressure to rapidly get the smart grid secured and up and running, we are left with few other alternatives. We need to start testing and investing in these layer 2 security solutions and get them deployed on the power grid. We can’t afford not to.
Larry Karisny is the director of Project Safety.org, consultant, writer and industry speaker focusing on security solutions for public and private wireless broadband networks supporting smart grid, municipal, critical infrastructure, transportation, campus, enterprise and home area network applications. Next speaking engagement, Smart Gird Virtual Summit June 29th-30th, “Securing the Emerging Smart Grid: A Panel Discussion”.