By Deborah Gage
We're all going to be on it one day, and securing it is a work in progress
Version 1 of a 400-page document on how utilities and vendors should secure the smart grid is due this summer, and the 450 volunteers at the National Institute of Standards and Technology's cybersecurity working group are girding themselves for the final push.
Some of them have been meeting this week at a smart grid conference in Silicon Valley and have had some intense discussions on what needs to be done.
By now most of us know that the emerging smart grid has some security and privacy problems. Smart Planet's Andrew Nusca has covered it, and 60 Minutes has covered it, and my predecessor John Dodge has covered it.
The folks I talked to this week don't deny these issues, which one utility executive -- Darren Highfill of Southern California Edison -- said range from "accidental misconfigurations of equipment to bored teenagers to a kid with a slingshot to nation states."
But Highfill and others also said that a) problems have been overblown by reporters who don't understand how the utility industry works, and b) security is a never-ending work in progress.
They expect mistakes to be made, and they think they're on top of smart grid security -- so far. They also believe that if we don't build the smart grid, which one of them called "the energy Internet," we won't have enough power to meet our daily needs, which keep expanding and will soon include power-hungry devices like electric cars.
"Some of you are old enough to remember AOL and Prodigy and when we first started trying to do the Internet...there's no way we could have predicted the evolution of the Internet today," said Bill Hunteman, the DOE's former chief technology officer, who was brought out of retirement to advise the DOE on smart grid security.
“A lot of what's going on with these smart grid grants is that we're learning. We will look back in a few years and say, ‘My god, were we stupid to spend money on that.’ We may be causing meters to get installed too early. But it’s all part of the process of maturing where we’re trying to go, and we’ve got to do it so our children and grandchildren can learn from that.”
Here's George Arnold, the national coordinator for smart grid interoperability at NIST, on NIST's upcoming document. "It's an onion, this document, as big as it is -- 400 pages -- it's the first layer. But if you don't get the basics right you wind up with Windows, which is inherently difficult to secure."
Also, utility customers have been stealing electricity as long as there've been meters, several people said, but the idea is to prevent them from penetrating the grid.
Here are some things that were mentioned this week as still missing from the smart grid:
- The equivalent of an Underwriters Laboratory to certify smart grid components
- The ability to manage hundreds of millions of encryption keys, which the grid is likely to have when it's built out
- Standards to get better quality software code from vendors
- Good communication among participants on the grid and the freedom to operate as needed to deter attacks (e.g. shut down equipment without being considered out of compliance by federal agencies that regulate the power industry)
- Good communication with security researchers who find problems with the grid
- Better physical security at some utilities and substations
- Supercomputers to analyze all the data the grid will collect
- Public understanding of what the grid is and how it works
If you want to track the progress of NIST's work, you can go here. You can make comments on their work so far, which is published in the Federal Register, until next Wednesday.
May 28, 2010
The smarter they make it, the more vulnerable it becomes. The smart grid is vulnerable to far more than hackers getting access, and super encryption is not going to protect it except from direct access. Like any programming, the more complex the protection becomes, the more "side effects" are likely to show up, giving access or creating vulnerabilities. The one thing it needs is a completely closed system, which would be a very expensive undertaking. Unfortunately, even closed systems can be physically accessed. Yes, creating smart appliances that do not create a lot of RFI is a start, but it'll take decades before enough smart appliances will exist to make much of a difference. Smart metering has been shown in some instances to create interference to radio reception and to be susceptible to interference from licensed transmitters.
While having the smart grid at the distribution level is great for utilities, the case for bringing it into the home just hasn't been made. Most of the benefits of a smart grid in the home can be done simply by metering based on time-of-day. If your utility puts a premium on plugging in your car in the afternoon on a hot summer day, then you'll learn soon enough to do it at night (and cars could have timer circuits that normally allow charging only at night). It would be the same for using other major appliances in the house. While home meters which keep track of electricity use by time-of-day are sometimes called "smart" meters, they are a far cry from the home meters proposed for a fully built-out smart grid. Those meters would be far more susceptible to hacking, and allow hackers to possibly take control of your appliances. And for what? Just what extra benefit would this capability give us? Are the incremental savings from being able to turn off a light accidentally left on from across the country worth the extra cost? How is putting smart grid capability into my refrigerator, washing machine, dryer, etc., going to significantly allow me to reduce their energy usage? All it would do is give me a report at the end of each month so I could feel guilty about what an energy hog I am -- when in reality there is not much I could do about it except spend thousands on new energy saving appliances that would take years to produce any actual net savings. Most of the possible savings are all time-of-day usage related. I've also heard of schemes that will tell you when the windmills are running so you can use your appliances when the electricity is generated by renewable resources, but who wants to run their life based on the unpredictability of the weather? We spent millennia isolating ourselves from the havoc caused by the randomness of the weather, now we want to go back to that? 
Just getting people to shift their usage patterns to nighttime will be as far as most of them will want to go without major resistance.