Version 1 of a 400-page document on how utilities and vendors should secure the smart grid is due this summer, and the 450 volunteers at the National Institute of Standards and Technology's cybersecurity working group are girding themselves for the final push.
Some of them have been meeting this week at a smart grid conference in Silicon Valley and have had some intense discussions on what needs to be done.
By now most of us know that the emerging smart grid has some security and privacy problems. Smart Planet's Andrew Nusca has covered it, and 60 Minutes has covered it, and my predecessor John Dodge has covered it.
The folks I talked to this week don't deny these issues, which one utility executive -- Darren Highfill of Southern California Edison -- said range from "accidental misconfigurations of equipment to bored teenagers to a kid with a slingshot to nation states."
But Highfill and others also said that a) problems have been overblown by reporters who don't understand how the utility industry works, and b) that security is a never-ending work in progress.
They expect mistakes to be made, and they think they're on top of smart grid security -- so far. They also believe that if we don't build the smart grid, which one of them called "the energy Internet," we won't have enough power to meet our daily needs, which keep expanding and will soon include power-hungry devices like electric cars.
"Some of you are old enough to remember AOL and Prodigy and when we first started trying to do the Internet...there's no way we could have predicted the evolution of the Internet today," said Bill Hunteman, the DOE's former chief technology officer, who was brought out of retirement to advise the DOE on smart grid security.
“A lot of what's going on with these smart grid grants is that we're learning. We will look back in a few years and say, ‘My god, were we stupid to spend money on that.’ We may be causing meters to get installed too early. But it’s all part of the process of maturing where we’re trying to go, and we’ve got to do it so our children and grandchildren can learn from that.”
Here's George Arnold, the national coordinator for smart grid interoperability at NIST, on NIST's upcoming document. "It's an onion, this document, as big as it is -- 400 pages -- it's the first layer. But if you don't get the basics right you wind up with Windows, which is inherently difficult to secure."
Also, utility customers have been stealing electricity as long as there've been meters, several people said, but the idea is to prevent them from penetrating the grid.
Here are some things that were mentioned this week as still missing from the smart grid:
- The equivalent of an Underwriters Laboratory to certify smart grid components
- The ability to manage hundreds of millions of encryption keys, which the grid is likely to have when it's built out
- Standards to get better quality software code from vendors
- Good communication among participants on the grid and the freedom to operate as needed to deter attacks (e.g. shut down equipment without being considered out of compliance by federal agencies that regulate the power industry)
- Good communication with security researchers who find problems with the grid
- Better physical security at some utilities and substations
- Supercomputers to analyze all the data the grid will collect
- Public understanding of what the grid is and how it works
If you want to track the progress of NIST's work, you can go here. You can make comments on their work so far, which is published in the Federal Register, until next Wednesday.