A cybersecurity coordination task force released a report this week that assesses various security and privacy requirements for the US Smart Grid , as well as strategies needed to address them.
The 256-page document was compiled by the task force, comprised of individuals from the government, industry, academia and regulatory bodies, and led by the National Institutes of Standards and Technology (NIST). Now open for comment, NIST will release a final version of the document in March 2010 describing a overall Smart Grid security architecture and security requirements.
The draft report highlights the need for planners to address threats that could potentially allow attackers to
penetrate the smart grid, gain access to control software, and alter load conditions to cause widespread disruptions.
Cybersecurity strategies for protecting the smart grid need to address not only deliberate attacks but also inadvertent compromises resulting from user errors, equipment failures and buggy software, the report said.
Released as part of the report was a Privacy Impact Analysis that examines some of the privacy implications of establishing a smart grid for power distribution.
A smart grid uses digital technology to transmit, distribute and deliver power to consumer in a more reliable and efficient manner than traditional electricity systems. A key component of the smart grid is the real-time, two-way communication it establishes between consumers and power distributors for tracking energy use and enabling smarter consumption and pricing. Current plans call for nearly 17 million two-way connected smart metres to be installed in US homes over the next few years.
While proponents of a smart grid have touted its potential to improve the electricity system, others have expressed concern about their susceptibility to cyber attacks and inadvertent compromises. Many are concerned that the software, wireless sensor networks and the Advanced Metering Infrastructure (AMI) networks that go into a smart grid present too many points of vulnerability into the network.
In June, security consultancy IOActive disclosed how its researchers had tested Smart Grid components for security vulnerabilities and had discovered several that could allow attackers to access the network and cut off power. IOActive researchers showed how attackers could spread malware through the network and remotely shut down power to consumers by taking advantage of flaws in the metering devices.
The NIST report is an attempt to assess such threats. The vulnerabilities that are listed in the report were gathered from existing research and security documents including NIST's own guide to industrial control systems security and the Open Web Application Security Project (OWASP) vulnerabilities list.
It looks at vulnerabilities that can arise during the operation a smart grid as well as on problems such as authenticating and authorising users to substations, key management for meters, and intrusion detection for power equipment.
The report also considers vulnerabilities arising from inadequate patch, configuration and change management processes, weak access controls, and lack of risk assessment, audit, management and incident response plans.
Vulnerabilities associated with bad software coding practices, including input validation errors and user authentication errors, can also pose a risk to the integrity of a smart grid, the report said.
The real-time, two-way communication between consumers and suppliers in a smart grid also raises several privacy concerns, the NIST report noted. One major issue that needs to be addressed is the data that will be collected automatically from smart metres. There needs to be more of an understanding of how that data will be distributed and utilised throughout the smart grid system, the report said.
"In the current operation of the electric grid, data taken from metres consists of basic data usage readings required to create bills," the report said. "Under a smart grid implementation, metres can and will collect other types of data," some of which could be personally identifiable information that needs to be protected with strong privacy controls it said.