SANTA CLARA, Calif. -- As the federal government pours billions of dollars into utilities and companies that promise to create an intelligent network that would provide renewable energy to billions of businesses and homes, standards bodies are working to secure the emerging grid so it doesn’t become a repeat of the PC industry -- where devices are still routinely penetrated and controlled by hackers.
Companies that get federal stimulus money related to the smart grid -- makers of smart meters and other products -- are required to submit security plans to the government as part of the Smart Grid Recovery Act. Those plans are being reviewed, and some of them need work.
At the same time, a group within the Commerce Department’s National Institute of Standards and Technology is diagramming interfaces for the smart grid network, known as AMI or the Advanced Metering Infrastructure, and developing standards to head off the security issues that will inevitably arise as more and more devices are networked together.
“We can no longer do cyberattack response at human speeds,” said Bill Hunteman, the Department of Energy’s former chief technology officer and now an advisor for cybersecurity at the DOE, at a conference here this week called Connectivity Week. “It’s too late if you have to have somebody think about it. An active defense says that when an attack occurs, there’s enough intelligence in your defective mechanisms to recognize it, and you’ve thought about the responses well enough to automate it.”
NIST’s Cybersecurity Working Group is one of the largest bodies working on grid security -- members expect to publish the first version of its standards in July. The group has 450 members, all volunteers, and includes academics, scientists, corporate executives, and government officials.
A draft of its work is published in the Federal Register and comments are due next week, on June 2. The group plans to meet face-to-face at Cisco’s headquarters in Herndon, Virginia, on that day to get started on the final document.
Another group, the National SCADA Test Bed program started by DOE and the Department of Homeland Security, is working with vendors to test and analyze control systems that go into the grid, Hunteman said. So far, 49 controls have been tested. The group has also trained 1,900 people to do penetration testing so they have the skills to keep on probing new systems for security weaknesses.
A third group, Trustworthy Cyber Infrastructure for the Power Grid (TCIPG), which includes utilities and vendors, is working on how to proactively defend the grid. And there are other groups as well.
Security is never perfect -- it’s a never-ending process, according to Annabelle Lee, the lead for NIST’s working group. “We know there are vulnerabilities in all these networks and we’re working on defense in depth -- we’re assuming that people will compromise meters and that people will make mistakes,” she said.
One utility executive said grid security has gotten better since last year because utilities and the appliance industry have started working together and working with customers. “The press says we’re sticking our heads in the sand, and it’s not true,” said Wayne Longcore, director of architecture and standards for Consumers Energy, a utility in Michigan.
But there are still some unsolved problems. There’s no equivalent of an Underwriters Laboratory (UL) for smart grid control systems, Hunteman said, and conflicts on how security information is classified and shared need to be worked out with the government.
Information on security issues and attacks, for instance, shouldn’t be shared with the public, but it does need to be shared across the grid.
“We have to be able to do attack detection, whether it’s at a local city, municipality, utility or regional level,” Hunteman said. “I’ve seen folks at DOE seize over 500 million probes or attacks per day, and those are the ones we know about. We have seen historical data, with the same source probing multiple locations spread out over time. They’re very good and they’re getting more advanced and persistent. We need wide-area situational awareness.”
Also undetermined is how security standards for the grid are going to be enforced. The title of NIST’s document has been changed from “requirements” to “guidelines” for cybersecurity because NIST not a regulatory agency, Lee said.