by Sambit Bisoi and Ashiss K. Dash, Infosys Ltd.
Much like the security challenges during the dot-com boom, the smart grid will have security and privacy issues.
The electric grid of the future will be much more complex and dynamic than the one supporting the business model of conventional utilities.
Traditional utility offerings will expand to include more consumer touch points and decentralized generation options enabled by an increased flow of information.
A larger pool of stakeholders will witness intense engagement from every frontier.
Features, possibilities and expectations will transform the role of utilities in the economy.
A growing number of potential stakeholders, highly engaged customers, large infrastructure, distributed failure points and a huge volume of data will present security concerns at multiple levels.
The main problems include hacking, data theft, privacy breaches, meter fraud and compromise of physical security.
Utilities must streamline their processes, distribute responsibilities and increase resilience to such incidents.
Initially, there will be a need for clarity around the following data parameters:
- How much data should be collected?
- Who will own the usage data?
- Who will secure it?
- Who will have access?
- How will private parties access customer data?
- Will customers trust utilities with their data?
- Whose responsibility will it be to educate end users?
These technological advancements are owned by the utilities, and they will remain the primary point of contact for all other stakeholders, at least during the infancy of the grid.
Second, customers trust utilities to safeguard their privacy and security more than other private companies.
Finally, with access to the massive volumes of data, utilities will be able to perform valuable pattern analysis to prevent, detect and neutralize malicious attempts throughout the grid.
It will be the responsibility of utilities to nurture the smart grid and ensure security for all constituents.
Cybersecurity never has been the core strength of utilities. In the recent McAfee report “In the Dark: Crucial Industries Confront Cyberattacks,” authors Stewart Baker and Natalia Filipiak write that 40 percent of the 200 information technology security executives from critical electricity infrastructure enterprises believed that their industry has been more vulnerable to security issues than before.
Thirty percent believed their companies were not prepared for a cyberattack although more than 40 percent expected a major cyberattack within the year.
Meanwhile, the energy sector increased its adoption of security technologies by a percentage point to 51 percent.
In the McAfee report, Baker and Filipiak note that former Director of Central Intelligence Jim Woolsey was quoted as saying that more than 90 percent of people working on the smart grid are not concerned about security and see it only as a last box they must check.
Utility information technology divisions and executives must take a cue from industries such as banking and elevate cybersecurity to the top of the agenda.
Secure it by Design at Every Phase, Layer
Advanced metering infrastructure (AMI) will have multiple security touch points provided by parties requiring various integration types.
Security will not be treated as a separate layer in smart grid architecture; rather, it will be an integral part of every layer and phase of the program.
Security road mapping and planning will begin at the design phase and will be evaluated in an iterative model until the integration phase.
Seamless coordination must be orchestrated among business units and information technology divisions within utilities. Even after implementation, it is essential to run lightweight integration pilots continuously to ensure that security levels are not compromised by the introduction of new devices, end points (e.g., smart appliances) or network protocols or upgrades introduced to any components.
Protocols that provide backward compatibility to new and potentially insecure end points such as retrofit appliances will require special attention.
Utilities must bridge the gaps between integration points using special cryptographic approaches that prevent data from being hacked, even if hackers are utility employees.
Stay Prepared for Inevitable—Detect Early, Minimize Damage, Vaccinate Grid
Even the best security algorithms have indefinite effectiveness, so utilities must assume that security breaches such as meter bots, distributed denial of service, man-in-the-middle attacks, meter viruses and other malware are certainties.
Utility servers will house the master grid database. With significant data volumes, artificial neural network-based intelligent software can be deployed to monitor the grid for any anomalous behavior.
These artificial intelligence (AI) components will be able to identify unusual behavior in the grid by doing a pattern analysis.
These AI programs will instantly alert utilities when the grid is hacked or affected by a virus.
For example, if a hacker starts issuing turn-off requests to home users, the smart AI programs can sense the unusual increase in turn-off requests and alert security engineers.
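The turn-off scenario above, as an added example that is not from the article or any utility's system: a rolling-baseline check over a constructed command log. It substitutes a simple z-score for the neural-network approach the article mentions; the log format, command names and thresholds are assumptions.

```python
from collections import Counter, deque
from statistics import mean, pstdev


def build_sample_log():
    """Constructed sample data: (minute, command, meter_id) tuples, not real AMI traffic."""
    log = []
    for minute in range(30):
        # Baseline: 1 to 3 legitimate disconnects per minute plus a routine read.
        for i in range(1 + minute % 3):
            log.append((minute, "DISCONNECT", f"M{minute:02d}{i}"))
        log.append((minute, "READ", f"M{minute:02d}R"))
    # Minute 30: burst of 40 turn-off requests, as in the scenario above.
    for i in range(40):
        log.append((30, "DISCONNECT", f"X{i:03d}"))
    log.append((31, "DISCONNECT", "M3100"))  # traffic returns to normal
    return log


def detect_disconnect_spikes(log, window=15, threshold=4.0, min_history=10):
    """Return [(minute, count, z_score)] for minutes far above the rolling baseline."""
    if not log:
        return []
    counts = Counter(minute for minute, cmd, _ in log if cmd == "DISCONNECT")
    first = min(minute for minute, _, _ in log)
    last = max(minute for minute, _, _ in log)
    history = deque(maxlen=window)  # per-minute counts of recent normal minutes
    alerts = []
    for minute in range(first, last + 1):
        count = counts.get(minute, 0)  # a silent minute is a data point too
        if len(history) >= min_history:
            mu = mean(history)
            # Floor sigma so a very flat baseline does not alert on +1 request.
            sigma = max(pstdev(history), 1.0)
            z = (count - mu) / sigma
            if z > threshold:
                alerts.append((minute, count, round(z, 1)))
                continue  # keep the suspect minute out of the baseline
        history.append(count)
    return alerts


if __name__ == "__main__":
    for minute, count, z in detect_disconnect_spikes(build_sample_log()):
        print(f"ALERT minute={minute} disconnects={count} z={z}")
```

Excluding flagged minutes from the baseline matters: otherwise a sustained attack raises its own threshold and later minutes stop alerting.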
Once a security breach is detected, it is important to assess the breadth of the damage.
Preplanned processes to isolate the infected part from the rest of the grid must be in place.
In case of an attack or detection of a loophole, it is extremely important to patch it, just like a typical Windows patch or antivirus update.
Because of various hardware and software deployments, patching these disparate systems might require changes at numerous points including smart meters, intermediate firmware, smart appliances and core AMI software.
To ensure continuous service to the grid architecture, hardware, software and firmware processes should be designed to ensure a hassle-free, cost-effective resolution.
This will be impossible if security is treated as a different layer or phase of the smart grid program.
Engage, Educate Customers
With the broader adoption of the smart grid, utilities will need to focus on securing the new realm of customer interactions and information exchange.
Customers will use the continuous grid connectivity home area networks, smart appliances and Web applications provided by private partners.
This likely will lead to serious security vulnerabilities.
Once these smart appliances and websites are connected to the grid, they can provide valuable information to utilities, consumers and hackers.
The hackers can collect information on customers’ energy usage and control home appliances such as home security cameras, creating havoc for customers.
To avoid security breaches at the customer end, utilities must have a focused, effective plan for customer engagement, education and drills.
Customers must be updated periodically on new processes and best practices to keep themselves safe.
Because customer awareness will be ongoing, designing a targeted, sustainable and cost-effective customer education framework is important.
Engage the Industry, Coordinate Among Stakeholders
The smart grid will have valuable features that appliance manufacturers, retailers, appliance service firms, regulators and other industry stakeholders will embrace.
Everyone would like to gain access to some part of customers’ data for “the benefit of the customer,” but unless access is controlled through proper authorization, it can spell doom for consumer privacy.
Raw, disjointed data might not always look vulnerable.
The issue arises when important data points are connected and then mined by analytic programs.
Parties can have different sets of customer data, but if some of these data sets are combined and analyzed, they can reveal potentially private information about customers.
These tactics are already used by search engines analyzing user search patterns to generate pop-up ads.
Utilities must consider security approaches such as Secure Sockets Layer, digital signature and encryption to come up with a robust authorization and authentication framework to protect customer data.
There must be some legal or regulatory framework to ensure nondisclosure and security of data.
For this to happen, utilities must engage stakeholders, ensure vendor integration and clarify the security direction for the private players.
Play Smart, But Stay Safe
Potentially, the smart grid can bring simplicity to the grid.
Today, for example, a home appliance manufacturer collects feedback on a device through manual or Web-based surveys.
With a smart grid in place, the manufacturer can fit in the device a microcontroller that can gather the detailed data and send it back to the manufacturer.
The manufacturer could receive accurate data such as frequency of usage, consumption details, average load and heat emission. But this process needs customer approval.
If not managed properly, it can be a privacy issue for customers.
Utilities will play a pivotal role between appliance manufacturers and customers to ensure the smooth implementation of such smart processes.
In return, utilities have access to another revenue source. It is important to provide a secure interface to external players and win customers’ confidence.
Learn to Isolate, be Prepared
As a result of tighter interconnections, the smart grid will be brought down by security breaches.
The security model must be designed in such a way that isolation of a house, street, circuit or any common denominator in a short time is possible.
This will help utilities avoid the cascading effect of such a breach and will help detect problems faster.
Attackers will range from casual geek hackers to malicious hackers with agendas.
Utilities must be able to isolate incidents quickly, detect issues and fall back to Plan B quickly to maintain grid reliability.
Smart grid security should not be treated as a product or protocol. It is more than implementing a set of hardware and software solutions on the grid; rather, it is important to design the grid in such a way that all security measures involving people, processes and hardware and software work together.
Utilities must ensure that consumers and the smart grid are safe and secure.
Once utilities learn the rhythm of continuous improvement in keeping the smart grid secure, other industries will learn the tenets of security from utilities.
After all, securing the largest machine invented by mankind is not child’s play.
Sambit Bisoi works as a technical lead for Infosys Ltd. based in India. He has a bachelor’s in information technology and a master’s in software systems and more than six years of experience providing information technology solutions to one of the largest U.S. utilities. Reach him at firstname.lastname@example.org.
Ashiss K. Dash is assistant vice president of utilities and head of the smart grid practice at Infosys Ltd. He has a bachelor’s in chemical engineering and more than 17 years of information technology experience. He has published several articles on business analytics and how it enables strategic decision support for enterprises. Reach him at email@example.com.