When I was a kid, one day I saw a strange man lurking around the side of our house. I was home alone after school, and as my mother trained me, I picked up the phone and called her at work to let her know about this dangerous stranger peeking around the property. She slammed down the phone, jumped in her car and sped home. But when she got here, she heaved a sigh of relief when she realized the stranger was simply an electrical utility technician reading the electrical meter.
Today, electrical utilities have an entirely new way of capturing, sharing, analyzing, and reporting on electrical usage. Smart electrical grids, comprised of smart meters and a variety of computers, communications networks and software tools, increasingly have become the method of choice for collecting electrical usage data. In fact, the global market for smart grid solutions is expected to reach $60 billion by 2024, with ambitious rollouts of new systems and expansion of existing ones taking place around the world.
But just because we don’t have to worry about strangers lurking around our property doesn’t mean there isn’t the potential for substantial risk—cyber risk, that is. For all the benefits of smart grids—more accurate usage information, timely billing, customer visibility into energy trends, less reliance on manual activities—any network of smart devices can and will be susceptible to attack.
For instance, in 2015 Russian hackers subverted a smart power grid in Ukraine, interrupting power to nearly a quarter-million customers, and two years later Irish electrical utilities and then U.S. public utilities—including a nuclear power plant—were victims of cyberattacks.
And it’s easy to understand the potentially devastating impact of cyberattacks rippling throughout vital aspects of our critical infrastructure, from traffic management systems to hospitals’ power-generation facilities.
But there are many other negative impacts of cyberattacks on our smart grids; they may not be as life-threatening as turning off power to dialysis machines or heart monitors, but problems like “stolen” power, incorrect billing information, and unplanned downtime have the potential for massive economic, operational, compliance, and brand reputation damage to utilities and their customers.
“Fortunately, electrical utilities already have a pretty heightened awareness of the importance of cybersecurity, because they understand they are high-visibility targets for hackers,” noted Del Rodillas, director of product marketing for industrial and IoT cybersecurity at Palo Alto Networks. “They are usually very sensitive to being ‘internet-safe,’ and they intuitively realize that adding smart meters and systems like advanced metering infrastructure to their grids has the potential for real downside if security is not planned for and properly deployed.”
Rodillas pointed out, however, that like IoT devices, smart meters and other elements of smart electrical grids pose very real and potentially significant cyber risks. “They’re typically running an embedded operating system, with low resources to devote to memory and other functionality,” he said. “Smart meter designers are not going to want to implement security on those devices—and in many cases, they simply don’t have the physical ability to do so.”
“They also have to confront the need to have services running on those devices as long as possible without disruptions, which reduces their ability to do routine security patching. This makes these devices inherently insecure. You have to assume they are going to be exploited, because they are going to have vulnerability gaps for prolonged periods of time. That’s why smart grid designers and operators need to account for cybersecurity from the inception of their projects.”
And the impact on utilities goes far beyond customers wanting to “steal” energy without being billed for it. For instance, if hackers attack these vulnerable endpoints, they can go upstream to a central control point, compromise a server, and manipulate the rest of the network to disrupt energy transmission or generation. We’ve already seen that it’s easy for hackers to pivot from a utility’s business network into its operational technology networks, and it can happen just as easily by entering through sensors or smart meters, then penetrating business networks.
This is where having a cybersecurity platform, rather than a series of security point products dedicated to smart meters or sensors, makes a lot of sense, because it provides a comprehensive security “blanket” that can more easily be updated, patched, scaled, or re-tasked depending on vulnerability status.
Automation also is critical here as more and more smart meters and other smart grid components come online—thus expanding the number of threat vectors. Utilities—like every other type of organization—face significant cybersecurity skills gaps that can’t be filled solely by hiring more security technicians. Only through the use of machine learning algorithms and other automation tools can utilities keep pace with the bad guys.
For business leaders involved in the planning, rollout, and ongoing management of smart grids, there are a few key points to keep in mind, according to Jamison Utter, director of IoT business development at Palo Alto Networks.
“First, don’t count solely on the security integrity of the devices,” he said. “They are cheap, because they need to be, and they’re not going to have sufficient security built into them.
“Second, build a strong overall cybersecurity architecture that is platform-based and highly automated. Third, be honest with yourselves and acknowledge that you will have to deal with highly targeted cyberattacks, and plan accordingly. And finally, think of cybersecurity as a critical safety issue for your organization and your people. Just as utilities take great pains to ensure that on-the-job accidents don’t jeopardize linemen and other technicians, you need to be sure that cyber threats don’t bring down your networks, compromise your customers’ privacy and identity, or disrupt your revenue streams.”
Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties over the past several decades.