Power Hackers: The U.S. Smart Grid Is Shaping Up to Be Dangerously Insecure
Achieving greater efficiency and control requires hooking almost every aspect of the electricity grid up to the Internet, making it more vulnerable to cyber attacks
Magazine or Newspaper Article, Scientific American
Author: Melissa Hathaway, Senior Advisor, Explorations in Cyber International Relations
Belfer Center Programs or Projects: Explorations in Cyber International Relations
President Barack Obama's talk about the need for a "smart grid" sounds, well, smart. What's not to like about the idea of an electricity grid that can work at top efficiency? By wrapping power transmission lines in advanced information technologies and the Internet, a smart grid would enable us to integrate alternative energy sources such as rooftop solar panels and local wind turbines into the power supply, balance supply with demand and optimize the flow of power to each consumer, even down to the level of individual appliances. It would vastly improve the reliability, availability and efficiency of the electric system. As currently envisaged, however, it's a dangerously dumb idea.
The problem is cybersecurity. Achieving greater efficiency and control requires hooking almost every aspect of the electricity grid up to the Internet, from the smart meter that will go into each home to the power transmission lines themselves. Connecting what are now isolated systems to the Internet will make it possible to gain access to remote sites through the use of modems, wireless networks, and both private and public networks. And yet little is being done to make it all secure.
The grid is already more open to cyberattacks than it was just a few years ago. The federal government has catalogued tens of thousands of reported vulnerabilities in the 200,000-plus miles of high-voltage transmission lines, thousands of generation plants and millions of digital controls. Utilities and private power firms have failed to install patches in security software against malware threats. Information about vendors, user names and passwords has gone unsecured. Logon information is sometimes unencrypted. Some crucial systems allow unlimited entry attempts from outside.
As the power industry continues to invest in information technology, these vulnerabilities will only get worse. Smart meters with designated public IP addresses may be susceptible to denial of service attacks, in which the devices are overwhelmed with spurious requests, the same kind of attacks now made on Web sites. Such an attack could result in loss of communication between the utility and meters, and the subsequent denial of power to your home or business.
The smart grid would also provide hackers with a potential source of private information to steal. Just as they use phishing attacks to elicit passwords, credit-card numbers and other data stored on home computers, hackers could find ways of intercepting customer data from smart meters. A sophisticated burglar might use these data to figure out when you're away on vacation, the better to rob your house.
Customer data could also give hackers a way to bring down the grid. Smart meters injected with malware, for instance, could disrupt the grid just as networks of PC botnets (home computers hijacked by viruses) now disrupt the Internet. A network of drone smart meters could cause a swath of the grid to power down, throwing off the grid's electrical load. The imbalance would send large flows of electricity back to generators, severely damaging them or even blowing them up.
A smart grid isn't a bad idea if we build cybersecurity into it from the start. But we're not doing that. Under the smart grid funding programs, part of the fiscal stimulus package, the government has released $3.4 billion for a nationwide smart grid and plans to spend more than $4 billion more, but the Department of Energy has only recently begun to address the security requirements. So far utilities have been so focused on tamping costs that they haven't been willing to pay for robust across-the-board security measures. Regulation alone won't be enough.
What we need is a partnership among the standards setters, the regulators and industry to build security into the system from the ground up. These measures would include procedures for assessing the security of smart grid devices and other systems, for certifying personnel and business processes, and for compensating power companies for their security investment. We also need more research into improving the security of computer chips and other hardware that gets installed in the grid. We need a plan to deal with grid failures. We need international cooperation and research into forensic technology to deal with attacks from abroad. The energy sector could take a page from financial firms, which do a good job of ensuring that Internet-based transactions are secure. We do not need to abandon the idea of a smart grid. But we need to be much smarter in planning it, with cybersecurity as a key element, not an afterthought.