The four layers of Smart Grid Security
Globally one of the energy topics atop many electric utility executive’s minds is what we are all calling the “Smart Grid.” Of course what constitutes the Smart Grid can mean many different things from new digital meters on someone’s house to advanced Flexible AC Transmission Systems (FACTS) to new sensors on transmission lines and substations. Regardless of the exact deployment for an electric utility, a key consideration – something on my agenda every day – is the security of the Smart Grid deployment.
What exactly does “security” mean? What does it include? That’s what I’d like to explain.
First of all, a very simple axiom for security is the “CIA” model. That is, security means that we need to protect the equipment and information so that the necessary Confidentiality, Integrity, and Availability of the system in question are maintained. For instance you can hide that information from view through encryption thus maintaining its confidentiality. Integrity means that the information cannot be changed without one realizing it was modified. And of course the term availability means that the system or information or equipment is there and usable when it is needed.
So, for the Smart Grid we need to keep the CIA in mind. However, what are the next things we need to worry about?
This brings me to the Four Layers of Smart Grid Security.
Security of the Smart Grid can be defined and segmented into four layers of concern that require the electric utility’s attention. These layers include:
• Physical protection
• Cyber security and defense
• Privacy protection, and
• Data management and storage
Physical Protection
First and foremost you need to protect your smart grid assets from theft, vandalism and modification by miscreants. You also need to protect your assets from the weather, earthquakes, floods, and cyclones. You take these actions to reduce equipment replacement costs and to protect against someone breaking into your smart meters or sensors and loading a cyber worm or virus that can attack your system.
An interesting thought experiment about this concern was demonstrated by a Seattle information security company called IOActive at the Black Hat Conference in Las Vegas in 2009. At this conference IOActive showed how they had disassembled a smart meter, learned how it worked from a cyber perspective, and then imagined what would happen if a smart meter in a Seattle neighborhood had a cyber malware/worm installed. IOActive showed that their work could result in 15,000 meters being infected and dysfunctional in a matter of 24 hours. This exercise was examined by many cyber experts and the consensus was that such an attack is very viable.
Hence, this is a good reason to figure out ways to protect your smart meters and sensors and keep the attacker from gaining physical access to the inside of the meter.
Cyber Protection
Because the smart meters, smart sensors and advanced communications devices are essentially all computers and microprocessors they can all be subject to cyber attacks ranging from denial of service to “man-in-the-middle” injects to reading (stealing) or changing the data in transit.
Just think of the implications of any of these attacks. Essentially these attacks can seriously impact your “CIA” management and could result in angry customers and failures in your smart grid system.
For your cyber protection you need to consider such techniques as encrypting and/or “tunneling” the data in transit to keep someone from reading / stealing the information. Also, you may want to consider such techniques as “hashing” the data so that you can immediately identify if your data has been changed while in transit.
Privacy Protection
In many places of the world privacy of personal information is truly an operational imperative. For instance in the European Union and Canada the privacy dialogue is at the forefront. Privacy of smart grid data is becoming an important issue in the EU and Canada but also is becoming a key point of review in California and Ohio in the U.S.
Why is this even being discussed?
Smart grid data – especially from smart meters at individual homes and apartments – contains information that could be used to actually determine the lifestyle of the individuals living in the metered house. There have been studies done to show that smart meter data taken every 15 minutes could reveal such information as when a person arises in the morning and retires at night. When they turn on the oven or stove and when they use their washer and dryer. In fact you could also determine if someone is home – which a potential burglar would be very interested.
Because of this data, electric utility executives need to realize that this data needs to be protected. Unauthorized release of this “personal data” could be considered a “data breach” subject to litigation and possible law suits. Hence, the privacy of this data is one more layer to be addressed.
Data Management and Storage
As the smart grid concept evolves one new surprise for many utility executives is all the data that will be generated by the smart meters and intelligent devices. For instance Austin Energy in the United States state of Texas is one of the pioneers in the smart grid domain. For instance, with Austin Energy moving their meter data collection from monthly to hourly readings will increase their data handling by over 730 times. Austin Energy also notes that with their Phase 1 Roll Out of 500,000 meters would result in their yearly data storage requirements increasing from 20 TerraBytes (TB) to 200 TB inclusive of disaster recovery redundancy.
This massive change in the data management and storage requirements for utilities is considerable. Utility executives will need to put their arms around this issue before data is lost, damaged or stolen.
By the way, 200 TB is nothing when you look at other utilities reporting that they may have over 100 PetaBytes of data accumulated over 10 years.
Ernest Hayden, Managing Principal, Verizon Business