Not Too Smart: Cyber Security Flaws in the Smart Grid

When the power goes out in many parts of the United States, utilities aren't aware of the blackout until a customer picks up the phone and tells them. That's inefficiency.

Contrast that with an outfit like Wal-Mart, where HQ in Bentonville knows when a freezer door has been open for too long at the supercenter half a continent away in Massapequa and contacts store personnel to stop letting all those Btu's go to waste. That's efficiency.

The smart grid - the integration of modern IT with the electric power system - is supposed to kick the utility industry's efficiency performance up more than a few notches. If the promises hold true, smart grid will improve system reliability, reduce the frequency and scale of blackouts, reduce the need for emissions-spewing "peaker" power plants for meeting peak loads, and facilitate integration of renewable power plants and even electric cars into the network.

Everything is a tradeoff. All the fancy IT connected to the Internet will exacerbate a vulnerability of the modern age - the threat of cyber attacks, from "script-kiddies" with too much time on their hands to deadly serious cyber criminals and state-sponsored cyber spooks who know all the tricks for burrowing into an IT system.

Last week, the Center for Strategic and International Studies (CSIS) and McAfee, Inc. released a cyber security report that reported what a big, juicy target electric power systems are for the cyber attack set. "One of the more startling results of our research is the discovery of the constant probing and assault faced by these critical utility networks," the report noted. "Some electric companies report thousands of probes every month."

A 2010 report by the North American Electric Reliability Corporation (NERC), which under federal law enforces reliability standards for the "bulk power sytem," listed several ways that sophisticated cyber attackers could take a virtual 2 x 4 to the grid: distributed denial of service attacks, rogue devices that feed false data to system operators, and malware - malicious code like the Stuxnet virus that sabotages automated control systems and which, rumor has it, was released to throw a monkey wrench into Iran's nuclear weapons development program. According to the CSIS-McAfee report, 46 percent of the power industry respondents whom the study authors spoke to said they had found Stuxnet in their systems.

What could sophisticated cyber attackers do to a power system gussied up with smart grid technology? They could order the system to cause blackouts. How? Several ways.

At a 2007 test carried out at Idaho National Laboratory, researchers penetrated a control system for a generator, tampered with its operating cycle, and threw it out of control. "A video of the incident shows the target generator shaking, smoking, and grinding to a stop," the CSIS-McAfee study said.

In 2009 testimony before a House subcommittee, the Federal Energy Regulatory Commission's (FERC) reliability director said attackers could "order metering devices to disconnect customers, order previously shed load to come back on line prematurely, or order dispersed generation sources to turn off during periods when load is approaching generation capacity, causing instability and outages on the bulk power system."

Here's a scenario that illustrates what the FERC guy was talking about - a utility equipped with smart grid runs a demand-response program in which industrial plants agree, for a payment, to have some of their equipment switched off remotely during periods of high demand, when the power system is stretched to the max. It's a hot summer afternoon with air conditioners blasting all over the city. The demand-response program is supposed to order pumps, motors, and other power-consuming gear at those industrial plants to power down. But nothing happens. A cyber attacker has penetrated the demand-response program and sabotaged it. The overloaded grid sags and the city goes dark.

The federal government is well aware of the potential dangers, but potential solutions are stuck in the molasses of bureaucracy, turf battles, and inertia.

FERC has final say-so over reliability standards for the "bulk power system" - interstate transmission lines, for example. FERC, however, wants reliability jurisdiction over local distribution systems where FERC's remit currently does not run. Distribution utilities and the state commissions that regulate them, however, are wary of letting a federal reliability sheriff muscle into town.

Leaders of the Senate Energy and Natural Resources Committee have released a bipartisan "discussion draft" bill that would beef up FERC's authority to impose cyber security standards across the grid. That is likely to precipitate a turf battle. The committee plans hearings in May.

The experts and politicians will have to get cyber security right. All of the cost reduction and clean energy promises of the smart grid would come to nought if the technology that promises so many benefits were too easily used to cause harm.