Smart Grid Privacy And Security Risks Loom For Agencies

NEW YORK - - The effort to modernize America's electric grid is well underway, with nearly $8 billion in federal funding since 2009 and states across the country hastening to deploy everything from electronic smart meters for homes to regional sensors capable of detecting and responding to power outages.

But major privacy and security problems for the smart grid effort could be on the horizon and present a host of challenges to federal agencies, according to multiple smart grid technology and policy experts.

The issue of smart grid privacy is already being addressed on the west coast as the California Public Utilities Commission CPUC recently issued a bill that will standardize privacy measures and price and usage data security for all major California electrical utilities. Read the full story: Customers Claim Top Priority In California Smart Grid.

Funding and deployment during what some call the "smart grid gold rush" has vastly outstripped the federal government's ability to develop meaningful privacy and security standards and regulations within one of the nation's most critical infrastructures.

And efforts in Congress to put one agency, such as the Department of Homeland Security, in charge of securing the grid could add to the chaos surrounding security and privacy.

"There's a lot of hand-wringing going on at the federal level, especially in Congress, because there's concern that nobody really owns the security of the electric grid," said Ernie Hayden, Managing Principal for Energy Security at Verizon Business. "Nobody is in charge of electric grid security holistically."

"No one was really thinking about security during the early days of technology deployment." - Usman Sindhu

Usman Sindhu, Senior Research Analyst at IDC Energy Insights, said it would be impossible to pinpoint one particular agency that is responsible for smart grid security standardization.

"At this time there are many organizations trying to achieve the same thing in different ways," he said.

According to the National Institute of Standards and Technology NIST, the smart grid effort will ultimately result in the nationwide networking of sensors throughout the bulk electric transmission and distribution systems, industrial control systems, back-office networks, millions of smart meters at homes, businesses and government agencies, and devices within homes that will be able to communicate and share data directly with the grid.

This futuristic model of electricity supply and demand has monumental implications for security and privacy.

The Not-So-Secure Grid

The uncertainty about what agency is responsible for securing the grid comes as smart grid technology deployment continues at breakneck pace. At least 25 states have already adopted smart grid policies and started deployments of electronic smart meters for homes, businesses and major metropolitan areas. And this so-called smart grid "gold rush" has already encountered several significant security breaches.

In 2009, for example, Seattle, Washington-based IOActive Inc., successfully reverse engineered a smart meter--known as Advanced Metering Infrastructure AMI--and demonstrated the ability to inject a worm into the grid that would grant a hacker full control over the grid devices. The tests also revealed that the worm could spread like wildfire throughout the grid, potentially allowing the hackers to shut down massive portions of electricity to major cities, critical infrastructures and government agencies.

Verizon has also discovered problems with some smart meters being sold on the market. In one case, a smart meter developer claimed their device was encrypted but Verizon's tests showed it was protected only by a basic authentication mechanism, said Hayden.

"You've got meter and component vendors building equipment and claiming it is secure, but they're not secure against any one particular standard," he said.

Hayden added that this is a major concern from a homeland security perspective, as flaws in the smart grid devices being deployed could easily allow other nations or terrorist groups to shut down the grid in advance of other attacks.

"No one was really thinking about security during the early days of technology deployment," said Sindhu. Some companies, for example, discovered that they needed to upgrade the firmware on the smart meters but "had no way to do it unless the meters were left unencrypted for days and sometimes weeks."

The Not-So-Private Smart Grid

Privacy concerns are another aspect of the smart grid plan driving security. Although many states are beginning to put pressure on technology developers and local utilities to ensure they meet certain security standards for protecting personal data, there has been little or no effort at the federal level to ensure compliance.

Part of the reason for this, said Hayden, is because there are still no national standards for smart grid security or privacy.

"I don't know if there's ever been any accountability on that," said Hayden. "And no one has any oversight of security for distribution. Vendors can tell you they're going to do all this stuff, but nobody is holding them accountable."

With increasing volumes of personal data in electronic form today, building privacy into the smart grid is an important issue for both agencies and citizens. Read more about what utilities are doing to address privacy concerns in How To Keep Privacy From becoming A Smart Grid Show-Stopper.

The massive amount of data being collected by smart grid components and the need to store that data, is partly what is driving new, but disparate, security and privacy regulations at the state level.

"In the old days, electric meters were capable of collecting one data point per month," said Hayden. "With the smart grid, they're talking about accumulating data ever 15 minutes," he said. "Utilities are not known for being very good at managing storage. So now you have to worry about security, privacy and data mining issues."

Who Will Take Charge?

George W. Arnold, the National Coordinator for Smart Grid Interoperability at NIST, said in a recent paper published by the Institute of Electrical and Electronics Engineers IEEE, that there are currently more than 20 technical standards development organizations working on smart grid. Adding to the confusion are the cross-border requirements to interoperate with Canada and Mexico, and the attempt to engage hundreds of technology companies and governments around the world, including Europe, Japan and China.

Despite all the potential security and privacy issues that could arise from smart grid rollouts, the US continues to wrestle with the notion of central accountability for securing the grid.

Members of Congress have introduced competing legislation, with some favoring DHS and others arguing authority should fall to the Federal Energy Regulatory Commission FERC. Confusing matters further is an effort by the Department of Energy to form a so-called Advanced Metering Infrastructure Security Task Force with 11 utility companies.

Sindhu said regional level committees established by the North American Electric Reliability Corporation NERC have been focusing largely on compliance for the transmission of bulk electricity.

"But what is different here is that smart grid focuses on the distribution side of the grid," he said. "So whatever NERC mandates will still focus on bulk transmission, leaving local distribution without any legislation or regulation."

But the question of who has jurisdiction remains up for debate.

"FERC has no jurisdiction over distribution and NERC has no jurisdiction," said Hayden. " The only real jurisdiction over the distribution level is nominally the public utility commission [at the local level]."

So far, the efforts by both NIST and FERC have come into question. In a January 2011 report by the Government Accountability Office GAO, the investigative arm of Congress, investigators criticized both NIST and FERC for dropping the ball on security.

While NIST had failed in its guidelines to address physical and cyber attack risks to the smart grid, the FERC continues to lack enforcement authority and "has not...coordinated with other regulators to monitor whether industry is following the voluntary smart grid standards it adopts," the GAO concluded.


in Year