The EU’s 27 member states have pledged to collectively get to the point of using 20% renewable energy, reduce CO² emissions by 20% and increase energy efficiency by 20% by, you guessed it, 2020. However, to get there requires the migration of the aging legacy utility grid to an IP-based, connected “smart grid” system that can optimize energy production and distribution according to actual consumption requirements. The problem, of course, is the potential for opening the doors to critical infrastructure systems to hackers.
The European Network and Information Security Agency (ENISA) is rushing to be proactive with an exhaustive study entitled, “Appropriate security measures for smart grids: Guidelines to assess the sophistication of security measures implementation.”
“The development of an efficient, reliable and sustainable environment for the production and distribution of energy in the future is linked to the use of smart grids,” ENISA noted in the report. “Various market drivers, regulatory or standardization initiatives have appeared or gained importance as tools to help involved stakeholders to be prepared against smart grids security vulnerabilities and attacks.”
The perception and the approach taken on this topic differ among stakeholders, ENISA noted, which is prompting it to tackle the creation of a common approach to addressing smart grid cybersecurity measures.
The ENISA propositions fall into 10 research areas: Security governance and risk management, management of third parties, secure lifecycle process for smart grid components/systems and operating procedures, personnel security, awareness and training, incident response and information knowledge sharing, audit and accountability, continuity of operations, physical security, information systems security and network security.
ENISA also noted that advanced ICT systems are at the core of an effective smart grid implementation. Also industrial control systems (ICS) and related operational technology (OT) need to be taken into account, and all processes across the whole value chain are heavily based on these infrastructures and technologies.
“Smart grids give clear advantages and benefits to the whole society, but the dependency on ICT components (e.g. computer networks, intelligent devices, etc.), ICS (e.g. supervisory control and data acquisition systems, distributed control system, etc.), OT (e.g. firmware, operating systems, etc.) and the internet makes our society more vulnerable to malicious attacks with potentially devastating results on smart grids,” said ENISA. “This can happen in particular because vulnerabilities in smart grid related communication networks and information systems may be exploited for financial or political motivation to shut off power to large areas or directing cyber-attacks against power generation plants.”
Some say that the US could take a page from the EU’s approach, particularly in the wake of the discovered SCADA vulnerabilities that make industrial info-infrastructure a startlingly vulnerable area.
“It's a pretty much common knowledge among IT professionals that the state of security within US critical infrastructure systems is laughable,” noted Threatpost blogger Brian Donahue. “So the EU's intention to implement security into its smart grid as it is expands is praiseworthy. For our part though, the Federal Energy Regulatory Commission (FERC), America's energy watchdog, announced the creation of a new office in September, the Office of Energy Infrastructure Security (OEIS), tasked with identifying, communicating and advising on risks to FERC facilities stemming from cyber attacks and physical attacks.”