The US utility industry has already invested massively in smart grid technology but has failed to make a similar investment in cybersecurity for that technology, judged Bob Lockhart, senior analyst with Pike Research.
The American Recovery and Reinvestment Act “created a gold rush mentality” with utilities and vendors submitting requests for smart grid funding without considering cybersecurity requirements, Lockhart noted.
Supervisory control and data acquisition (SCADA) systems for the smart grid are particularly vulnerable.
"Many SCADA systems were deployed without security in the belief that SCADA would always be isolated from the Internet. But it's not, and even when it is, attacks such as Stuxnet can circumvent the isolation by using USB memory sticks to spread”, commented Lockhart.
“SCADA security has different objectives than IT security. The familiar 'confidentiality, integrity, and availability' is replaced with 'safety, reliability, and integrity.' This is nearly impossible to accomplish with the infrastructure-only approach taken by most information security products", he added.
Security vendors have taken one of three approaches to entering the smart grid market, explained the Pike Research analyst. Some have focused on ICS security since their founding. Newcomers to ICS security have hired long-time energy industry veterans to run their energy business. Others have simply rebranded existing products as “smart grid ready” and sold them based upon the widespread adoption of their products in IT environments, he observed.