Comment: Effective Smart Grids Require Multiple Layers of Security from the Outset

Michelle Lewis discusses the potential vulnerabilities of 'smart grids'
Michelle Lewis discusses the potential vulnerabilities of 'smart grids'

Smart grids are set to become the most significant change to the world’s electrical grid in 100 years. In the UK alone, the government wants a smart meter in every home by 2020, and experts are further predicting a 70% deployment by 2015 in Western and Northern Europe.

In the next 10 years, over 100 billion smart devices and sensors will be installed across the globe. This marks an era of greater transparency and fairer pricing by offering utility companies an economical way of measuring energy consumption, allowing them to introduce different prices for consumption based on the time of day and the season.

However, we need to think carefully about how we secure smart grids. Given the sheer scale of these grids there are a number of issues that need to be addressed, and we need to balance the benefits that the smart grid offers utility companies and consumers with the potential vulnerabilities it introduces.

Like any connected infrastructure, it is extremely important to factor in multiple layers of security from the outset, including the right policies, processes, partners and products. The landscape of security threats has evolved since the uncovering of the infamous Stuxnet, Duqu, and Flame worms, and new levels of complexity and sophistication are being experienced when we look at how attackers are currently approaching their targets.

A system’s defenses need to be capable of protecting against highly sophisticated, targeted and well-planned attacks borne of political pressures or industrial espionage, rather than previously protecting against attackers who were perhaps only seeking peer recognition, fame, or money. If it doesn’t, critical elements of your infrastructure could become visible to – or more seriously – breached by a hostile third party.

Secondly, you need to look at securing individual elements within the infrastructure, such as individual smart meters or communications hubs, to help protect your system against data or device compromise. This might involve ensuring only authenticated devices are part of the infrastructure or that all communication between the devices and back end systems is encrypted.

From a privacy perspective, smart meters potentially generate vast amounts of personal or sensitive data for utilities to manage and protect. In addition to ensuring security, authentication and privacy, we must manage the data that meters and back-end systems create.

A typical smart grid comprising 10 million smart meter end points for a single utility handles in the region of 28 petabytes of data. All this data needs to be backed up while ensuring that all auditing and compliance demands are met. Things are complicated by the fact that many utility companies work on a multi-national basis and national governments have different laws and compliance regulations, meaning grids need to comply with a number of different legislative regimes.

Due to the large amount of data generated, and the need to preserve the integrity of the data collected for long periods, specialist data retention, storage and backup strategies need to be developed. The robust strategies currently in use must be reassessed to determine whether they are fit for the smart grid environment.

It is also critical that any sensitive information is encrypted and the IT infrastructure is secure. In short, a network should have built-in security. But in building a secure system, it is also vital that it remains open and scalable. My best advice to companies is to look at what other organizations are doing. The global ‘smart grid community’ includes utility companies, service providers and manufacturers, and I’ve often found that everyone is willing to share their experiences, and all parties learn from one another.

In addition, there are new ecosystems in other markets, such as consumer electronics, that are facing the challenge of securing devices to enable new services to consumers. Because of the sheer volume of devices in these ecosystems, highly scalable security solutions supporting millions of devices have been developed and are already in use. These are worth looking at to gain insight into large-scale deployments.

The security challenges in the ‘smart grid’ age are considerable, but they are not insurmountable. The key thing to remember is that you need to develop a security strategy from the outset to minimize risk to a system, and that means every part of the ecosystem must have security built into it. Once it is, we can start to take advantage of the benefits of smart grids without jeopardizing the integrity of organizations’ critical infrastructure, customer relationships, brand reputation or revenue.

Michelle Lewis leads the Device Authentication business in EMEA for Symantec. She joined the business in mid-2010, bringing with her 25 years of experience in the IT industry, and 15 years specializing in information security and risk. Having worked for and with a number of large IT security organizations, in management and operational roles, Lewis has a wealth of experience working in both the EMEA and Asia-Pacific regions up to C-level.

What’s hot on Infosecurity Magazine?