Security and Privacy

While distributed computing may have brought us the Internet, it also ushered in a new age of security and privacy headaches. The same will hold true for the smart grid—only worse.

“Security is a huge issue with the smart grid; it’s on such a scale that it makes security within IT look simple,” says Ralph Martinez, chief scientist at BAE Systems, a defense, security and aerospace contractor.

Certainly the stakes are higher. Last April, The Wall Street Journal reported that spies from China, Russia and other countries had penetrated the U.S. electrical grid, leaving behind software that could be used to disrupt the system. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” a senior intelligence official told The Journal. “So have the Russians.”

Scaremongering? There’s precedent to think not. According to the Government Accountability Office, in 2002, 70 percent of energy and power companies experienced some kind of severe cyber-attack to their computing or energy management systems. (Read “A Systems View of the Modern Grid,” a report published in 2007 by the National Energy Technology Laboratory for the U.S. Department of Energy.)

The big question then is, “What level of cyber-security is needed for various types of smart grid technologies, especially AMI?” asks consultant Silverstein. “To what degree is extending the two-way communications perimeter extending the grid’s vulnerability to attack?”

IT pros know that answer firsthand: substantially. At the 2009 BlackHat conference, Mike Davis, a senior security consultant at IOActive, a Seattle-based research company, demonstrated a proof-of-concept attack in which a malware was designed to propagate from meter to meter, enabling attackers to remotely shut down meters.

Assuming the same meters at each home, within one day, the malware could infect 15,000 residences. Such an attack could open the way to service disruptions and extortion attempts against the service providers.

Implicit in the concern over the security of the meters is also how the information gathered from them will be used. Smart meters gather detailed time-of-use information on customers. This concern will only grow as smart devices enter the home, providing detailed insight into the home’s power usage.

Confidentiality and privacy are critical—and not just when there are security breaches. IT vendors, such as Google and IBM, are creating applications for managing and using data from smart meters. With Google PowerMeter, for example, users can add a Home Energy gadget to their iGoogle home page and receive historical data and forecasts for energy spending.

The Big Brotherish implications are apparent. To its credit, Google says that with PowerMeter, “No personally identifying information will be shared between Google and the user’s utility.” Clearly, though, standards and consistent privacy practices need to be enacted if consumers are to be protected.

Perhaps the greatest risk that privacy and other technology challenges pose to the development of smart grids isn’t the actual loss of information. It’s the risk that utilities will continue to be overly cautious, reverting to their age-old practices of closed, secured systems.

At the Smart Grid Summit in September, the question turned to open or closed AMI interfaces. Fears about the security and privacy concerns surrounding AMI led EnerNex’s Gunther to say that he would not recommend having an open AMI interface.

To which SIP pundit Shockey retorted, “If the DoD [Department of Defense] can use open standards, then why not with the AMI?”

Shockey isn’t alone. In a recent editorial, Bob Metcalf, the inventor of Ethernet, urged consumers to petition the Federal Communications Commission to get involved in creating an open smart grid.

The shift toward a truly open and effective smart grid will hinge on people listening to experts like Shockey and Metcalf. If we, the consumers and businesses, are going to foot the bill for this new Internet revolution, then we might as well reap the full benefits of that investment.