Watchdogs sniff out six critical cybersecurity challenges facing the electrical grid

As the country's electricity grid undergoes a transformation and moves toward a more intelligently networked, automated system, it faces an increasing number of cybersecurity issues.

Watchdogs at the Government Accountability Office today said while the increased use of smart grid systems may have a number of benefits, "including improved reliability from fewer and shorter outages, downward pressure on electricity rates due to the ability to shift peak demand, an improved ability to transmit power from alternative energy sources such as wind, and an improved ability to detect and respond to potential attacks on the grid," many challenges remain.

In its report, the GAO identified the following six challenges that are key to ensuring the cybersecurity of the nation's electricity grid.

• Lack of information: Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems. Specifically, there is concern that consumers are not aware of the benefits, costs and risks associated with smart grid systems. This lack of awareness may limit the extent to which consumers are willing to pay for secure and reliable systems, which may cause regulators to be reluctant to approve rate increases associated with cybersecurity. As a result, until consumers are more informed about the benefits, costs and risks of smart grid systems, utilities may not invest in, or get approval for, comprehensive security for smart grid systems, which may increase the risk of attacks succeeding.

• Lack of focus: Utilities are focusing on regulatory compliance instead of comprehensive security. The existing federal and state regulatory environment creates a culture within the utility industry of focusing on compliance with cybersecurity requirements, instead of a culture focused on achieving comprehensive and effective cybersecurity. Specifically, experts told the GAO that utilities focus on achieving minimum regulatory requirements rather than designing a comprehensive approach to system security. In addition, one expert stated that security requirements are inherently incomplete, and having a culture that views the security problem as being solved once those requirements are met will leave an organization vulnerable to cyber attack. Consequently, without a comprehensive approach to security, utilities leave themselves open to unnecessary risk.

• Lack of security features: There is a lack of security features being built into smart grid systems. Security features are not consistently built into smart grid devices. For example, experts told the GAO that certain currently available smart meters have not been designed with a strong security architecture and lack important security features, including event logging and forensics capabilities, which are needed to detect and analyze attacks. In addition, the GAO stated that smart grid home area networks — used for managing the electricity usage of appliances and other devices in the home — do not have adequate security built in, thus increasing their vulnerability to attack. Without securely designed smart grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring.

• Information sharing: The electricity industry does not have an effective mechanism for sharing information on cybersecurity and other issues. The electricity industry lacks an effective mechanism to disclose information about smart grid cybersecurity vulnerabilities, incidents, threats, lessons learned and best practices in the industry. For example, the GAO stated that while the electricity industry has an information sharing center, it does not fully address these information needs.

According to the GAO, information about incidents, including both unsuccessful and successful attacks, must be shareable in a safe and secure way that avoids publicly revealing the reported organization and penalizing entities actively engaged in corrective action. Such information sharing across the industry could provide important information regarding the level of attempted cyber attacks and their methods, which could help grid operators better defend against them. If the industry pursued this end, it could draw upon the practices and approaches of other industries when designing an industry-led approach to cybersecurity information sharing. Without quality processes for information sharing, utilities will not have the information needed to adequately protect their assets against attackers.

• Measure success?: The electricity industry does not have metrics for evaluating cybersecurity. The electricity industry is also challenged by a lack of cybersecurity metrics, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. The GAO noted that while such metrics are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combine to make the most secure system. Furthermore, experts said that having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.

• Regulation issues: Aspects of the current regulatory environment make it difficult to ensure the cybersecurity of smart grid systems. In particular, jurisdictional issues and the difficulties associated with responding to continually evolving cyber threats are a key regulatory challenge to ensuring the cybersecurity of smart grid systems as they are deployed. Regarding jurisdiction, experts expressed concern that there was a lack of clarity about the division of responsibility between federal and state regulators, particularly regarding cybersecurity. While jurisdictional responsibility has historically been determined by whether a technology is located on the transmission or distribution system, experts raised concerns that smart grid technology may blur these lines. For example, devices such as smart meters deployed on parts of the grid traditionally subject to state jurisdiction could, in the aggregate, have an impact on those parts of the grid that federal regulators are responsible for — namely the reliability of the transmission system.

There is also concern about the ability of regulatory bodies to respond to evolving cybersecurity threats. For example, one expert questioned the ability of government agencies to adapt to rapidly evolving threats, while another highlighted the need for regulations to be capable of responding to evolving cybersecurity issues. In addition, experts expressed concern about agencies developing regulations in the future that are overly specific in their requirements, such as those specifying the use of a particular product or technology. Consequently, unless steps are taken to mitigate these challenges, regulations may not be fully effective in protecting smart grid technology from cybersecurity threats.

Follow Michael Cooney on Twitter: nwwlayer8
