Security Now

Security Now

August 07, 2009

Paul Korzeniowski

Across the country, energy providers are prepping for dramatic changes to their distribution networks. Information will automatically be relayed to back office systems, so that power companies can monitor demand and avoid buying from the spot market.

In addition, customers will be able to program their air conditioning systems to raise temperatures during times when energy pricing is high. And they may even be able to communicate with everyday consumer devices. That is the good news.

But as Sir Isaac Newton observed more than 300 years ago, the bad often comes with the good. Smart grids open up energy networks to outsiders. The intelligent devices stationed in individuals' homes can also be used to gain access to energy networks. In some cases, the threats are similar to those in other industries, such as identity theft. More ominously, the challenge can come from terrorists or foreign governments focused on knocking power out for as long as possible and adversely impacting life in the United States.

So as these smart grids are rolled out, the question arises: Can energy suppliers keep their networks safe? "If the power goes down, the cascading effects quickly manifest themselves, and they can be devastating," said Michael Chertoff, former secretary of the Department of Homeland Security. During natural disasters, the lack of power means that goods cannot be moved and businesses cannot open.

Because energy is such an important cornerstone for businesses and consumers, utilities have to maintain a delicate balancing act as they embrace smart grids. They want to extend their reach into customers' homes and businesses but they need to make sure it is done in a secure fashion.

That challenge is difficult because recently the profile of typical hackers has changed. "Hacking has become an appealing career to many career criminals," noted Pete Lindstrom, research director at Spire Security. Spamhaus, an organization that monitors spam activity, identifies the world's Top-10 spammers. Its list usually consists of Eastern Europeans associated with the Russian mafia.

The crooks have devised an ever-expanding array of scams, many much more devastating than knocking individual PCs out of commission with viruses. Now they infect users' computers and turn them into drones that send out unwanted bulk mailings.

The mass mailings are designed to line the crooks' pockets. A common scheme is pretending to be a legitimate site and asking individuals for personal data, such as bank account or credit card data. This data is then used to perpetrate identity theft. Another scam involves crooks sending out bulk mailings touting the value of inexpensive penny stocks. Unsuspecting individuals respond and drive the price of the stock up. The crooks then sell the stock, it plummets, and the consumers are left with worthless stocks.

Organized Onslaught

In addition, energy networks must overcome a few unique challenges. Terrorists and foreign governments have been trying to infiltrate energy networks.

"We need to recognize that we are working against organized, armed groups that operate in the shadows and move quickly," said Michael Assante, chief security officer of the North American Electric Reliability Corp. Because energy is so vital to Americans, these groups have been trying to break into these networks, knock out power for as long as possible, and cripple the nation's economy.

Unfortunately the older systems, designed decades ago, lack modern security features. So as they extend their networks, energy companies need to take steps to make sure their networks are not open to any of these possible intrusions. A common practice now is to put in security products, such as firewalls, that act as barriers between outsiders and corporate computer systems.

One innovation: Energy companies are relying on the ZigBee wireless network standard to connect devices such as smart meters to their networks. That includes a few important security functions that include sending encrypted information and if a hacker compromises a meter, the network should lock him out of a utility's control systems.

However, development of these next-generation devices is still in a nascent stage and all the nooks and crannies have yet to be ironed out. Take Itron, which went back to the drawing board with OpenWay Collection Engine smart meters. The product was overhauled so as to improve the processing power, memory and intelligence of the chips embedded in its meters.

"Once energy companies know what the main vulnerabilities with (information) systems are, they can incorporate that information into requirements on their procurement documents," noted Alan Paller, director of research, of the SANS Institute.

Smart grids offer energy providers many potential benefits, however, they are also fraught with possible danger. But according to experts, the utility industry has done a lot of work already to decrease those potential risks. If it continues to remain diligent, then utilities can help deliver a smarter grid that is also safer.