As the “smart grid ecosystem” continues to grow in size, functionality, and sophistication, it is becoming a high-profile target for cyber attacks that could lead to virtual chaos, according to a report just released by Boulder, Colorado-based Pike Research.
Pike forecasts that assaults on the grid will, in all likelihood, sabotage large industrial control systems, where adversaries can get “the most bang for the blitz,” rather than individual smart meters at customer endpoints.
The white paper, "Utility Cyber Security," cautions that the energy industry is still unprepared for such incursions, even though the security vulnerabilities of the electrical grid have been a major topic of discussion worldwide as utilities forge ahead with smart grid deployment initiatives.
"Utility cyber security is in a state of near chaos," commented senior analyst Bob Lockhart. "After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended. That said, Pike Research has observed a dawning awareness by utilities during the past 18 months of the importance of securing smart grids with architecturally sound solutions. There is hope."
From Lockhart’s perspective, cyber security solutions remain challenging to implement, especially as attackers gain awareness of the holes between point solutions. He believes that the utility cyber security market will be characterized by a frantic race to gain the upper hand against the attackers, while at the same time strong competitors attempt to outdo each other.
The Pike report identifies seven key trends in smart grid cyber security that will be major issues for the industry over the next few years:
1. One size does not fit all: Cyber security investments will be shaped by regional deployments — The smart grid cyber security threat is clearly a global issue, with potential attacks coming from virtually anywhere, targeting anyone, and for a wide range of possible intents. But the underlying technologies differ by region, by segment, and by segment within a region. To cite examples at the extremes, smart meter adoption rates in North America have been quite a bit more aggressive than electric vehicle (EV) adoption rates in the Middle East and Africa, representing different cyber threat surfaces. Both adoption rates are likely to change, as new markets open or reach saturation.
2. Industrial control systems, not smart meters, will be the primary cyber security focus — ICS security will grow faster and will generate more investment than smart metering security. There will be more investment in smart grid control systems — transmission upgrades, substation automation, and distribution automation — than in smart metering. In turn, those investments will drive cyber security installations.
3. Assume nothing: “Security by obscurity” will no longer be acceptable — The discovery of the Stuxnet virus during the summer of 2010 demonstrated that control networks are no longer secure simply because they are isolated from enterprise networks. Stuxnet also demonstrated that motivated attackers are willing to learn arcane technologies, such as the control sequences for a specific model of centrifuge. Stuxnet was a mission and not simply a piece of malicious code. It was not detected until after it had accomplished its purpose and, most likely, evaded detection for more than a year after its release. Few utilities, vendors, or analysts are willing to discuss the prospect that even more sophisticated attacks may now be in progress and have, so far, completely evaded detection. However, that must be considered a probability, not merely a possibility. Utilities, and especially their operations teams, have become more skilled and aware of control system cyber security issues during the past 12 to 18 months. Operations managers are now asking security vendors pointed questions. Pike believes that this will result in the appearance of more control systems security products and in more investments in security through the end of 2018.
4. Chaos ahead? The lack of standards will likely hinder action — No enforceable smart grid security standards exist anywhere in the world for power distribution grids. The greatly discussed U.S. NERC CIP standards only apply to generation and transmission, although some of this has leaked into stimulus-funded distribution network projects. Other regulations or legislation may apply to specific situations, such as data privacy laws or payment card industry standards. This lack of enforceable requirements leads to a scene of mass chaos in utility cyber security. Many utilities — as with large companies in any industry — only will invest in cyber security when financial punishment for not investing is threatened. Conversely, utilities and vendors that would like to take action now to produce secure smart grids face a quandary: Which guidelines are going to survive? This lack of clarity is causing a number of utilities — and cyber security vendors — to take a wait-and-see posture.
5. Aging Infrastructure: Older devices will continue to pose challenges — Smart metering systems are of recent enough vintage that all support modern communications protocols that protect information confidentiality and integrity. However, some supervisory control and data acquisition (SCADA) systems have been in place much longer than smart metering and may still have many devices running serial protocols, such as MODBUS, which has no built-in security features. It is nearly axiomatic that SCADA devices will be replaced when their service life expires, not sooner (although possibly later). Security assessments are unlikely to result in a large-scale technology refresh, simply to replace old devices with better-defended modern devices. It is possible that a large-scale disaster caused — or not prevented — by inadequate cyber security could result in an earlier technology refresh. However, it is more likely that these older devices will be around until they are retired. SCADA networks must support a mix of old and new, possibly for another 30 years until all the old devices’ service lives have run their course. This coexistence of modern and legacy devices presents unique architectural and security challenges.
6. System implementation will be more important than component security — It is possible to have a system in which 100 percent of the components are secured, but the system as a whole is not secure at all. Cyber security works to protect a whole entity and attackers look for holes. The strongest adversaries are not going to waste time attacking a component device that is known to be a fortress. One cyber defense expert said, “Do not fear hackers. Fear engineers who hack.” Security is only as strong as its weakest link and the best attackers know instinctively to look for that weak link.
7. The Top Five Most Promising Smart Grid Cyber Security Technologies — The report provides insights into the cyber security technologies that are most likely to work in a future scenario. Among them are: multi-factor authentication, control network isolation, application whitelisting, and data encryption.
Finally, the report points out that “the definition of home energy management (HEM) solutions and the required home area networks (HANs) was in disarray as this paper was written.” It is not clear what HAN approaches will prevail — whether customer data will travel via advanced metering infrastructure (AMI) wide area networks (WANs), consumers’ Internet service providers (ISPs), or even dedicated HEM networks. This lack of standards makes selecting the right security solution for HEM an exercise in risk management and investment protection. “It is not clear how to select an HEM security solution with any confidence that it will still be around in two years,” said the authors.
The paper, which includes commentary and predictions about the state of smart grid cyber security in 2012 and beyond, is available for free download on Pike Research's website.
Cheryl Kaften is an accomplished communicator who has written for consumer and corporate audiences. She has worked extensively for MasterCard Worldwide, Philip Morris USA (Altria), and KPMG, and has consulted for Estee Lauder and the Philadelphia Inquirer Newspapers. To read more of her articles, please visit her columnist page.
Edited by Rich Steeves