nCircle 2012 Smart Grid Cyber Security Survey
nCircle, the leader in security and compliance auditing solutions, partnered with EnergySec, a DOE-funded public-private partnership that works to enhance the cyber security of the electric infrastructure, to sponsor a smart grid security survey of over 104 energy security professionals. The online survey was conducted between March 16 and March 31, 2012.
When asked, "Do smart meter installations have sufficient security controls to protect against false data injection?" 61% said "no".
Power grids connect electricity producers to consumers through interconnected transmission and distribution networks. In these networks, system monitoring is necessary to ensure reliable power grid operation. The analysis of smart meter measurements and the power system models that estimate the state of the power grid are a routine part of system monitoring. False data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection.
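The blind spot described above can be seen in a small linear state estimator with a residual threshold check; this is an added example, not part of the survey or code from nCircle or EnergySec. The matrix `H`, the readings, the threshold `tau` and the choice of integrity-protected meters are constructed assumptions.

```python
# Added illustration: linear state estimation with a residual-based
# bad-data check. All matrices and readings are constructed sample values.

def solve(A, b):
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [u - f * v for u, v in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def estimate(H, z):
    """Least-squares state estimate: solve (H^T H) x = H^T z."""
    n = len(H[0])
    HtH = [[sum(row[i] * row[j] for row in H) for j in range(n)] for i in range(n)]
    Htz = [sum(row[i] * zi for row, zi in zip(H, z)) for i in range(n)]
    return solve(HtH, Htz)

def residual_norm(H, z):
    """Norm of z - H x_hat, the quantity a bad-data detector thresholds."""
    x = estimate(H, z)
    return sum((zi - sum(h * xi for h, xi in zip(row, x))) ** 2
               for row, zi in zip(H, z)) ** 0.5

def flagged(H, z, tau=0.1):
    """True when the residual exceeds the (assumed) detection threshold."""
    return residual_norm(H, z) > tau

# Constructed 4-meter, 2-state model; z_clean carries small meter noise.
H = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0], [1.0, 1.0]]
z_clean = [1.01, 0.49, 0.50, 1.52]

# A gross error on a single meter is inconsistent with the model: flagged.
z_gross = z_clean[:]
z_gross[3] += 0.5

# An error that is itself model-consistent (H times a state shift) leaves
# the residual unchanged, so the check passes while the estimate moves.
shift = [0.2, -0.1]
error = [sum(h * s for h, s in zip(row, shift)) for row in H]
z_consistent = [zi + ei for zi, ei in zip(z_clean, error)]

# If meters 0 and 1 are integrity-protected (e.g. authenticated readings),
# they keep their measured values and the same error becomes detectable.
z_protected = z_clean[:2] + z_consistent[2:]
```

The residual check only tests whether the readings agree with each other under the model, which is why data integrity has to be assured at the meters and in transport rather than inferred from the estimator.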
Patrick Miller, the founder, CEO and president of EnergySec noted, "Smart meters vary widely in capability and many older meters were not designed to adequately protect against false data injection. It doesn't help that some communication protocols used by the smart meter infrastructure don't offer much protection against false data injection either. Together, these facts highlight a much larger potential problem with data integrity across the smart grid infrastructure. Because our nation relies on the smart grid to deliver robust and reliable power, we need to make sure that all systems that process usage data, especially those that make autonomous, self-correcting, self-healing decisions, assure data integrity."
Elizabeth Ireland, vice president of marketing for nCircle, noted, "A false data injection attack is an example of technology advancing faster than security controls. This is a problem that has been endemic in the evolution of security and it's a key reason for the significant cyber security risks we face across many facets of critical infrastructure. Installing technology without sufficient security controls presents serious risks to our power infrastructure and to every power user in the U.S."
When asked, "Has the hype around privacy issues associated with smart meter consumer data been overblown?" 53% said "yes" and 47% said "no".
"Smart Grid meter privacy is still a new area," said Patrick Miller, CEO of EnergySec. "State regulations are inconsistent and sensitive customer details in smart grid data vary from utility to utility. I expect the smart grid industry to struggle with several challenges around who ultimately 'owns' customer data. There are several grey areas that impact how smart grid customer data will be used as the industry attempts to maximize revenue potential. Even seemingly innocuous customer data has significant value -- just ask Facebook or Google."
- 75% of energy security professionals believe smart grid security has not been adequately addressed in smart grid deployment
- 72% of energy security professionals believe smart grid security standards aren't moving fast enough to keep up with deployment
"Security has been addressed to varying degrees in many smart grid deployments, however it is going to be a challenge to keep pace with the constantly changing security landscape," said Patrick Miller, CEO of EnergySec. "The analog and mechanical devices installed in most utilities were designed for a very different maintenance model than newer digital equipment being designed and installed today."
Elizabeth Ireland, vice president of marketing for nCircle noted, "It's pretty clear that information security professionals in the energy industry are uncomfortable with standards currently available for smart grid technology. Defining and implementing meaningful security standards is always a challenge but without standards, adoption of critical security controls across the smart grid industry is likely to be uneven at best."
When asked, "What part of the smart grid infrastructure is most vulnerable to cyber attack?" 29% said "smart meters", 41% said "metering infrastructure including transport", 20% said "utility energy management systems" and 10% said "energy management, such as phasor measurement units".
According to Patrick Miller, CEO of EnergySec, "The enormous range of technology in the smart grid presents many points of potential vulnerability, and we are moving at the speed of light to insert even more technology 'shims' into the existing network structures of the smart grid. This ever-increasing rate of complexity and hyper-embedded technology will be very difficult to secure."
"The complexity of SCADA technology combined with the range of results from survey respondents on this issue indicates that we don't have any single section of the smart grid fully secured," said Elizabeth Ireland, vice president of marketing for nCircle. "It's not surprising that energy industry security professionals deem metering infrastructure as the highest area of risk. Individual partners in any complex supply chain often have very limited visibility into the security for the entire process."
When asked, "Should regulatory oversight for smart grid distribution be transitioned to the Federal government," 40% said "yes" and 60% said "no".
According to Patrick Miller, CEO of EnergySec, "The modernized grid encompasses new digital components all the way from the toaster to the turbine. It spans local, state and federal regulatory lines. In an environment where innovation is paramount, a federal one-size-fits-all approach may significantly slow down progress. On the other hand, potential inconsistencies in regulatory approaches may introduce complexity and risk into the smart grid landscape. Either model, whether state or federally regulated, comes with pros and cons. I see the regulatory oversight of the smart grid as one of our biggest challenges with the least obvious solution."
According to Elizabeth Ireland, vice president of marketing for nCircle, "It's likely that the division of opinion on this topic reflects, at least to some degree, fundamental political beliefs. Some security professionals probably see government regulation in industry as beneficial, and some feel we should minimize the role of government in industry as much as possible. The majority of energy security professionals believe the energy industry will police itself."
When asked, "Have the American Recovery and Reinvestment Act of 2009 grants awarded to smart grid projects adequately addressed security," 67% of respondents said "no" and 33% said "yes."
According to Patrick Miller, CEO of EnergySec, "Cyber security was a component of the ARRA grant efforts and many have implemented adequate measures. The biggest challenge is gaining any degree of consistency in those measures, given the sheer number of grants processed. Ensuring that the security measures are designed for long-term security is central to their future success."
According to Keren Cummins, director of federal markets for nCircle, "A one-time, short turn-around grants program should produce good results in some specific projects. Propagating those results effectively across the entire industry will require long-term commitment and institutional change, and that's not something a one-time infusion of government money can deliver."