Navigant Research Blog

Smart Grid Cyber Security Moves From Hype to Hard Work

Bob Lockhart — December 6, 2013

Smart grid cyber security gets a lot less hype than it did 2 years ago – and that’s a good thing.  The reason for less hype: people have stopped talking so much about it and actually started doing something about it.  Securing a smart grid is incredibly difficult work, as this blog has noted many times.  Not only are we dealing with perhaps the most critical of critical infrastructures, but some of the devices to secure are decades old with decades of service life remaining.  It’s not for the faint of heart.

The people who are talking about smart grid cyber security nowadays are the people who are actually securing the grids.  The people in the trenches.  So it’s no surprise that conferences full of security vendors with solutions for the world’s ills are fewer and farther between.

As evidence, the IEEE SmartGridComm conference in Vancouver included a full afternoon workshop on smart grid cyber security.  The speakers embodied the progression from hype to hard work in utility cyber security:

The panel was chaired by Dr. Hassan Farhangi, director of research at the British Columbia Institute of Technology.  The presentations progressed from utility business drivers down to extremely technical talks on hacking smart grids inexpensively, and then back out to cyber incident response.

The heart of my talk was observations on the current state of cyber security in utilities.  In a nutshell:  there is good technology to protect control networks, but it is rarely deployed as an integrated whole.  There are few legal requirements driving cyber security – cyber security at any given utility is only good if the executives want it to be.

Cheap & Dangerous

I had hoped that my comments would be scary enough to grab the audience’s attention for the rest of the afternoon session.  Turns out, I was the optimist of the bunch.

Justin Clarke was his usual entertaining and frightening self.  To be fair, he’s entertaining; it’s his comments that are frightening.  He displayed some easily available tools for attacking smart grids.  An inexpensive device to hack smart meter optical maintenance ports even qualifies for free shipping with Amazon Prime.  He displayed a $120 open-source Bluetooth monitoring and developing platform – in other words, a hacking tool.  Bluetooth appears increasingly in control devices such as reclosers, so that lineworkers don’t have to physically access those devices during a thunderstorm.  That is a fantastic safety advance, but if Bluetooth is not properly secured, then the price to compromise that recloser is $120.

Patrick Miller reminded us that attackers have three things that cyber security departments rarely have: time, people, and money.  The more creative attacks against control networks – Stuxnet, Duqu, Night Dragon – were clearly the work of organizations with effectively limitless resources.  Contrast that with the day-to-day fights for spending budgets that are the life of a chief security officer.

Finally, Frank Turbide discussed the activities of the CCIRC.  Incidents run from sophisticated denial-of-service attacks to poor implementations that have control devices linked directly to the Internet.  The CCIRC issues alerts on current threats and vulnerabilities to its member organizations, of which the most common are malware and phishing attacks.  During the past 3 months, energy and utilities have been the second-most attacked industry after telecommunications.

There are still lots of attackers out there, and useful attack tools are dropping quickly in price.  And yet, there are good guys looking at more efficient and thorough ways to protect a control network.  There is still hope for protecting our control networks, so let us remain vigilant but optimistic.

2 Responses to “Smart Grid Cyber Security Moves From Hype to Hard Work”

  1. Bogdan says:

    Interesting indeed. What about a Pareto based approach ( )?

  2. Bob Lockhart says:

    Thanks, Bogdan. I looked at the paper quickly and it is interesting, although it is a bit more of a reliability approach than a cyber security approach. Then again there is a lot of overlap between the two topics. And yes the Pareto principle works for cyber security too. Effective cyber security begins with a good security architecture, which prioritizes the most important risks to mitigate. The security architecture may not always get a utility to the 80/20 situation but it will come closer to ensuring that the utility addresses the right risks first.
