Government report finds smart grid cyber security has many gaps
SUBNET Solutions Inc | Friday, July 20, 2012
Members of the electric industry have not consistently built strong cyber security components into their smart grid deployments, and at the same time, arguments over certain agencies' jurisdiction have led to limited government action, a new report from the U.S. Government Accountability Office (GAO) suggests.
The report stated that current smart grid networks are riddled with cyber security vulnerabilities, which are especially pronounced in smart meters and industrial control systems. The GAO also detailed complaints from utilities investigated by the FBI in which hackers allegedly broke into systems and changed the devices that monitor and record power consumption settings.
The report highlights the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and its work identifying malware at one electric bulk provider and electric utility. The malware was reportedly introduced through phishing tactics performed by a "sophisticated threat actor."
Even though these vulnerabilities have been documented, the report states that many members of the industry have not taken the appropriate steps to mitigate the risks that come with these access points.
"Experts told us that certain currently available smart meters had not been designed with a strong security architecture and lacked important security features, including event logging and forensics capabilities that are needed to detect and analyze attacks," the GAO explained.
The report added that expert investigations showed that many smart grid technologies used to manage electricity were not outfitted with appropriate cyber security, which would increase the system's vulnerability to attack.
"Without securely designed smart grid systems, utilities may lack the capability to detect and analyze attacks, increasing the risk that attacks will succeed and utilities will be unable to prevent them from recurring," the agency stated.
Work on smart grid cyber security has also been lacking because of jurisdictional disputes between state-level regulators and federal agencies. Historically, which jurisdiction is responsible has depended on whether the device is located on the transmission or distribution line, but smart grid devices could potentially blur this distinction.
"For example, devices such as smart meters deployed on parts of the grid traditionally subject to state jurisdiction could, in the aggregate, have an impact on those parts of the grid that federal regulators are responsible for – namely the reliability of the transmission system," the report concluded.
SUBNET products help utilities adhere to strict NERC CIP regulations, which were developed to protect critical infrastructure from cyber attack.