
How secure are smart energy grids?

The improved efficiency of smart grids needs to be weighed against the cost of security - presenting a unique opportunity for the tech sector and a new market for security companies

As the UK’s energy infrastructure becomes more network-connected and smart meters are adopted in homes, smart grids are becoming an increasingly viable form of energy infrastructure. Smart grids are energy supply networks that intelligently integrate the actions of all connected users to efficiently deliver sustainable electricity supplies.

Not only do smart grids improve efficiency for energy companies, but they also form part of the European Union’s energy strategy. The EU aims to replace at least 80% of electricity meters with smart meters by 2020, wherever it is cost-effective to do so.

But there remains distinct uncertainty over the security of smart grids and the potential damage that could be caused if they were disrupted. Potential threats against smart grids range from criminals being able to detect when no one is home, through to the possibility of terrorists or extortionists switching off the power.

There have been varied reports regarding the effectiveness of security for smart grids. For example, some experts claim smart grids are at risk of cyber attack, while the National Cyber Security Centre’s (NCSC) technical director Ian Levy says: “Components of the smart metering system all interact in planned ways in order to contribute to the overall security of the system.”

Rather than replacing the existing energy network, smart grids build on the existing power grid communication protocols – which already have a number of known vulnerabilities – as well as adding new communications networks to the transmission and distribution grid.

“Any additional communication with existing infrastructure offers more doors to attackers to hack into the power grid,” says Zoya Pourmirza, a postdoctoral research associate at Newcastle University.

There have been recent incidents where the power supply from a conventional power grid has been interrupted. One of the most recent was when multiple regional distribution power companies in Ukraine were hacked in December 2015, resulting in substations being switched off and tens of thousands of people left without electricity. 

Compounding the incident, the attackers also targeted call centres through telephone distributed denial of service (DDoS) attacks. This meant that not only were customers without electricity, but they were also unable to report their loss of power or find out what was happening.


Smart grids are, by their very nature, designed to be flexible and able to adapt to any difficulties that may arise with power distribution. However, the more connections there are in a network, the greater the number of threat vectors that would need to be considered.

A spokesperson for the Department for Business, Energy and Industrial Strategy (BEIS) said: “We are working with the NCSC, as well as with industry partners, to ensure that all threats and risks to the energy sector are understood and mitigations are established. Plans are in place to ensure the appropriate resilience of power supply in the event of major disruption.”

Previously, energy networks did not have to focus as much as they do today on the potential damage that could be caused by hackers penetrating the energy grid. As smart grids are built on the existing energy infrastructure, they inherit this focus.

“In normal IT systems, confidentiality had the highest priority, compared to data integrity and availability,” says Pourmirza. “In a smart grid system, it is data availability and integrity that has the highest priority.”

In any power grid, knowledge of power demand is important. This relates to data availability (ensuring the information is available in a timely manner) and data integrity (trusting the data is transmitted properly). However, when more information is transmitted through smart grids, data confidentiality must be considered, because this data contains sensitive information about businesses and people’s routines.

As the country’s energy infrastructure becomes digitally connected and carries more information, there is a chance that this information could be misused if it were to fall into the wrong hands. This increase in data, and the information that could be extrapolated from it, means energy suppliers now need to incorporate data confidentiality into their day-to-day operations.

Given a smart grid’s importance as the country’s energy infrastructure framework, it becomes a significant target. “There are a number of different attackers and they will have different incentives to hack into the system,” says Pourmirza.

Categories of attacker

These attackers can be broadly subdivided into these categories:

  • Terrorists attacking another country by switching off the power grid.
  • Rogue states manipulating the energy market to destabilise the country.
  • Criminals monitoring power usage to determine when homes are empty.

There is also the potential for corporations to manipulate the billing systems of their competitors, which is an attack type more likely to be carried out in some nation states than others.

The network infrastructure of smart grids will now incorporate connections by anyone involved in the energy sector, from communication service providers to price comparison websites. Any of these could potentially, and inadvertently, provide an unauthorised access point into a smart grid.

The interconnected nature of smart grids means data communication companies (DCCs), which form part of the automated metering infrastructure (AMI), also become potential targets for hackers. Communication service providers could also become targets, as well as third parties associated with the smart grid, such as price comparison organisations. All these organisations will need to ensure they are secure against attack.

One of the problems of securing the smart grid against an attack is that digitally connecting such a piece of critical infrastructure naturally makes it a highly desirable target. In his article for the NCSC, Levy says that setting a high security standard bar for each component would make the system unaffordable.

Instead of securing each separate component, smart grids have been developed to be secure by design. The smart grid has been designed so that the components work in conjunction with one another. “An attack against the AMI system is not as easy as people think – but it is possible,” says Pourmirza.

Messages sent to and from smart meters carry with them both a message identifier and a component identifier. Sending two messages to the same meter means each message has a different authentication code, and sending the same message to two meters results in different authentication codes. If either of these does not match the records, then the network is designed to ignore the messages, based on the assumption that any invalid messages would be generated by attackers.
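The behaviour described above can be sketched in a few lines. This is an added example, not code from the smart metering system or from the article's sources: it assumes HMAC-SHA256 with a constructed per-meter key, and the command strings, meter names and replay record are illustrative choices.

```python
import hashlib
import hmac

# Constructed per-meter secrets (assumption: sender and meter share a key).
METER_KEYS = {
    "meter-A": b"constructed-key-for-meter-A",
    "meter-B": b"constructed-key-for-meter-B",
}


def _field(value: bytes) -> bytes:
    # Length-prefix each field so adjacent fields cannot be shifted into each other.
    return len(value).to_bytes(4, "big") + value


def make_tag(meter_id: str, message_id: int, command: str) -> bytes:
    """Authentication code bound to the component and message identifiers."""
    data = (_field(meter_id.encode())
            + _field(message_id.to_bytes(8, "big"))
            + _field(command.encode()))
    return hmac.new(METER_KEYS[meter_id], data, hashlib.sha256).digest()


class Meter:
    def __init__(self, meter_id: str):
        self.meter_id = meter_id
        self.accepted_ids = set()  # assumption: the meter records accepted message ids

    def receive(self, meter_id: str, message_id: int, command: str, tag: bytes) -> bool:
        """Return True if the message is acted on, False if it is ignored."""
        if meter_id != self.meter_id or message_id in self.accepted_ids:
            return False  # wrong component, or a replayed message identifier
        expected = make_tag(self.meter_id, message_id, command)
        if not hmac.compare_digest(expected, tag):
            return False  # code does not match: ignore the message
        self.accepted_ids.add(message_id)
        return True


if __name__ == "__main__":
    meter = Meter("meter-A")
    tag = make_tag("meter-A", 1, "read")
    print(meter.receive("meter-A", 1, "read", tag))        # genuine
    print(meter.receive("meter-A", 1, "read", tag))        # replayed
    print(meter.receive("meter-A", 2, "disconnect", tag))  # tag reused for another message
```

Because the identifiers are inside the authenticated data, a code captured for one message or one meter is useless for any other, which is why the receiver can simply drop anything that fails the check.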

The Department of Energy and Climate Change (DECC) and GCHQ assume that nothing connected to the internet is 100% secure. However, smart grids are designed to mitigate the risk of an attack happening and to lessen the damage that can be caused should hackers penetrate a smart grid’s network security. A potential target is only a concern if it can be exploited by attackers.


For example, the DCCs would automatically perform anomaly checking, since the network is designed to detect anomalous commands. In the case of disconnect commands, which are not generally sent on a daily basis, if the DCC detects that too many are being sent, the system raises an alarm and blocks the messages.
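A minimal sketch of that kind of check, as an added example rather than the DCC's actual logic: the threshold, the one-hour window, the command names and the event stream are all constructed assumptions, since the article gives no figures.

```python
from collections import deque


class DisconnectMonitor:
    """Sliding-window check on disconnect commands passing through a hub."""

    def __init__(self, max_disconnects: int, window_seconds: int):
        self.max_disconnects = max_disconnects  # assumed threshold
        self.window_seconds = window_seconds    # assumed window length
        self.attempts = deque()                 # timestamps of recent disconnect attempts
        self.alarms = []                        # (timestamp, meter_id) of blocked commands

    def handle(self, timestamp: int, command: str, meter_id: str) -> bool:
        """Return True if the command is forwarded, False if it is blocked."""
        if command != "disconnect":
            return True  # routine traffic is not rate-checked here
        # Drop attempts that have aged out of the window.
        while self.attempts and timestamp - self.attempts[0] >= self.window_seconds:
            self.attempts.popleft()
        # Blocked attempts are counted too, so a sustained burst stays blocked.
        self.attempts.append(timestamp)
        if len(self.attempts) > self.max_disconnects:
            self.alarms.append((timestamp, meter_id))
            return False
        return True


# Constructed event stream: (seconds since start, command, target meter).
SAMPLE_EVENTS = [
    (0, "read", "meter-0"),
    (10, "disconnect", "meter-1"),
    (20, "disconnect", "meter-2"),
    (30, "disconnect", "meter-3"),
    (40, "disconnect", "meter-4"),
    (50, "read", "meter-5"),
    (60, "disconnect", "meter-6"),
    (4000, "disconnect", "meter-7"),
]


def replay(events, monitor):
    """Feed events through the monitor and return the forward/block decisions."""
    return [monitor.handle(ts, cmd, meter) for ts, cmd, meter in events]


if __name__ == "__main__":
    mon = DisconnectMonitor(max_disconnects=3, window_seconds=3600)
    print(replay(SAMPLE_EVENTS, mon), mon.alarms)
```

Counting blocked attempts in the window is a deliberate choice: disconnects resume only after the burst has stopped for a full window, not as soon as the oldest forwarded command ages out.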

But these security techniques, which are focused on avoiding power disruptions, do nothing to address unlawful data collection by malicious third parties. Knowledge of when and how home-owners and businesses use their supplies is useful information for burglary and industrial espionage.

A spokesperson for the Energy Networks Association (ENA) said: “Through the BEIS Energy Emergency Executive Committee task groups and ENA’s Cyber Security Working Group, network companies have established ways of identifying, assessing and responding to long-term cyber security threats in a cross-industry, strategic fashion.

“This work includes undertaking regular industry standard benchmarking, developing common standards for specific areas of infrastructure, and ensuring that those people working for network companies and their supporting supply chain understand the role they play in managing threats.”

Although nothing is 100% secure, there are still known inherent vulnerabilities in smart grids. More studies and further research need to be performed in this field, because there is a distinct gap in the market for security technology suitable for smart grids.

“The cyber security technology for secure networks is available, we know that, but these technologies may not be appropriate for real-time monitoring of smart grids,” says Pourmirza. “We need to have security companies and academia to work together to investigate the gap, find the vulnerable points and then prioritise them.”

It appears that it is only through industry and academia working together that solutions can be found to achieve the necessary balance between security, affordability and availability. 

The ongoing development of smart grids also provides an opportunity for security companies to offer their expertise in adapting or developing security technology to meet the unique needs of the energy sector, and this potentially represents a new revenue stream.
