The Dark Side of the Smart Grid

The smart grid offers great promise to transform the electric system, enabling two-way communication between providers and consumers over the network, and allowing new services that can save electricity and reduce costs. It gives consumers more control over how and when they use power—but it has a dark side.

The smart grid, now some 15 years in development and still far from mature, offers potential benefits to utilities, electric generators, and customers. But the smart grid also has a dark side, born of the interconnected nature that is also the source of its promise.

Two-way communication among generators, transmitters, and customers is the smart grid’s key. That kind of mutual intelligence offers solid benefits, including energy management, increased reliability and resilience, and integration of intermittent renewable energy generation and storage. It also accommodates distributed power generation and microgrids, enhances the value of electric vehicles, and gives customers greater choices of how and when to use electricity.

Electric energy pioneer and visionary Nikola Tesla in 1926 said, “When wireless is perfectly applied the whole earth will be converted into a huge brain… and the instruments through which we shall be able to do this will be amazingly simple compared with our present telephone. A man will be able to carry one in his vest pocket.”

The Interconnected Smart Grid

The best definition of the smart grid comes from the European Union Commission Task Force for Smart Grids: “A Smart Grid is an electricity network that can cost efficiently integrate the behavior and actions of all users connected to it—generators, consumers and those that do both—in order to ensure economically efficient, sustainable power systems with low losses and high levels of quality and security of supply and safety. A smart grid employs innovative products and services together with intelligent monitoring, control, communication, and self-healing technologies …”

The downside to this vision is how those interconnections—driven by modern computer technologies, data flow, and information management—interact with each other. Do they, by their nature, offer cybersecurity threats, those opportunities for malevolent forces to intrude, disrupt, or destroy?

The threat is not confined to electric systems. It applies to much of interconnected modern society. Hackers have proven adept at infiltrating and altering myriad systems, including industrial, institutional, and governmental computer-driven networks (and major political campaigns). Threats to the electric power structure are particularly high-profile, given the ubiquity and importance of electricity to modern civilization.

Ineffective Government Action

The Trump administration in May 2017, in Executive Order 13800, called for government agencies to put the highest priority on protecting critical infrastructure (Figure 1) from cyberattacks, designating the Department of Homeland Security (DHS) as the lead agency in the action.

Figure 1. The federal government recognizes that critical infrastructure of the U.S. power grid, including transmission lines, needs to be protected from cyberattacks. The Trump administration has designated the Department of Homeland Security to take the lead on cybersecurity. Source: U.S. Geological Survey

Yet, a recent survey by The Network, unveiled in early March in San Francisco at the annual RSA Conference, one of the cybersecurity community’s annual gatherings, found skepticism about the executive order. According to The Washington Post, “More than three-fourths of digital security experts” polled said the nation is no safer from cyberattacks today than when the order went into effect two years ago. The Network, said the newspaper, “is a panel of more than 100 security experts from government, academia and the private sector” who vote in an ongoing survey of cybersecurity issues.

Those surveyed for the most part did not accuse the government of falling down on the job, but said threats are arriving faster than the means to combat them. The Post article said, “Anup Ghosh, a managing director at Accenture Security and a former [Defense Advanced Research Projects Agency] official, said that threats against critical infrastructure—especially against energy utilities—are proliferating ‘and the industry is playing catch-up.’ ”

Figure 2. Protecting the U.S. electricity grid means keeping the country’s cybersecurity efforts ahead of those who would try to compromise the electricity network. But locking out adversaries is challenging as malicious entities increase their level of sophistication. Courtesy: Creative Commons / QYYZ

“Attack surface” is a prominent phrase in current cybersecurity (Figure 2) discussions. As interconnections proliferate, the opportunities for attacks increase even faster. Suzanne Spaulding, a former DHS cybersecurity chief, said that improvements have occurred and the agency and industry have been doing good work. “But our adversaries,” she said, “are moving ahead with malicious capabilities more quickly than we are advancing our defenses.”

Figure 3. Martin Libicki, chair of cybersecurity studies at the U.S. Naval Academy, has said most of the nation’s critical power infrastructure is privatized, making it difficult for government to take sufficient cybersecurity measures. Source: U.S. Naval Academy

Martin Libicki (Figure 3), who chairs cybersecurity studies at the U.S. Naval Academy, said, “Cybersecurity largely results from the interaction of defenders’ sophistication [which is rising], attackers’ sophistication [which is also rising], and the size of the attack surface [which keeps expanding]. When it comes to non-government systems [most of the critical infrastructure is in private hands], government is on the outside looking in.”

Attack Surfaces Grow

For the electric smart grid, Tobias Whitney, technical executive for cybersecurity at the Electric Power Research Institute (EPRI), told POWER that the advance of the smart grid does enlarge the attack surface. More interactive systems come into play, both at the individual customer level, and outside the home, industry, or business, to the level of distributed resources, aggregated distributed resources, microgrids, and other emerging trends in the power industry, all assisted or enabled by a smart grid.

Whitney identified “two levels of concern about cyber vulnerabilities from the smart grid.” The first is the bulk transmission system. The other is at the distribution level. Both can interact with each other.

For distribution, the threats are often “one consumer at a time,” and largely involve privacy and individual safety concerns, geared to the arrival of the Internet of Things. To take just one example, Google’s Nest smart thermostat, which provides energy management capabilities, can be hacked (see sidebar), providing a detailed view of an individual’s energy usage. “There are a whole bevy of risks for home Wi-Fi and broadband connections,” Whitney said, and “that’s always going to be a challenge.”

Hacking the Nest Smart Thermostat

At the Black Hat USA 2014 conference, a team of white hat cybersecurity hackers took a look at Google’s highly touted Nest thermostat (Figure 4). It is able to read your energy usage patterns, communicate with the distribution grid supplying electricity, and provide information to the local electric supplier. It can be controlled by a smart phone from anywhere. The general view was that the Nest was a “way cool” application of smart grid technology.

Figure 4. The Nest thermostat from Google reads energy usage patterns and can communicate with the power grid. It can be controlled by a smart phone—and researchers also say it’s a prime candidate to be hacked and could disrupt a home’s electricity. Courtesy: Google

Computerworld reported that the security researchers, including experts from the University of Central Florida, were able to hack into the Nest in 15 seconds and have it display a message: “I know that you and Frank were planning to disconnect me, and I am afraid that is something I cannot allow to happen.”

It was a graphic demonstration of the risks the Internet of Things can bring to the interconnected world. It was also an homage to the 1968 Stanley Kubrick film “2001: A Space Odyssey,” where the computer HAL 9000 takes over and says to the human commander, in response to a command, “I’m sorry, Dave, I’m afraid I can’t do that.”

Black Hat is a group of computer scientists working on cybersecurity that holds conferences around the world to examine security issues. The group published a presentation about the Nest thermostat titled “Smart Nest Thermostat, A Smart Spy in Your Home.”

Google has since upgraded the security of Nest and its family of products that include smart home security, a smart doorbell, a smart camera, and a smart smoke and CO sensor and alarm. All are connected to the internet, and there is no guarantee that the security upgrades can survive attacks by serious hackers.

Kevin Markey, a Denver-area computer scientist and retired Oracle executive, told POWER, “The security has improved with two-factor authentication two years ago. And all of the hacks I’ve read about require physical access to the unit.” But Markey said he remains skeptical, noting that used Nest equipment could be resold, providing a pathway into the previous owner’s home. He added, “How many people do you know who keep up on security updates?”

Poudre Valley REA—a large rural electric cooperative in Fort Collins, Colorado—is offering deals on Nest thermostats if customers agree to allow the co-op to use them for air conditioning load management. “A great innovation and lots cheaper than some of the old devices, which may have been less secure because they don’t have the resources for security that Google/Nest has,” Markey said. Nonetheless, Markey said he declined the offer because his passive solar heated and cooled home doesn’t need air conditioning.

Then there are broader risks and vulnerabilities where distribution systems and the bulk transmission system interact. For years, the Federal Energy Regulatory Commission (FERC) and others in the electric industry have tried and failed to make a distinction between transmission and distribution, for regulatory and business reasons. In terms of physics, it’s a false dichotomy. Electricity travels over the high-voltage system, to lower-voltage lines, and to useful voltages into the home. The electrons don’t recognize government or industry lines of demarcation.

“Distributed generation technology is becoming more and more mature,” EPRI’s Whitney said. That includes the development of smart inverters that can easily integrate direct current—produced from solar photovoltaic systems and stored on-site in batteries—with the grid as alternating current in two-way transactions.

Distributed generation and energy efficiency programs, microgrids, and distributed energy resource (DER) aggregation pose a challenge, said Whitney. “Who is responsible for the microgrid? Given that it is sometimes driven by the customer—a commercial customer in some cases—or a utility customer, or something in between. It’s not so much a technical question,” he said, but a management issue.

With aggregators, Whitney noted, “The interface is changing between distribution and transmission. That’s one of the challenges we need to face. The model is changing.” Managers of these aggregated DER systems—involving electric vehicles, solar generation, and storage—are not the consumer and not the utility. “At the same time,” he said, “aggregators have great ability to impact the system,” with control over hundreds to thousands of megawatts. He said there is a need to “better articulate what these organizations are, and model their impact on the grid.”

Smart Grid Origins

Smart grid concepts have been around for many years, starting with metering. Utilities have long sought to reduce the costs of traditional meter reading, with humans arriving at the meter and recording the usage readings. It’s costly and subject to human errors (and sometimes intentional nefarious acts). Automated meter reading began in the 1980s for large industrial and commercial customers.

In the 1980s, some utilities were already thinking beyond the meter and into the home. Southern California Edison, which then had one of the industry’s largest research programs, was promoting the idea of a “smart home” that used beyond-state-of-the-art communications technologies to control energy use.

In the 1990s, the industry moved to “advanced metering infrastructure,” then to smart meters in the new century. These interactive devices would cut utility costs and generate useful information for the utility. There have been headwinds in installing smart meters, as the benefits seem to flow mostly to the utility, while the utility wants the customer to pay for the new meters.

After a widespread blackout in the U.S. Northeast in 2003, Kurt Yeager, then EPRI’s CEO, began advancing the idea of a smart grid that would be more resilient than the conventional grid. He rolled out EPRI’s approach to the smart grid in 2004 and then retired after 30 years with the group. He then joined the startup Galvin Electricity Initiative, founded by former Motorola CEO Robert Galvin, honcho of modern cell phones, to promote smart grid technologies and policies.

The seeds Yeager and Galvin sowed bore fruit. In the 2007 Energy Independence and Security Act, the last comprehensive U.S. energy policy legislation, Congress authorized $400 million in federal spending through 2012 to help roll out smart grid capabilities. The new law also directed the National Institute of Standards and Technology, and FERC, to develop and implement smart grid standards, a process that is ongoing.

Grid cybersecurity was not high on the agenda of Congress or the executive branch when they took up the smart grid concept in 2007, but it didn’t take long for security concerns to arise. In April 2009, The Wall Street Journal reported somewhat breathlessly, “Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.”

Since then, grid cybersecurity has grown into a top government and industry agenda item, with the recognition that the more interconnected the grid becomes, the greater the attack surface. In its “Quadrennial Energy Review” issued in late 2017, the Department of Energy (DOE) warned: “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency. The current cyber security landscape is characterized by rapidly evolving threats and vulnerabilities, juxtaposed against the slower-moving deployment of defense measures.”

New Approaches to Grid Security

Conventional approaches to protecting the grid, involving hardware firewalls, layers of encryption, and multiple authentication, have dominated the response to the security weaknesses. But there may be newer and better ways to approach the topic.

Pat Gelsinger, CEO of VMware, a Dell Technologies subsidiary and a leading firm in cloud computing services, offered a provocative and unconventional approach to cybersecurity at the March RSA Conference. “The biggest threat to security today,” he said, “is our hyper-focus on threats. Most innovations have centered on finding and dealing with attacks. By contrast, very little has been done in how we shrink the attack surface. That domain needs to be a topic to achieve big gains in security.”

Said Gelsinger: “The most important security product won’t be a security product in the future. It’s got to be built-in, not products outside the system.” He said it is necessary to “build more security systems into our infrastructure, into the storage, into the network operations of our end-users.” He promoted the idea of “simplifying—consistently reducing the attack surface.”

To that end, said Gelsinger, the trick is to “leverage the power of the cloud to secure the cloud,” which involves “reconsidering the basic notion of a firewall.” He advocated, not so subtly touting his company’s wares, a “service-defined firewall, done fully in software, a firewall for the cloud era.” This, he said, is the key to “dramatically reducing the attack surface.”

Kennedy Maize is a long-time energy journalist and frequent contributor to POWER.