There's also a danger of overlooking the insider threat. "Most people believe smart grid security is for only viruses and worms from hostile governments and terrorist groups," says Joshua Flood, an analyst at ABI Research. "However, one of the main reasons for increased spending on smart grid security software and management systems is simply to make sure the correct people have access to the equipment and systems they should have access to." Among other things, this means protecting systems from disgruntled employees or others who might commit internal sabotage, Flood says.
Security Standards Need Teeth
The Pike Research report suggests that the lack of enforceable security standards or regulations for power distribution grids "leads to a scene of mass chaos in utility cybersecurity" and will cause utilities to take a wait-and-see approach to significant security investments.
So far, most utilities are focusing on the North American Electric Reliability Corp.'s critical infrastructure protection program (NERC CIP), which applies only to generation and transmission and is the only current standard that has "the teeth to result in fines for noncompliance," the report says.
But utilities should look beyond regulatory compliance and take a more holistic, risk-assessment-based approach, analysts say. Utilities need to establish (and continually refine) an "organization-wide risk management program, policies and processes to prepare for, react to, and recover from adverse cybersecurity events," says Marianne Swanson, senior advisor for information system security at the National Institute of Standards and Technology (NIST).
NIST and other government agencies have written useful documents about power grid security and risk management, but the Pike Research report notes that they are merely recommendations.
To complicate matters further, there are differences between the security standards in the U.S. and the rest of the world, Flood says.
"We need similar standards worldwide, and although organizations such as the European Union's Smart Grid Coordination Group are working with NIST closely, we still need greater progress in Europe on smart grid security," he says. "However, with current economic problems in the euro zone, less effort and time will be spent on the smart grid than needed."
Securing industrial control systems such as SCADA (supervisory control and data acquisition) also remains a challenge for utilities, according to Lockhart, but there is little consensus on how to address it.
A major factor, Lockhart explains, is that many SCADA systems were deployed without any security whatsoever in the mistaken belief that SCADA would always be isolated from the Internet.