In November 2011, market analysis and consulting provider Pike Research released a report examining the current state of utility cyber security.
The report was entitled “Utility Cyber Security – Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond” and concluded that although a great deal of attention has shifted to protecting systems that govern infrastructure, utilities have a long way to go in protecting critical networks. The primary headline from the report was:
“Utility cyber security is in a state of near chaos. [emphasis added] After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended.”
The principal author of the above-mentioned report was Robert P. Lockhart. In 2013, Mr. Lockhart wrote a Foreword for a book titled “Applied Cyber Security and the Smart Grid,” by authors Eric Knapp and Raj Samani and technical editor Joel Langill, with a publication date of April 2, 2013. In the Foreword to the recently published book, Mr. Lockhart writes, reflecting on his statements in 2011:
“If anything, the situation has deteriorated since then. [emphasis added] Experts tell me during interviews that they see little innovation in cyber security. … the majority of Smart Grid cyber security offerings are recycled financial or health care offering with new glossy brochures. … Smart Grid security standards progress slowly, when they progress at all. One insider described standards-building meetings as poisonous. … Vendors attend to protect their turf. Utilities send lawyers to limit the scope of their commitments. … many utilities define their security program as bare minimum compliance with enforceable regulations, which is far removed from actual protection.” [emphasis added]
“To summarize, innovation is on sabbatical while standards advance glacially. Those who would attack our grids must barely be able to believe their luck. [emphasis added] While we argue about scope and vote on terminology, attackers — subject to neither standards nor laws — sail full steam ahead. … Who controls the grid, controls the economy. Each utility has a role to keep that control in the right hands. The time to act is now.”
Despite the boldly worded and grim outlook, Mr. Lockhart did state that “there is hope.” Actually I didn’t see many hopeful words in the Foreword written by Mr. Lockhart, but he did say it, so I wanted to throw that in just to ensure that I am not accused of taking statements out of context. He was basically saying that although the situation has deteriorated since 2011, it wasn’t because of the lack of capabilities. He attributes the chaos to “no clear path from investment to protection.” Utilities need to set the proper priorities and focus on what is most important. The biggest challenge relates to control systems which involve a mix of old legacy systems and newer devices. Mr. Lockhart further stated that there is no perfect solution to cyber security threats and that the best solution is sometimes the “least worst” choice. … For me, this was not very comforting.
How does the above critical assessment given by Mr. Lockhart compare with the typical propaganda disseminated by the utilities or smart grid advocacy groups?
From the Smart Grid Consumer Collaborative (SGCC): “The performance of security measures are tested and reviewed regularly to guard against unauthorized access to systems. Moreover, utility companies are working with federal agencies, such as the Department of Homeland Security, the Department of Energy, and the National Institute of Standards and Technology (NIST), to strengthen privacy and security standards to provide even more safeguards for consumer protection.”
From Florida Power & Light Company (FPL): “The data recorded by your smart meter is encrypted and transmitted to FPL via a secure wireless network that complies with the industry’s highest standards for cyber security.”
Basic motherhood statement from the City of Naperville, Illinois: “A utility cyber security plan, designed to protect the smart grid’s critical computer infrastructure that may be a potential target of criminal threats, terrorism acts, industrial espionage and/or politically motivated sabotage, will guide and govern all security policies and practices that apply to user and energy information.”
Although Mr. Lockhart was blunt in his language, we need only look at a couple of other government reports to obtain similar assessments:
GAO Report #GAO-11-117, “Electricity Grid Modernization”
“Utilities are focusing on regulatory compliance instead of comprehensive security. … Consequently, without a comprehensive approach to security, utilities leave themselves open to unnecessary risk. … There is a lack of security features being built into smart grid systems. … Without securely designed smart grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring.”
Congressional “Markey” Report, released May 21, 2013, entitled, “Electric Grid Vulnerability, Industry Responses Reveal Security Gaps”
Finding 1: The electric grid is the target of numerous and daily cyber-attacks.
Finding 2: Most utilities only comply with mandatory cyber-security standards and have not implemented voluntary NERC recommendations. Note: NERC is an acronym for the North American Electric Reliability Corporation.
“Grid operations and control systems are increasingly automated, incorporate two-way communications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks.”
For more information on the Markey report, see: http://skyvisionsolutions.org/2013/06/12/electric-grid-vulnerability-new-report/
As stated by GAO Report #GAO-11-117, “Until consumers are more informed about the benefits, costs, and risks of smart grid systems, utilities may not invest in, or get approval for, comprehensive security for smart grid systems, which may increase the risk of attacks succeeding.” With this in mind and with what has been presented in this website posting, it appears near criminal (if not actually criminal) that consumers continue to be provided misleading propaganda by the utilities and the smart grid advocacy groups … and that consumers are rarely permitted to freely refuse the installation of risky smart grid technology that is clearly not yet ready for prime time.
Website Moderator Note
As of this website posting, the newly published book foreworded by Mr. Lockhart is available for purchase at amazon.com at the link below. Plus, at least portions of the Foreword may be viewable as a “Look Inside” at the amazon.com website without purchasing the book.