Smart grids, upgraded versions of electricity networks with two-way digital communication, should make the European energy system more efficient. But their dependency on computer networks, applications and the Internet makes society more vulnerable to malicious cyber attacks with potentially devastating results, the European Network and Information Security Agency (ENISA) said in a report published on Tuesday.
Smart grids are built to enhance the communication between the power supplier and consumers to ensure a sustainable power system with low losses and high quality, security of supply and safety. However, connecting energy supplies such as consumer solar panels and small wind turbines, as well as smart meters, to the regular power network creates extra risk because it adds entry points to the power system, ENISA said in a report on European smart grid security.
ENISA is a European Union body that helps the European Commission and E.U. member states to address network and information security problems.
The threats to the electricity grids are real. Criminals have been able to hack into computer systems via the Internet, enabling them to cut power to several cities in the U.S., the CIA disclosed in 2008. The hacks were followed by extortion demands, and in at least one case the disruption caused a power outage affecting multiple cities, according to the CIA at the time. In 2009, the Wall Street Journal reported that cyberspies from Russia, China and other countries had penetrated the U.S. electricity grid.
Intrusions like these prove that software and hardware used for smart grids are high-risk targets, ENISA said, adding that reducing barriers to information sharing is vital for the success of smart grids.
While cyber security is almost always considered an important topic in any smart grid project, it is often ignored because of project budgets, scarce funding and lack of expertise when it comes to a practical implementation, according to the report. Therefore it is necessary to have a robust and resilient grid infrastructure that is able to overcome potential attacks, especially denial of service (DoS) attacks, ENISA said.
An end-to-end security approach is needed from the lowest levels where the smart meters are to the upper layers that include application systems and integrations with corporate systems, ENISA said. Devising a standard centralized architecture for smart grids in the E.U. is a basic requirement to secure the system, ENISA said.
ENISA said an incident detection system for smart grids is also needed. That system should have security monitoring sensors using signature-based software distributed across the grid, able to process data in a centralized and decentralized manner, ENISA said.
Furthermore, a central monitoring center for data collection and analysis is on ENISA's wish list, as well as monitoring centers that could perform research, write new signatures and study new threats. Those recommendations for secure smart grids should also be considered when discussing the creation of a pan-European entity to manage large-scale cyber incidents, ENISA said.
In total the report contained 10 recommendations to make European smart grids more secure. Besides solving technical difficulties, the European Commission and the member states should provide a clear regulatory and policy framework on smart grid security on a national and European level as this is currently missing, ENISA said. The Commission should also collaborate with ENISA and the private sector to develop a minimum set of security measures for smart grids, ENISA said.
The implementation of these recommendations is considered urgent because the smart grid, which is being built at the same time as it is being defined, is the greatest revolution of the electricity power grids since their creation, the organization said.
Loek covers all things tech for the IDG News Service.