The efficiency of smart grids must be weighed against the cost of security. The greatest pitfall of revolutionizing the energy grid with distributed energy sources, smart meters and renewable energy technologies is the risk associated with cybersecurity.
The AEE Institute and 21CES Initiative
The Advanced Energy Economy Institute's mission is to raise awareness of the public benefits and opportunities of advanced energy. It does so by providing critical data that drives policy discussions on key issues.
The AEE Institute's recent white paper, “Cybersecurity in a Distributed Energy Future,” evaluates progress made on the 21st Century Electricity System (21CES) Initiative. The initiative was developed to accelerate the transition to a high-performing, customer-focused electricity system that is secure, clean and affordable. The three primary activities of the 21CES are convening forums, participating in key regulatory proceedings and facilitating collaboration among stakeholders.
Development of Smart Grids
A significant change to the energy grid is being driven by new technologies, evolving customer needs, environmental imperatives, regulatory drivers and an increasingly complex set of requirements. The grid of the future is expected to incorporate more interconnected distributed energy resources, and it is pivotal that these systems are connected in a secure manner throughout the transition period as they form what is referred to as a smart grid.
Smart grids and distributed energy sources prevent or limit widespread electric grid outages. They are indicative of enhanced power quality and have the capability to isolate problematic components. On the back end, progress is driven by new modes of communication and interaction between increasingly diverse and numerous participants and devices, which in turn exposes security vulnerabilities.
Cybersecurity Dangers to Consider
Cybercrimes that involve fraud and theft for monetary gain are most prevalent, followed by attacks designed to disrupt or destroy physical assets. Hackers have exploited interconnected devices by identifying security vulnerabilities such as unchanged factory default passwords. They have also exploited flaws in protocols, such as those used by Windows operating systems when sharing files.
Alongside these broader trends in cybercrime, there has been an increase in the number of attacks that are designed for espionage and physical damage, targeting national governments and critical infrastructure. These attacks focus either on information technology (IT) and the gathering of sensitive data, or on operational technology (OT), where they aim to manipulate industrial control systems.
Edge devices such as distributed energy systems are most vulnerable to cyber threats. This is because they are numerous and are typically constrained by limited bandwidth, memory and storage space.
The risk of service outages resulting from a breach of the smart grid can be minimized or even eliminated by establishing best practices and deploying protocols with a proven track record. In its recent white paper, the AEE Institute has recommended future actions and defined best practices that help protect advanced grids from cyber attacks.
Device manufacturers typically supply new devices with factory-set passwords. By simply changing these passwords, users significantly improve the security of their hardware. The AEE Institute suggests that device manufacturers incorporate technology that requires passwords to be changed when a device is first connected.
In addition, standard operating procedures should include proper password maintenance actions. To prevent passwords from being compromised, it is important to remove access from users who should not need it and to update passwords upon employee termination. Proper maintenance of passwords is a strong line of defense against unauthorized access. While it is largely a manual process, some automated methods that have had proven success include password timeouts, shared directory functions and locking out infrequent users.
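The password maintenance checks described above can be automated as a periodic audit over a device account inventory. The sketch below is an added example, not taken from the AEE Institute white paper; the record fields, the 90-day and 60-day thresholds and the inventory itself are constructed assumptions.

```python
from datetime import date, timedelta

# Assumed policy values; the page names the controls but sets no thresholds.
PASSWORD_TIMEOUT = timedelta(days=90)
INACTIVITY_LIMIT = timedelta(days=60)

# Constructed inventory (hypothetical field names). password_changed=None
# means the factory-set password was never replaced; last_login=None means
# the account has never logged in.
FIELDS = ("device", "user", "active_employee", "enabled",
          "password_changed", "last_login")
ROWS = [
    ("meter-gw-01", "admin", True, True, None, date(2024, 5, 30)),
    ("inverter-07", "jdoe", False, True, date(2024, 4, 1), date(2024, 5, 20)),
    ("inverter-07", "ops", True, True, date(2023, 11, 1), date(2024, 1, 15)),
    ("derms-hmi", "asmith", True, True, date(2024, 5, 1), date(2024, 5, 28)),
    ("derms-hmi", "old-svc", False, False, None, None),
]
ACCOUNTS = [dict(zip(FIELDS, row)) for row in ROWS]

def audit_account(acct, today):
    """Return the list of hygiene findings for one account record."""
    if not acct["enabled"]:
        return []  # already locked out; nothing can authenticate with it
    findings = []
    if not acct["active_employee"]:
        findings.append("remove-access: owner no longer employed")
    changed = acct["password_changed"]
    if changed is None:
        findings.append("factory-default password never changed")
    elif today - changed > PASSWORD_TIMEOUT:
        findings.append("password-timeout exceeded")
    last = acct["last_login"]
    if last is None or today - last > INACTIVITY_LIMIT:
        findings.append("lock-out: infrequent user")
    return findings

def audit(accounts, today):
    """Map 'device/user' to its findings, omitting clean accounts."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[f"{acct['device']}/{acct['user']}"] = findings
    return report

if __name__ == "__main__":
    for key, findings in audit(ACCOUNTS, date(2024, 6, 1)).items():
        print(key, "->", "; ".join(findings))
```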
Updating malware and software protection is another important task. Software fixes are distributed to fix bugs and, in some cases, security flaws. Allowing automatic updates ensures operating systems are up to date, minimizing vulnerability to cyber attacks.
Other factors to consider include message encryption and firmware deployment. Encryption solutions should follow the latest NIST standards, and endpoint devices should not share any secret or private keys. Devices should be loaded with firmware that has been designed by the device manufacturer to help improve its cybersecurity, and interfaces should be disabled at the operating system level.
Distributed energy resource management systems (DERMS) are also being developed. They facilitate the integration of new energy sources in a secure environment. Implementation of these platforms also requires the incorporation of strict requirements to address the handling and storage of data.
The isolation of the smart grid from the internet is an increasingly difficult task. In a world of cloud computing, being up to date and compliant with applicable security standards is imperative. There is also a dire need to undergo periodic security assessments and monitoring, as these standards are in their infancy and are subject to change when new flaws surface.