A majority of energy-security practitioners do not believe economic stimulus-funded smart grid projects sufficiently protect the nation against cyberattacks, according to findings reported on Monday by an Energy Department-funded public-private partnership.
The 2009 American Recovery and Reinvestment Act has paid out $2.5 billion to modernize the U.S. electric system by digitizing the way power is distributed to consumers, according to Energy Department financial submissions. Program plans from June 2009 stated that one goal of the initiative, which will disburse $4.5 billion, was to “enhance security and reliability of the energy infrastructure.”
When asked if smart-grid projects adequately addressed security, 67 percent of participants surveyed by the public-private group EnergySec said no. The March 2012 survey questioned 104 energy security professionals.
EnergySec Chief Executive Officer Patrick Miller speculated that security specialists and businesses may have different perceptions about the lasting effect of today’s security controls. “It’s not as if the vendor is approaching this irresponsibly,” he said. “What may have been implemented -- though it could be considered good security, will it stand the test of time?”
Hackers are innovating as fast as smart-grid suppliers. “There was a flood of government money that came in,” Miller said. “And innovation is a good thing. But it’s very hard to keep pace with security when you are innovating this fast.”
Energy officials said all recipients of smart-grid investment grants were required to develop cybersecurity plans explaining how they would identify risks, resolve them, and ensure a stable cybersecurity posture.
“The Energy Department takes very seriously the responsibility of managing and overseeing its smart-grid grants to protect taxpayer funds and ensure that projects are moving forward effectively to modernize our nation’s electric grid,” Department spokeswoman Keri Fulton said in a statement.
Officials added that the Obama administration has proposed cybersecurity legislation that would establish a rulebook for enhanced cooperation between the government and energy operators nationwide. “This will clarify ways in which government and industry can share information about cybersecurity threats more effectively and strengthen the criminal penalties for those who take action to disrupt the grid,” Fulton said.
The survey also found that most professionals -- 60 percent -- did not think the federal government should regulate the smart-grid industry. Miller wrote in the report that in digital power delivery, which spans local, state, and federal regulatory lines, “a federal one-size-fits-all approach may significantly slow down progress.” But he acknowledged that “potential inconsistencies in regulatory approaches may introduce complexity and risk [into the] smart-grid landscape. Either model, whether state or federally regulated, comes with pros and cons. I see the regulatory oversight of the smart grid as one of our biggest challenges with the least obvious solution.”
Privacy invasions, energy theft, and terrorist-induced power outages are a few of the concerns surrounding the new technology. Miller said, “I don’t think any of those are cataclysmic or catastrophic kinds of risks.” Manipulating widespread outages through the smart-grid infrastructure would be enormously difficult to do, he added.
Most security experts surveyed, 53 percent, said the hype about invasions of privacy associated with smart-meter consumer data is overblown. “I expect the smart grid industry to struggle with several challenges around who ultimately owns customer data,” Miller wrote in the report. “There are several gray areas that impact how smart grid customer data will be used as the industry attempts to maximize revenue potential. Even seemingly innocuous customer data has significant value -- just ask Facebook or Google.”
Cybersecurity compliance firm nCircle partnered with EnergySec on the survey. Energy officials were not immediately able to comment.