The maturity of the smart grid security in Europe could be evaluated as medium to low; that is what our study demonstrated. We are still trying to find out how to implement the smart grid on our electricity power infrastructure, after which we would conceive how the security should be applied. This is not a good approach, we need to define what instruments we should use (requirements for smart grids) in the smart grid before any other action can be taken into account.
SMART GRID SECURITY: A PAN EUROPEAN PERSPECTIVE
Dr. Konstantinos Moulinos | European Network and Information Security Agency - ENISA
What is a smart grid?
A smart grid is an upgraded electricity network depending on two-way digital communications between supplier and consumer that in turn gives support to intelligent metering and monitoring systems. That is as simplified, brief definition. Many organizations have however provided us with different definitions of the smart grids (i.e EC, NIST, US DOE), but there is in fact no single, authoritative definition yet.
Why do we need a secure SG?
Smart grids will substantially improve control over electricity consumption and distribution and this is to the benefit of consumers, electricity suppliers and grid operators. They give clear advantages and benefits to the entire society, but the dependency on computer networks and the Internet into future grids makes our society more vulnerable to malicious attacks with potentially devastating results. Vulnerabilities of communication networks and information systems may be exploited for financial or political motivation to shut off power to large areas or directing cyber-attacks against power generation plants. This was demonstrated for instance in 2009 at the US Black Hat conference by Mike Davis, an IOActive security consultant, who proved the weaknesses of the whole metering architecture, and in particular of smart meters that were being deployed on those days. By means of a proof-of-concept he demonstrated that a cyber-attack could be used to get remote control of about 15,000 out of 22,000 homes in 24 hours.
What is the current situation in Europe?
The maturity of the smart grid security in Europe could be evaluated as medium to low; that is what our study demonstrated. We are still trying to find out how to implement the smart grid on our electricity power infrastructure, after which we would conceive how the security should be applied. This is not a good approach, we need to define what instruments we should use (requirements for smart grids) in the smart grid before any other action can be taken into account. Of course there are countries which are considered to be more advanced, and yet other EU Member States, which have not been involved in the development of the smart grids so far. However, the stakeholders (i.e. the European Commission, ENISA, the energy regulators, the industry) have already undertaken initiatives to improve the security of the European smart grid. But we have a long way to go.
What corrective actions are needed?
Some of these initiatives overlap and take place in an uncoordinated and unstructured manner. For this reason, actions should be taken to improve coordination, cooperation and harmonization among the different EU Member States. The first step towards this direction is the creation of a reasonable and comprehensive legal framework around the security of the smart grids which will promote and harmonise the development of the smart grids. At the same time it will provide the different stakeholders with ‘carrots’ i.e. incentives to motivate them to continuously work on the improvement and better adoption of the smart grids.
What are the problems with standardization?
Standardisation is a tool towards harmonization and it contributes to the smooth operation of the market. However, at this moment, we do not have a smart grid standard and we do not have a complete European grid which is smart. However the idea of what will be adopted by the market and what will not be adopted is already in place. The evolution of the business is fast, but not as fast as the evolution of threats. At this moment the evolution of the standards is not in line with the evolution of the business or threats. Because of the several activities domains, there are several actors that participate in the smart grid. For this reason, already defined standards need to be reviewed on a regular basis to ensure that they are in line with the evolution of the smart grid.
What is the next step for ENISA?
ENISA recent report on the smart grid security is addressing 10 high level recommendations to all involved stakeholders for a more secure pan European smart grid. This year ENISA is working on the definition of the different maturity levels in regards to the security of the smart grid and a set of minimum security requirements assigned to each maturity level. This work will underpin harmonisation efforts in the EU. We consider that the definition of these requirements will provide a measurement tool or a framework that could be used by National Regulatory Authorities (NRAs) for:
- Allying the varying levels of security and resilience of the market operators with a consistent minimum national framework;
- Providing an indication of a minimum level of security and resilience in the Member States, by avoiding the creation of the “weakest link”
- Ensuring a minimum level of harmonisation on security and resilience requirements across Member States and thus reducing compliance and operational costs;
- Setting the basis for a minimum auditable framework of controls across Europe;
- Facilitating the establishment of common preparedness, recovery and response measures and pave the way for mutual aid assistance across operators during crisis
- Contributing to achieve an adequate level of transparency in the internal market.
So what it the timeline for ENISA?
ENISA will conclude its report towards the end of this year.
Dr. Konstantinos Moulinos
Moulinos is the manager of ENISA's smart grid security project. He he has worked for more than 10 years as an information systems auditor. Moulinos has been awarded a diploma in informatics, a master of science in information systems and a Ph.D. in privacy enhancing technologies. He has more than 20 peer-reviewed publications covering areas such as information and network security, data protection and privacy-enhancing technologies.
This post does not have any comments. Be the first to leave a comment below.
Post A Comment
You must be logged in before you can post a comment. Login now.