Keeping smart grids safe
Gary Peters speaks to Dr Sujeet Shenoi* about cyber security for smart grids and how to make sure a digitised electric power infrastructure isn't exposed to any risks that can cause a power outage.
Tell me about your background and career to date.
I'm a professor of computer science and of chemical engineering. For the past 25 years I've been looking at attacks on infrastructure and coming up with defences. You have to push the frontier of attack techniques – I don't mean actually attack infrastructures (although we do this some of the time), but develop attacks and come up with tactics [to fight them]. Then, go ahead and build the defence methods.
Your work must have changed over those 25 years?
Yes – it is becoming more sophisticated. My students and I look at any and all techniques, so nothing is out of scope.
You recently did research on how smart grids are vulnerable to cyber attacks – what was the inspiration for this?
Let's start with some background. The first technology that humans exploited was farming and the wheel. Because of that, we could control large swathes of land. The next was maritime technology, when a small country like Britain could rule the waves.
The sea was so important because you could move a lot faster than on land. The next domain was air and, starting in the 1960s, we exploited space, moving at 18,000mph, with more advanced technology.
Then, 20 years later, we began to exploit cyber space. Cyber space, for me, truly is one domain to rule them all. This is why it is so important. Everything that we do involves cyber space in some way.
Cyber devices permeate the critical infrastructure. If these devices are attacked, assets go down. If it's a large-scale attack with long-term outages, we're in trouble.
Your findings suggest that attacks against smart infrastructure are a clear and present danger – can you expand on that?
There are specific infrastructures that are important. The most important is the electric power infrastructure – we cannot survive without it. You can't manage in metropolitan areas [without electricity] – we would see mass migration.
Next is the information and telecommunications infrastructure. There's a famous ice hockey player who played in North America, Wayne Gretzky. When he was asked how he scored so many goals, he said he skated to where the puck will be, not where it is. If you look at skating to where the puck will be, the critical infrastructure that is most advanced is information and telecommunications. These technologies are rapidly adopted by the other infrastructure sectors. Therefore, understanding the attacks on these technologies and defending against them helps protect the entire critical infrastructure.
Also important is the financial infrastructure. It shows the types of attacks that could target other sectors in the future.
There are two major groups that launch cyber attacks – governments [as in nation states], and organised crime. Nation state attacks are generally very hidden, whereas organised crime attacks you can get access to. I've been able to see attacks by criminals in my career, which has given me an insight into what might be over the horizon.
Do you predict that is very likely that attacks will hit the smart grids and power infrastructure of the future?
Yes – if you're the number one critical infrastructure, you are a very attractive target. Attackers want maximum mayhem. As defenders, we must be prepared to handle the worst.
Are people ignoring the threat or are they putting in place defensive measures?
They are trying to but there is not enough money in the universe to pay for all of it. All you need is one attack.
Look at the smart meter and why it is important. We are going to have smart devices and, with the Internet of Things, your smart washing machine could communicate with the power grid to find out when the price of electricity is low. All of this can be done using the smart grid.
People are also going to generate their own electricity. In a grid you have to balance demand and supply, if you don't, you get blackouts. Balancing electricity demand and supply in real time is difficult, so you need intelligence. The first phase of the smart grid is the smart meter infrastructure. There will be billions of smart meters worldwide.
The problem is, there could be millions of points of failure. In Ohio, USA, in 2003, a few points of failure grew and grew. The cascading failures led to what we call the Great North American Blackout.
Smart meters are problematic. Take a big city, with about six million smart meters. What happens if you send a worm or virus that ‘bricks’ the meters, which makes them no more useful than bricks? Let's say two million meters go down. The companies I know make about 10,000 a week, but you want to replace two million. How are you getting those meters?
This is what I am worried about – millions of points of failure.
What can be done to protect smart meters?
The first thing is diversity [of vendors] – this way one attack will not ‘brick’ them all. Then we need to tackle the problem head on. We should stop implementing things just because we need them – we also need an understanding of what can go wrong, and to build in security from the ground up, starting with the design phase.
You can obviously have technological fixes and also laws and policy. But what I would like to see is something like a Geneva Convention for cyber space. Countries should get together and say, you know what, we don’t use poisonous gas, now let’s make sure that we do not target cyber space and the critical infrastructure.
We could start taking nation states out of the equation [of attacks].
How feasible is something like that – surely it would take time?
Not really, if my students and I can figure out attacks, lots of people could do it.
Think about it, a smart meter can either be 'bricked' with the current on or off – it's nothing more than a switch. If it's on, you continue to get current, if it's off, you won't. If the meter fails with the switch on, you won't have a power outage, so that’s a fail safe. But, God help us if hackers break the fail-safe measures. Let's manage the risk.
What's next for you in your work?
We are continuing to look at these problems. The smart meter infrastructure is a massive manifestation and an enabler of the Internet of Things.
Do you know of any examples of attacks against smart meters?
Yes, I have seen some examples. Everyone talks about attacks – we need to talk about defences and look at defending these things and we should start a dialogue with everyone – the utilities, governments and the public.
I passionately believe countries need to get together. They need to put their feet down. They need to make sure that the electricity infrastructure and other critical infrastructures are not attacked. [An attack] could harm millions of innocent people.
Dr Sujeet Shenoi* is the Walter Professor of Computer Science and Professor of Chemical Engineering Sciences at The University of Tulsa, USA. His recent research, published in International Journal of Critical Infrastructure Protection, looks at how smarter electricity distribution can be protected against cyber attacks.