Thycotic’s Cyber Security Publication

What is a smart grid and why should I care about it?

September 16th, 2014

In the United States, we depend on the electrical grid to power our homes, our businesses, and several leisurely pastimes (late-night soccer, anyone?). Today, that grid is “smart,” which is a catchy way of saying it uses modern technology for operation and automation, a technology trend seen in everything from consumer gadgets to datacenters.

Just as companies have to protect their networks from internal and external cybersecurity threats, the smart grid has to be secured from rogue forces seeking to disrupt the safe distribution of power.

Are utilities secure enough to withstand attacks?

In March 2014, the North American Electric Reliability Corporation (NERC) released the results of its GridEx II exercise, a two-day drill testing the grid’s preparedness to withstand both physical and cyber-attacks. The report revealed that nearly all 2,000-plus utilities that participated were deemed “insufficient.” And in May 2014, the Department of Homeland Security (DHS) confirmed a cyber-attack against an undisclosed U.S. public utility succeeded in compromising its control system network.

How serious are cyber threats to the smart grid?

In 2013, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of DHS, responded to a total of 256 cyber incident reports against federal systems. More than half of these attacks were aimed at assets in the energy sector. That is nearly double the agency’s 2012 caseload. While there was not a single incident that caused a major disruption with the smart grid, there is clearly a trend at work among cyber criminals, and the law of averages suggests that the more attempts are made, the more likely one of them will succeed. The energy sector will need to rely on IT security best practices to decrease those odds and keep the positive energy flowing.

What does this mean for your company?

You need a backup plan. Unless your company operates off the grid with solar, wind, or geothermal power (and a major battery storage system to slowly release that energy), you are dependent on the electrical grid. There are three separate electrical grids powering the US: an east coast grid, a west coast grid and a central grid in Texas. If your enterprise is large enough to have multiple office locations nationwide, we suggest having an office in each grid section to silo your data security: if one grid is compromised, chances are the others will remain unharmed. Since most companies are limited in where they can have offices, at minimum, make sure you have off-site datacenter backups stored in a section of the grid that is different from where your company is located.

How can utilities and power providers protect their assets?

Electricity providers shouldn’t be strangers to cybersecurity practices. In other words, they need to know who has been granted access to systems that install, upgrade, and manage the smart grid technology. They also need to check regularly to ensure the networks controlling these devices are not breached, and must select high-quality technology with built-in protections. There are risks and benefits to rolling out systems that can automatically and seamlessly communicate with each other. The benefit is that it creates a smoothly operating grid. But remember that smart grids are digital, and if best practices such as password protection aren’t followed, weak points in the grid can cause far-reaching problems.

The energy industry uses contractors heavily, both for office work and for installation, upgrades, and maintenance to the infrastructure itself. Numerous data breaches in the enterprise and government sectors have demonstrated that contractors can often be a weak security link. Contractors need to be properly vetted and trained and must adhere to the same security practices as full time staff, with controls in place to restrict access to necessary systems. Most importantly, their access to network architecture and systems must be revoked immediately when their work or contract period is finished.


Thycotic Team

We deploy smart, reliable, IT security solutions that empower companies to control and monitor privileged account credentials and identities.