Protecting the power grid
By Tiaan van Schalkwyk
Senior Manager: Risk Advisory
Johannesburg, 16 July 2013 - The environment of power utilities has become more complicated as utilities embrace digital forms of interchanging information with stakeholders, and because of supply and demand optimisation enabled through smart meters for consumers. However, with this comes the added responsibility of ensuring that cyber-security requirements are met in order to avoid the potential malicious disruption of power supply that could cripple the economy of a country.
In South Africa, load shedding remains an ongoing concern - more so because several weeks of winter still lie ahead. What the utility and municipalities do not need is cyber-security attacks compounding any issues that may already exist around the availability of power.
Smart metering enables better participation of the consumer in the drive to reduce consumption, but it also provides an easy access point for potential malicious users. The smart meter sits at an individual’s house or at an office, and ordinarily has very little security around the device (physically and digitally). Historically, utilities had closed networks that could better protect such devices. Today, unprotected smart meters are more open to attack because they use internet communication protocols to transmit information to the provider.
Adding to the threat is the rise of hacktivism in which cyber-attacks (hacking) are not for financial gain but are politically motivated. There is a real possibility that these hacktivists could align themselves to labour or other socio-political causes and target the smart metering system.
If cyber attackers, or any other malicious individuals or groups, affect the smart metering ecosystem in South Africa, then there is a very real risk to the reliability of electricity supply that could have a significant detrimental economic impact on the country and the region. Fortunately, there are measures that can be taken to protect electricity supply from cyber attackers. As a starting point, consideration must be given to extant and emergent international security standards that have originated as a direct result of cyber threats. These standards include the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), the Electric Subsector Cybersecurity Capability Maturity Model (ES-C2M2), and the ISO/IEC 27032 Guideline for Cyber-security.
Utilities worldwide need to be aware that while the physical threat remains, the digital one is just as significant. This is especially true when looking at the growing use of mobile devices by service engineers in the field and the use of USB storage devices. While these devices are convenient for collecting and submitting information, each is an external device that is as vulnerable to attack as any other. Thus not only do the physical parameters need to be protected, but also the network and the mobile devices.
To be truly effective, utilities need to be prepared and sufficiently aware to know immediately when someone is attempting to hack into their systems. The level of preparedness must empower the utility to contain, monitor and repair any damage on the same day. While the identity of the attacker or group of attackers might not always be determinable, the question is how resilient the organisation is and how quickly operations can be restored to a desirable state, damage limited and remedial action taken.
Furthermore, in the age of smart meters, utilities are not only protecting themselves from attack but are also protecting the information of their customers. This information could be used to determine behavioural patterns, such as when consumers are not at home. In many jurisdictions, soon to include South Africa, this information poses a significant risk in terms of legislation protecting personal information.
Utilities therefore have an important role to play in protecting not only themselves, but also the economy of the country. An important step is to acknowledge that there is a need for cyber-security and then determine what forms of attack are being perpetrated by malicious individuals or groups. By doing so, an internal skill-set can be built to counteract the threat.
Ultimately, standards and regulatory compliance that consider cyber-security in its entirety need to be put in place. The consequences of not taking security seriously are too significant to ignore.