Engineering News Spring 2016
Don't Fear the Smart Grid
During her sabbatical last quarter, JoAnne Holliday, associate professor of computer science and engineering, stepped out of the classroom where she teaches courses on information security, wireless and mobile networks, and distributed computing, and stepped into the world of smart grid and industrial control systems (ICS) security. "When I started looking into this," she said, "I was a little dismayed because it is so complex. I come from the IT realm and am used to thinking about computer security. But this is an entirely different category."
Before the smart grid came about, Holliday said, electrical system vulnerabilities were mostly due to weather—a tree falling or instability in the grid from natural causes—or vandalism to a piece of equipment. Generally, the disruption was isolated to a particular area, power was rerouted, and the problem was solved. But with the advent of the smart grid comes a vast array of concerns.
"The smart grid connects the staid world of public utilities to the wild and diverse world of the Internet," Holliday said. "Systems operators need to know how to match the generation of power with its usage. It's a real balancing act; if more power is produced than is being consumed, you get electrical instabilities, circuits get out of whack, and the imbalance must be corrected within a few milliseconds or you have real problems."
Monitoring equipment handles these issues to avoid brownouts and blackouts, she explained, but it must react quickly. On the Internet, a two-second delay while a user downloads a webpage results in no harm, but in a more complicated system like the smart grid, vulnerabilities arise. "Especially in computer systems," Holliday said, "the more bells and whistles, the more things can go wrong. Add to that complexity the possibility of intentional foul play and you can have real problems."
An industry this new lacks standards. "In IT over Internet, we're used to assuring all systems are patched with the latest software updates," she said. "In the ICS industry so many levels and versions of software are interconnected, and the lifecycle for software versions is often measured in years—ten years is not unusual! Sometimes utility operators are more afraid of the antivirus software than the virus itself. What if the antivirus software blocks a message that slows or stops the system? In the IT world, we say 'just reboot your system.' In the ICS world, this might interrupt vital operations, and that is assuming the system is not in some out-of-the-way, unmanned substation that requires travel to reboot or even just to press the enter key," she said.
But before you get too worried, Holliday notes, "The good news is that this industry is used to being regulated. They are used to government oversight. Currently NERC, the North American Electric Reliability Corporation, is developing industry reliability and risk management standards for planning and operating the power grids that cover the U.S. and Canada—standards that can be implemented by FERC, the Federal Energy Regulatory Commission.
"We have to remember that the Internet was like this 15 years ago," she continued. "It took many years of annoying viruses before we developed firewalls and antivirus software and ways to ensure that software is updated. Today whole categories of software handle our computer security issues. The electric grid is in the same spot.
"Right now the industry is very trusting and a little naïve," she smiled. "We might be inconvenienced by brownouts or blackouts before it gets its act together. But change is in the works."