Government needs joined-up cyber security policy to protect smart grid
Consultants advise DECC to implement national security framework for UK power companies or face the consequences
The government has been advised to co-ordinate data security measures for power companies building a UK smart grid, or risk disruption to the nation's electricity supply.
The Energy Networks Association (ENA), the industry body for UK wires and pipes companies that carry electricity and gas to UK homes and businesses, yesterday published an independent report compiled by consultancy KEMA aimed at persuading the Department for Energy and Climate Change (DECC) to help establish a framework for security management across the national grid.
ENA operations manager Paul Smith admits it is early days for the smart grid proposal: unlike with the smart metering scheme, which will give consumers the means to automatically transmit electricity usage back to suppliers, the government has not even declared definitive support for the smart grid as yet.
But Smith argues that given the potential for disruption to the UK economy, it is important to build a co-ordinated cyber security management policy into any initiative from the start.
"We have to make sure we get it right, we cannot just go along the line of automating equipment without securing it, and if we do not secure it, it presents an opportunity for hackers to terrorists to disrupt it," he said.
Energy minister Charles Hendry promised to "study the ENA report's recommendations carefully" before the government publishes a strategy for smart grid development of its own as part of a broader white paper on electricity market reform.
Currently the UK's eight distribution network operators (DNOs), which include UK Power Networks, Western Power Distribution, and Scottish and Southern Power Distribution, manage and operate their own communications and data networks.
If and when a UK smart grid that combines the regional electricity distribution infrastructure is implemented, a common, centralised approach to data security, and associated risk assessment, across all eight companies will be essential, said the ENA.
"This requires a defined cyber security policy, driven and enforced by top management, including appointed ownership and accountability through all managerial levels to operations," wrote the report's authors, KEMA consultants Mark Tritschler and William Mackay.
Data security issues unique to smart grids include having to protect large volumes of automated equipment, particularly in systems substations, governance of non-IT or supervisory control and data acquisition (SCADA) equipment, and the use of industrial control system (ICS) development software and applications on laptops and portable devices used by field engineers.
The Stuxnet worm, which infected Siemens ICS software running on Windows PCs at an Iranian nuclear power plant last summer, has raised awareness of the potential damage that hacking attacks on utility companies could cause.
Nuclear disaster is a worst case scenario, but any disruption to the UK's regional or national power supply can cause large-scale economic damage and even data loss when datacentres, servers and other systems are downed.
KEMA's report takes a top-down management view that is largely short on technical details, proposing an industry-wide, collaborative national cyber security initiative, a national smart grid risk assessment process, an operational security management system to bring cyber security under explicit management control, and the implementation of a technology change management strategy across the eight DNOs.
"There is a lot of thought about getting the right equipment in place, but what we really need is a management approach," said Smith.
Smart grids attempt to predict and respond to fluctuations in demand and supply so that providers can deliver power more efficiently, reliably and economically. They rely heavily on modern networks and communications devices that constantly transmit large volumes of digital information.
Research published by Pike Research forecast that investment in smart grid technology infrastructure will reach $108bn worldwide by 2020, with annual spending averaging $16bn.
Smith refused to divulge how much money the UK DNOs themselves were currently investing in smart grid infrastructure. With no government funding available, the ENA is more interested in getting regulatory approval than financial assistance.
"There is significant investment going on though I am not in position to share those details at the moment," said Smith. "We do not have the green light at the moment but I think we are only a year or two away."