disrupt key components of it. No damage or blackouts occurred, but the possibility is still there.
“Risks do exist,” says David Baker, director
of services at IOActive, a Seattle, Washington,
USA-based provider of smart grid and computer
IOActive released a report in March saying the
technologies are susceptible to common security
vulnerabilities such as buffer overflows (when a
system attempts to store data in an area outside
the primary database) and rootkits (programs
designed to hide or obscure the fact that a system
has been compromised). Either scenario would
leave utility companies open to fraud, extortion,
lawsuits or widespread system interruption.
Those risks also extend to corporations
installing smart grid devices within their firewalls
to manage power and resources—giving hackers
an access point beyond the very mechanisms
designed to keep them out.
That doesn’t mean the technology shouldn’t be
deployed. Rather, smart grid implementation
projects simply need to be designed or improved
with security in mind.
And to ensure those risks are managed properly,
utilities and government agencies need to establish
requirements, says Mr. Baker.
“The government needs to develop standards for
utility equipment, and the utilities need to drive
vendors to take action and fix problems,” he says.
The best approach is to implement a security
design life cycle as part of the entire software development process, says Mr. Baker.
“From a project management perspective,
you need to build security into the product
design system from the beginning,” he explains.
“Then you need to revisit security issues
throughout the project to be sure problems
are being addressed.”
In Singapore, the government-run Energy
Market Authority launched a pilot smart meter
project involving some 1,000 households and
seems well aware of the risks.
“In ensuring a secured smart grid, the key
considerations are to identify the threats and
vulnerabilities, protect the network, reduce or
eliminate system vulnerability to physical or
cyberattack, and minimize consequences of any
disruption,” David Tan, deputy chief executive
of energy policy and planning at the authority,
told ZDNet Asia in June.
During the planning phase, IT project team
members should look at how the technology
could be exploited or broken so they can incorporate solutions into their designs. And those
security evaluations should be integrated into the
“If you wait until the end of the project to
consider security risks,” Mr. Baker warns, “it
becomes a much harder problem to solve.”