Smart Grid Security

Most of the talk about smart grid and smart grid security, especially in the US, revolves around automated metering infrastructure (AMI). And much of the security discussion has to do with the ability of an attacker to turn power on and off to affect customers and potentially grid stability. How would the security requirements change if the vision of AMI benefits is completely wrong?

Consider two recent, thought provoking articles from Pike Research.

  1. Is Demand Response The Wrong Strategy? – Demand response presupposes that energy is scarce or at least expensive. The authors compare energy to bandwidth and discuss how bandwidth optimizing protocols and networks died in the face of plentiful, cheap bandwidth.
  2. Are Investments In Changing Energy Consumers Behavior Worth It? – This article looks at whether consumers will change behavior based on time of day pricing. It suggests that behavioral science be applied to answer this question.

We should also consider how security requirements would change if the smart meter could not affect energy delivery. What are availability, integrity and confidentiality requirements of energy usage data? Most utilities have back end processes to detect energy theft and a variety of other checks to periodically validate the automated meter read is reasonable. Some are allowed to bill on an estimated meter reading if the actual reading is unavailable. The security requirements may actually be quite low for automated meter reading.

The biggest risk could be reputation risk if a significant number of customers get incorrect billing and this gets picked up by the press. The bills should not be wildly wrong because of back end checks, but even everyone being overcharged by $10 could be a big story.

The privacy requirement of energy usage data is another issue that could affect AMR. The economics of energy usage privacy are terrible as I noted in a recent article from the WEIS conference. The most likely case is users will complain but get used to the occasional breach of energy usage data. Fortunately there is not the economic incentive to get this data like there is for credit card or identity theft information.

Image by Tom Raftery