Energy Insecurities: The Downside of Being Too Smart

By John Bumgarner


Legal Issues. Security protection for smart appliances could involve a number of different legal aspects. There may be a role for government regulation, such as minimum standards for cybersecurity controls within the appliances. Additionally, contracts between utilities and their customers will need to address the rights associated with information collected from smart meters and smart appliances. Laws and regulations normally lag behind the deployment of technology, so privacy issues will likely increase in importance in the future. For example, a utility that is able to control a customer’s smart appliances through established agreements may have access to personal usage information (PUI), which it could collect, use, and retain. For instance, a smart washer connected to a smart meter could tell the utility how frequently laundry is done in the household. A usage report may show that, on average, this household does eight loads of laundry per week and that three of those loads use the most energy, because they use the sanitization cycle of the machine. If you combined this information with data collected from other smart devices—such as the dishwasher, oven, microwave, water heater, and thermostat—the utility could construct a lifestyle profile for an individual household. Customers’ agreements need to outline how this PUI will be protected and used by the utility.
Consumer privacy will also be vulnerable to the services used by consumers to monitor their energy consumption and control their smart appliances. Some companies, most notably the Internet search behemoth Google, are already entering the market to provide real-time information to consumers. In 2009 Google released PowerMeter, an application that is designed to query smart meters connected to a consumer’s HAN for real-time information on energy use by appliances connected to the smart meters. Technology, such as Google’s PowerMeter, will eventually allow consumers to monitor their residential energy consumption via the internet, such as from a mobile phone that runs Google’s Android operating system, or from a personal computer or Apple’s iPad. With the ability to control their appliances remotely, utility customers will be able to take actions to reduce their energy bills from anywhere in the world, in response to real-time price information. 
Information collected by energy management providers can and probably will be used for a variety of business purposes. Will customers of these services be targeted for advertising related to purchasing new smart appliances or other services that could further reduce their energy usage? Will they be targeted for product marketing campaigns related to their usage patterns? For example, will customers that use their washing machines more intensively receive coupons for Tide detergent?  Companies that provide control services will also be able to track information about how their customers use their services, including the frequency with which they check their energy usage, their sensitivity to price changes, and even their physical location at the time they use the services. Could this information round out the service’s profile of its customers and further be used to target them in unforeseen ways?
Portability and interoperability are also potentially important in a competitive market for personal smart meter monitoring technology. Will historical energy consumption maintained by one service provider be portable to another? Additionally, how will this technology shape interoperability standards for IED-enabled appliances? Furthermore, as a first mover in the market for energy management, is Google likely to have a disproportionate influence on interoperability and other issues?
While questions about privacy, portability, and interoperability loom large in Google’s PowerMeter architecture, so do the cybersecurity concerns. For example, could hackers compromise PowerMeter user accounts using the "drive-by-download" techniques commonly used by cybercriminals to conduct illicit activities? Would a mischievous attacker use this access to randomly cycle devices on or off that are being controlled by alternative architecture?
Green power insecurities. Smart meters, intelligent appliances, and consumer-level energy management services are only pieces of the energy sector’s resiliency plans. One of the other key pieces is the development and deployment of power generation systems to reduce America’s reliance on finite resources, such as coal and oil. The manufacturers engineering these alternative power generation systems need to take into consideration the potential cybervulnerabilities within the underlying architecture. For example, renewable energy projects involve components, such as wind turbines, that are controlled by computers. This computerization potentially makes these turbines vulnerable to the same kind of attack that was demonstrated in the Department of Energy’s Aurora project, in which a cyberattack was launched against a generator analogous to components within the national electric grid.
Attackers who wish to maximize damage or disruption may in fact prefer to launch attacks against renewable generation capacity, which may be more geographically concentrated—and centrally controlled—because of the availability of wind or sunlight. Many large-scale renewable projects are being planned. For example, a single wind farm that has been proposed in Oregon, Shepherd’s Flat, will have more than 300 computer-controlled turbines. In another example, the state of California has plans for massive photovoltaic projects with computer-controlled components. These components help to improve the effectiveness of solar electricity generation by adjusting the elevation and orientation of the photovoltaic arrays in relation to the sun. But they also increase the vulnerability of these systems to a disruptive cyberattack. For example, what if a mischievous attacker instructed random photovoltaic arrays to orient themselves in directions polar opposite to those they were instructed to take? What if the attacker reprogrammed the arrays not to accept elevation corrections from the operator?
The security challenges of smart grid implementation are daunting, in part because many projects are already under way across the United States. These projects, many of which have been funded by the 2009 stimulus package, are likely to deploy millions of smart meters. The federal government therefore lost an incredible opportunity to integrate federally-required security controls into these initial implementations. Before expanding the deployment of smart grid or smart utility technology, the federal government should re-evaluate its investments in this technology in light of growing concerns about cyber security.
Securing America’s energy sector from cyberattacks requires an aggressive and holistic approach, which demands considerable commitments by the energy industry and the government to protect this vital infrastructure. It has been over a decade since an American President declared the electric grid a national security concern; let’s hope it doesn’t take another decade to mitigate the consequences of cyberattacks against this critical industry. 

John Bumgarner is the chief technology officer for the U.S. Cyber Consequences Unit (US-CCU) and a senior research fellow in International Security Studies at the Fletcher School of Law and Diplomacy of Tufts University.  He has been a member of ASIS for over a decade. The terms "warmetering" and "personal usage information" used above were coined in this article.