A new report released by Pike Research, “Utility Cyber Security: Seven Key Smart Grid Security Trends to Watch in 2012 and Beyond,” puts it bluntly: “Utility cyber security is in a state of near chaos. After years of…utilities investing in compliance minimums rather than full security and attackers having free rein, the attackers clearly have the upper hand.”
A discussion of the report at Infosec Island notes, “One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.”
A lack of security standards is also a huge problem. Currently there are no enforceable smart-grid security standards anywhere in the world for power distribution grids. This lack of a stick to make utilities focus on smart-grid security has led to many utilities investing in cyber security only “when financial punishment for not investing is threatened,” the report says.
Carefully crafted guidelines such as U.S. NIST Interagency Report (NISTIR) 7628 are helping, but because they are not enforceable standards, “utilities and vendors that would like to take action now to produce secure smart grids face a quandary: Which guidelines are going to survive? How is it possible to stake a direction now for cyber security and know with assurance that laws enacted several years from now will support that direction?.... Those who choose to plow ahead now risk losing their entire investment if future laws invalidate their approach.”