Internet of Things (IoT) devices get a lot of press, as you’d expect from a category planning to put about 41 billion devices in play within the next few years. For most of us, the face of IoT is consumer devices such as Internet-enabled smartwatches, security systems, doorbells, fridges, etc. But the smart power grid may present IoT’s most game-changing application—and industry regulators are scrambling to keep up.
What IoT Means for the Grid
As our blog post on “The Security Challenges of IoT” describes, the things that make IoT devices effective (they’re highly connected, inexpensive and pervasive) frequently make them a security problem. To recap, IoT includes anything that collects, processes, and shares data via the Internet. Innovations such as RFID tags, expanded broadband access and cheap, low-power processors have all led to a mindset that “anything that can be connected will be connected.” The wide rollout of 5G will only accelerate the trend.
America’s electrical system has raced into this space. Utilities companies are the world’s largest users of IoT devices, thanks largely to smart electrical meters attached to homes. That’s bad news for the world’s remaining meter readers, but a boon for companies and consumers wanting constant, instant information about power usage. Gartner estimates that utility companies have 1.37 billion IoT devices in service right now, well ahead of the second-place physical security industry’s total of 1.09 billion devices.
Further up the electrical supply chain, IoT is proving just as valuable. With data constantly flowing in from every corner of the industry generating and transmitting electricity, a smart grid will:
- Reduce power outages
- Restore service faster
- Integrate renewable energy
- Increase transmission efficiency/reduce energy loss
- Reduce overall costs
- Provide consumer access to data and usage
For one example of IoT’s potential, consider how a smart grid can mitigate the impact of a power outage. IoT devices can detect the source of the outage, isolate the problem and reroute power to places with the greatest need, such as hospitals or telephone lines. Massive amounts of real-time data will also carry advantages such as making it easier to store and transport renewable energy, decreasing our carbon footprint and reliance on fossil fuels.
The Risky Side of More Connections
Of course, the good guys aren’t the only ones who can take advantage of an electrical grid connected to everything. In the pre-IoT world, compromising the grid required physical access. To hack anything, you would need to physically access a power plant, substation or transformer to plug into the controlling systems. If you simply wanted to wreak some old-school havoc, you just needed to get close enough to destroy a transformer or other equipment. From an information security standpoint, most of the grid was effectively air-gapped and isolated from the next component in the process.
Billions of new IoT devices, however, create a seemingly infinite attack surface. Any IoT device can become an entry point a hacker uses to pivot into a larger system. And with most IoT devices carrying notoriously weak, outdated security measures, that’s a legitimate everyday threat.
The smart grid creates issues in the following areas:
1. Access Points – IoT devices create millions of doorways that hackers could use to, at least in theory, access the entire U.S. grid.
2. Trust – The companies and products used throughout the grid will need to prove their dependability and certify that they are as secure as they say.
3. Communication – Internet communications within the grid must be protected from interception.
4. Privacy – Regulations must control how companies and the government use the vast amounts of information collected through IoT devices.
How to Secure Your Connections to the Grid
With an industry moving as fast as IoT, the industry and government are forever playing catch-up with regulations that keep America’s grid secure. In part 2 of this blog series, you can read about the latest regulatory guidelines issued to protect the grid.
The new regulations are significant enough that some of Pratum’s clients are restructuring their operations specifically to better manage new compliance factors. For example, one electrical company that manufactures electrical relay products decided to spin off the relay operations into a standalone company so that the larger company wouldn’t have to manage extensive new rules affecting that category.
The best way to understand your exposure and legal obligations in this space is to bring in a security consultant to evaluate your specific situation. Pratum’s risk assessment, penetration testing and vulnerability scanning services identify exactly what openings may exist in your systems. Our consultants also specialize in helping companies understand how government standards apply to them and prepare their compliance strategy. Many of our clients have learned that taking a leadership position in cybersecurity gives them a competitive advantage.
Large customers (including the government itself) increasingly award contracts to companies who can prove their cybersecurity strategy is up to date right now. Contact Pratum for help in understanding the rapidly evolving world of electrical IoT and planning your next steps.