However, just because security is implemented does not mean the architecture is safe. In the security world, implementing security controls is associated with managing risk to the infrastructure. Since the impact of an event can be easily determined and measured, the level of criticality also can be determined fairly easily. If no security is applied, the likelihood an event will happen increases. Using the traditional risk model of impact times probability, a utility can associate a risk level with the AMI architecture. However, given the dearth of reliable incident data, this process is often very subjective and requires a significant amount of extrapolation.

Utilities must measure risk in order to devise mechanisms to manage the risk. Moreover, the only way to measure risk is to determine, to some extent, the probability of an attack. In high-impact systems such as AMI or other smart grid elements, utilities should understand what security controls are available, implemented and not implemented. This provides utilities with an understanding of what their risk level is so they may provide informed assurance to their consumers that they are making an effort to support reliability from a cyber security perspective.

Because security can be quite ambiguous and interpreted differently without standardization, it will be increasingly important to standardize controls that are necessary to reduce risk. The best way for utilities to provide assurance that their cyber security risk is being properly managed is to require their smart grid elements to adhere to a standard set of security principles.

Opportunities Abound

Smart grid offers a wealth of opportunities to increase energy independence, conserve resources and reduce costs. Like any innovation, new risks are bound to arise. From a cyber security perspective, giving utilities a better view of their operations and greater control over long distances means that hackers able to insert themselves into the communications channels could benefit from these improvements in automation. This is inevitable and simply means the risks shift. After all, greater awareness of the environment means fewer and shorter outages as smart grid technology is leveraged to pinpoint events and anticipated events more quickly.

Smart grid presents an opportunity to improve reliability and security rather than put the grid at greater risk, but to do so requires constant vigilance and proactive steps to address new risks. This is all possible if everyone works together to solve today's challenges rather than those of yesterday.

Michael Echols (Michael.Echols@corang.com) was previously a Critical Infrastructure Security Practice lead at SAIC. He has recently taken a position as a security principal for a utility in Arizona, where he will continue working in the energy and utility market, developing and delivering transformational cyber security solutions for critical infrastructure and smart grid technology. Echols is recognized for his expertise in cyber security compliance and posture analysis for utility control systems.

Gib Sorebo (sorebog@saic.com) is a chief cyber security technologist at SAIC. He has more than 17 years of experience in the IT industry and is recognized for his expertise in information security compliance. He is also the co-lead of SAIC's Smart Grid Security Practice.