Originally published by Forbes. Visit their site for the full piece.
In a distributed world, attack surfaces multiple rapidly and grid edge devices can become weapons
The problem gets worse as the growth of distributed networks of assets create potentially critical issues. The population of these devices is huge and multiplying rapidly. Consulting firm Wood Mackenzie estimates that there are currently 30 million grid-connected assets out there in U.S. homes today, with millions more to come. The company forecasts 88,000 megawatts (MW) of ‘residential flexible potential’ by 2023 (by way of context, the total generation capability of the Texas grid is just under 80,000 MW).
From a cybersecurity perspective, that means there are tens of millions of potential attack surfaces that can now enable hackers to connect to utilities. It also means the bad actors don’t have to go after the utilities’ centralized – and relatively well-protected – Supervisory Data Acquisition and Control (SCADA) systems that run their networks. To destabilize the grid, hackers may soon have have tens of thousands of megawatts of relatively unprotected distributed flexible devices whose behavior they can manipulate to destabilize the grid through a coordinated botnet type of attack.
Rothrock cautioned, “To the extent that we become more and more automated in control of extended systems and…we put this attack surface out there, disconnecting things can be very disruptive without destroying anything.”
He is concerned about vendors, who have focused principally on getting products into the market, with little focus on hardening assets from a cyber perspective,
Those vendors, I don’t think they understand the vulnerabilities they have created. We talk to a lot of IoT vendors. Building an IoT device that is hardened is just not on their roadmap. It takes money and time, and they are focused on cheap and plentiful.”
He commented that it would be helpful for regulation to require cyber standards from UL or from IEEE, but there’s not a comprehensive cyber UL yet. The good news is that the SunSpec Alliance – an association of over 100 companies and organizations active in solar energy and inverters aims to change that in the near future. The organization has been coordinating with Sandia National Laboratories in a distributed energy resource cybersecurity group. It noted in a recent webinar (minutes 28 and 29 of the recording) that it has formed six groups to address various areas ranging from access controls to secure network architecture. It also plans to develop specifications for potential future certification by UL.