Smart meters are coming – the first wave of the "Internet of Things." Which means that, quite suddenly, electric utilities must deal with a fundamental and critical information security challenge.
This is new, very new. To be sure, from its earliest days as ARPAnet, the Internet has drawn its power almost entirely from the electric utility grid. Organizations might have generators that could kick in during a power outage, but day in and day out, PCs and servers get their power from the plug. Your laptop and mobile device may run on a battery, but sooner or later – usually sooner – you need to plug it in to recharge.
Until very recently, however, the relationship between electric utilities and the Internet ran only one way. The utilities provided the juice, but they themselves were not online, or barely so. They sent meter readers around each month to read customers' electric meters. A clerk typed the readings into the billing system. Only then did IT get involved.
For the utility industry, information security was almost entirely a matter of protecting customers' account information. This was an important job, but a fairly straightforward one. And it had nothing to do with securing the power grid itself.
On one level the challenge is a matter of user privacy. Your electric power usage pattern is all too revealing of your habits and lifestyle. Transmitted to unauthorized persons, it could make burglary the latest in cybercrime, or be misused in scores of other ways.
In the wrong hands, control of information from smart meters could also threaten the grid itself. At minimum, false data on electrical demand could trigger electric power stations to go off line, leading to cascading blackouts. Potentially such false data could overload equipment, causing physical damage that cripples the grid for weeks or months.
Responding to these threats and risks, the Department of Energy (DOE) put out an official notice last year advising utility companies to make cybersecurity a top priority. Among the recommendations is that utility firms appoint a security officer who reports directly to top management. The recent National Defense Authorization Act (NDAA) of 2013 further provides utility security funding to the DOE.