Cleantech Hacked!

It’s always fun when two of our favorite things come together.  Peanut butter and chocolate.  Mohammed Ali and George Foreman.  Pizza and beer.  This week saw a combination of two of my favorite topics to follow, cleantech and cybersecurity, with exciting stories worthy of a John LeCarre novel.

The Government Accountability Office (GAO), Congress’ watchdog agency that monitors the rest of the government, published an important report about the vulnerability of the smart grid to cyber-attack.  At the same time we rework our electrical grid making it more networked in order to improve energy efficiency we are also increasing the points of entry for those who would seek to do damage our energy infrastructure either for money, ideology, or to engage in warfare.  Perhaps the most significant demonstration of the damage a cyber-attack can inflict on energy infrastructure comes from what is reported to be a combined U.S.-Israeli attack on Iran that physically destroyed uranium enriching centrifuges by exploiting a vulnerability in the Siemens Process Control System 7, a system that is used in energy systems around the world.

The GAO report noted a number of significant challenges.  Many parts of the IT infrastructure being put into the smart grid lack even basic security features such as event logging, which would allow utilities to see when they are being probed or analyze an attack.  The National Institute of Standards and Technology (NIST), which was charged by Congress with developing cyber-security standards for the smart grid, failed to look at ways to safeguard against a combined physical and cyber-attack.  In many cases utilities are merely seeking to meet regulatory standards rather than think through ways to establish a comprehensive security system.  Part of the problem is that government entities often control whether utilities can seek to recoup investments in smart grid technology which leads to underinvestment in cyber security features.

In response to these challenges the GAO recommends that the NIST finalize its cyber-security standards and make sure they include issues that were not previously addressed.  They also recommended that the Federal Energy Regulatory Commission coordinate with state regulators “to periodically evaluate the extent to which utilities and manufacturers are following voluntary interoperability and cyber-security standards and develop strategies for addressing any gaps in compliance with standards that are identified as a result of this evaluation.”  Both agencies agreed with the recommendations.  Retrofitting infrastructure with improved cyber-security features is obviously more difficult and expensive than building it right the first time so hopefully utilities and the government regulators can get their act together as soon as possible before much more smart grid build out takes place without the needed features.

In a creative heist that sounds like something out of Ocean’s Eleven cyber thieves have stolen about $38 million worth of carbon emission credits from the online EU Emissions Trading Scheme (ETS) platform.  The ETS, which traded around $122 billion worth of credits in 2010, was temporarily shut down in response to the thefts.  Member states were urged to improve security of the trading platform last year after a series of smaller frauds but a number of governments failed to do so citing a lack of money for the upgrades.  Analysts have pointed out that one silver lining to all of this is that it demonstrates that people understand that carbon credits are something with real value, at least in Europe.  Pike research in a report about Electric Vehicle Cyber Security shows how similar fraud could potentially be perpetrated through electric vehicle charging infrastructure.

The common theme through all of these reports is that as our energy infrastructure becomes more networked and more high value transactions related to energy take place online we are going to see more criminal activity and perhaps cyber-warfare taking place through our energy systems.  And unless we start taking the design and implementation of security standards throughout this infrastructure seriously we are going to be reading a lot more about spectacular energy related hi-jinks in newspapers and in blogs just like this one.