Capstone Team Report - The Vicious Circle of Smart Grid Security
The Vicious Circle of Smart Grid Security
Justin A. Turner, Amit K. Barik, Reuben Mathew
Justin.A.Turner@colorado.edu, Amit.Barik@colorado.edu, Reuben.Mathew@colorado.edu
A capstone paper submitted as partial fulfillment of the requirements for the degree of
Masters in Interdisciplinary Telecommunications at the University of Colorado, Boulder,
3 May 2011. Project directed by Jose R. Santos.
1 Introduction
The massive push for energy efficiency and conservation is driving rapid development and
deployment of Smart Grid technology around the globe, effectively driving integration and
connection of Supervisory Control and Data Acquisition (SCADA) systems closer and closer to
the user edge. The resulting network is vast, complex and very similar to the Internet. This
environment greatly increases the possibility of cyber-attacks (Ten, Liu, & Manimaran, 2008) by
introducing attack vectors that were nonexistent in the past. This is a serious threat to the
national power infrastructure that must be addressed. The tragic events surrounding the
Fukushima Daiichi nuclear power plant following the massive 2011 earthquake in Japan
underscore the importance of system availability and data integrity. Initial reports indicate that
primary systems remained intact. Unfortunately, critical auxiliary systems and communications
infrastructure were significantly damaged. Without these systems, the reactor core is on the edge
of a catastrophic meltdown. In 2010, the Stuxnet worm discovered in an Iranian nuclear plant
could have created a similar situation. Several reports suggest that damage was extensive
enough that it will take several years to recover from. Stuxnet demonstrates how devastating
a highly sophisticated and focused cyber-attack can be to a power utility. “If the critical
infrastructures of the world are to be safe and secure, then the owners and operators need to
recognize that their control systems are now the target of sophisticated attacks. Improved
defense-in-depth postures for industrial control systems are needed urgently. Waiting for the next
worm may be too late.” (Byres, Ginter, & Langil, 2011) Unfortunately, we are treading down a
dangerous path. Actions taken by utility companies, equipment manufacturers and regulators are
not adding up to form the safe and secure environment in which the “smart grid” needs to become
a reality. We believe that in order for stakeholders to build an advanced, efficient and attack-
resilient smart grid, we must address the considerable gaps that exist between each stakeholder.
According to the Department of Energy, “if we approach issues of reliability, affordability,
energy independence and grid security piecemeal, piecemeal solutions are all we will get.” (DoE,
2010) The statement is clear! Utilities, equipment manufacturers and regulators must work
together to solve the cyber-security crisis that we are seeing unfold within the power industry
today.
2 Methodology
This paper will analyze the perspective of three critical stakeholders. We will start with the
Utility companies, followed by Regulators responsible for developing policies to shape the
industry and finish with a look at the equipment manufacturers. All parties have a critical role in
delivering the smart grid; however, each has a unique set of challenges with respect to addressing
cyber-security. This paper seeks to identify the most critical gaps that exist between the
stakeholders today. With a better understanding of the existing environment we can then make
recommendations to close gaps, improve awareness and ultimately strengthen the overall security
posture of the smart grid going forward.
3 Analysis of Stakeholders
3.1 Utilities
Utilities in the United States are a mixture of public and private companies. Similar to other for-
profit businesses, they strive to maximize profits in order to survive and provide services to
society. Currently, electric utility companies are leveraging U.S. stimulus money to rapidly
deploy smart meters throughout the U.S. (Mills, 2010). It can be inferred from current research
that utilities are expanding their markets by working on multiple smart grid projects
simultaneously (Leeds, 2010). From a security perspective, this rapid deployment approach is
troublesome as it decreases the amount of time to plan and deploy security measures. This in
turn increases the cyber threat surface to the power grid by exposing new devices that are not
fully vetted and secured.
According to a recent report, “U.S. based utilities will invest $21 billion by 2015 in cyber
security related activities and technologies to protect the smart grid” (Pike Research, 2010). This
is only a prediction; however this indicates the substantial monetary requirement for securing the
grid. Even though the government is supporting utilities to some degree, small to mid-sized
companies are not often capable of investing in their cyber-security infrastructure at high enough
rates to maintain a good security posture. According to Bigger and Willingham (2005), small
electric and gas utilities are concerned with what they see as “looming security requirements”
that they cannot afford or whose results will not benefit their customers. This indirectly creates
two possible scenarios which negatively affect the security posture of the entire smart grid. First,
small utilities which are unable to rapidly invest in security will form weak links in the
interconnected smart grid. Second, if smaller utilities have little to no influence over vendor
decisions due to lack of spending ability, larger utilities will disproportionately influence
manufacturing decisions. The resulting equipment options may not be suitable for smaller
deployments and will force smaller utilities to selectively choose only core capabilities without
advanced cyber-security options.
The rapid state of change combined with the monetary challenges highlighted above is
creating a difficult environment that utility cyber-security professionals are struggling to
overcome. One of the major problems faced by utility companies is “explaining the technical
advantages of cyber-security to their executives” (Wheatman, 2011). Metrics that show
clear business advantages to investing in cyber-security are hard to find. This makes it
increasingly difficult to justify what are in many cases mandated cyber-security practices.
Cyber-security training programs can be expensive and are not always implemented willingly as
a result. Additionally, there is a knowledge gap between IT security personnel and SCADA
engineers. All of these challenges contribute to difficulties with implementing strong
cyber-security practices and technologies within utilities (Clements & Kirkham, 2010).
Looking at security from another perspective, interoperability is one challenge that is
widely recognized but largely unresolved. “The need for standards is urgent” (Lee, 2011).
Defining standards and migrating towards them is important for the smart grid to become a
reality; however, combining various networks which operate on different standards exponentially
increases vulnerabilities. According to Idaho National Laboratory (2006), “multi-network
integration strategies often lead to vulnerabilities that greatly reduce the security of an
organization”. If utilities had the luxury of implementing a single-vendor, single-standard
environment they would; however, that will likely never be an option. The reality is that
equipment manufacturers are focused on individual pieces of the larger smart grid puzzle. Until
we have developed widely recognized standards that are economically feasible to adopt, the
industry will be stuck in a vicious circle trying to balance proprietary vendor technologies with
increasing cyber threats.
From the utilities' perspective a critically important security issue lies with the alarming
increase in known vulnerabilities in the systems and networks that we depend on. Consider the
Night Dragon case (McAfee Foundstone Professional Services and McAfee Labs, 2011).
Night Dragon, code-named by McAfee, emerged in November of 2009 in the U.S., Greece,
Kazakhstan and Taiwan. According to McAfee Foundstone Professional Services and McAfee
Labs, China was the origination point of this attack, which exploited various utility companies
targeting important proprietary information. The attack used the following methods to
compromise and infiltrate systems:
• Targeted command and control systems (in the U.S.) using social engineering techniques which
confuse operators into erroneously providing information such as usernames and passwords.
• Used remote access tools (RATs) and other available hacker tools (like ASPXSpy and WebShell)
to compromise and penetrate security systems.
• Used SQL injection to compromise firewalls and database systems.
• Gained access to executive workstations and other sensitive devices (all running Windows
OS) using credentials gathered through social engineering efforts and known Windows
exploits.
The attack suggests that victim utilities did not follow a defense-in-depth security
approach. The practice of isolating critical control systems using basic firewall configurations,
considered by many utilities to be their cyber-security savior, is an antiquated practice when used
alone, and it was easily defeated by the Night Dragon attack using common tools and techniques
that take advantage of untrained and generally unaware users. This attack was sophisticated and
deliberate in nature, indicating that basic measures for securing critical systems are not enough.
SCADA systems which sit at the heart of most utility company operations are
increasingly targeted due to their known reputation for lackadaisical security controls. In 2010,
Stuxnet revealed exactly how critical systems can become crippled by sophisticated attacks.
Stuxnet is “malware made specifically for sabotaging SCADA processes using PCS7 and
Siemens WinCC control systems” (Byres, Ginter, & Langil, 2011). The Stuxnet attack, which
targeted nuclear power plants in Iran, propagated using multiple vectors including USB flash
drives, infected PDF files and unpatched hosts. Apart from considering all of the possible attack
vectors used, it is important to know that the targeted machines used for command and control of
the worm were mainly Windows based. The worm took advantage of Windows vulnerabilities in
order to infiltrate the network, targeting specific models of Siemens control systems. The attack
was not detected by antivirus software since signatures did not exist at the time of the attack.
Furthermore, the sophisticated design of the Stuxnet worm allowed it to “live on the victim’s
network for a long time undetected while penetrating all the way through to reach critical control
systems.” (Malcho, Harley, Rodionov, & Matrosov, 2010) Many security researchers who have
examined the Stuxnet worm believe it would successfully infiltrate utility networks in the U.S.
today even if the victims followed all of the standards outlined by Siemens in their security best
practices documentation. The Stuxnet attack is a clear indication that highly sophisticated and
targeted attacks are a reality today. Utilities must not wait until the next attack occurs on a U.S.
facility to take serious measures to secure their environments.
3.2 Regulators
Regulators have always played an important role in directing and shaping the landscape in
which utilities and equipment manufacturers operate in any industry. In 2007, the Department of
Energy was directed by the Energy Independence and Security Act to “modernize the nation’s
electricity grid to improve its reliability and efficiency.” (DoE, 2010) Since then, utilities and
manufacturers have scrambled to begin shaping this new and rapidly changing environment now
called the smart grid. This monumental task comes with great risk. Cyber-security
considerations were not heavily measured when initial policies emerged directing and shaping
the smart grid. Focus has improved; however, it is increasingly clear that confusion and gaps
among interested parties are prohibiting progress. The following diagram, presented in a Department
of Energy briefing in March of 2011, visually depicts a confusing and difficult-to-follow landscape.
Figure 1 below depicts government entities at the state and federal level, working groups,
commissions, industry associations and utilities.
Figure 1: Cyber Security Standards / Requirements relationship map (Hunteman, 2011)
As the title suggests, this map depicts the relationships between organizations involved in
developing standards for manufacturers and utilities to follow in order to secure the smart grid.
Context is missing from this diagram; however, in the briefing Mr. Hunteman specifically
highlights several key challenges to addressing cyber-security for the smart grid, which include
inconsistent standards at the federal, state, and local levels; significant gaps between
implementation of policies by federal and state agencies; and a lack of clearly defined roles and
responsibilities for cyber-security in the smart grid. This sentiment is shared by several utilities
and equipment manufacturers who responded to the DoE’s request for comments on addressing
policy and logistical challenges to smart grid implementation. For example, Edison Electric
Institute states in their response that “there is insufficient coordination among the many
independent groups doing testing, or proposing to do testing, and that there should be a certifying
body to oversee compliance with testing and certification procedures.” (EEI, 2010) Others such
as Cisco Systems commented that “various federal agencies involved in the creation of the Smart
Grid and the standards on which it will be based can and should address risks as early as
possible.” (Cisco, 2010) The Department of Energy web site contains over seventy-five
responses from equipment manufacturers and utilities, many of which repeat this sentiment.
We can say a few things with certainty regarding the organizational structure of the
regulatory environment and smart grid cyber-security today. First, Congress has directed the
Department of Energy to lead the charge with development and implementation of the smart grid
including cyber-security related issues as discussed above. Second, Congress has charged the
National Institute of Standards and Technology (NIST) with developing standards for smart grid
technology and implementation. NIST issued standards and/or best practices for smart grid
security in a 2010 document. The policy is a good attempt to lead utilities and equipment
manufacturers in the right direction; however, several key pieces of information were not
addressed. In the January 2011 Government Accountability Office (GAO) report titled
“Electricity Grid Modernization” the GAO states that while NIST efforts to include missing
pieces to policy are underway, “the plan and schedule are still in draft form.” “Until the missing
elements are addressed, there is an increased risk that smart grid implementations will not be
secure as otherwise possible.”
The Federal Energy Regulatory Commission (FERC) is a federal yet independent agency
similar to the Federal Communications Commission and is charged with “regulation of public
utility transmission and sales” (Greenfield, 2010). This is an oversimplified description of FERC's
responsibilities, but in their own words, FERC's authority to regulate does not include local
distribution or resale. If the smart grid is supposed to be an end-to-end system, this policy must
change.
The National Energy Reliability Commission (NERC) which is designated by FERC to
develop reliability standards for bulk power generation and transmission within North America
has published seventeen cyber-security guidelines to date. These guidelines fall under their
Critical Infrastructure Protection (CIP) standards addressing critical asset identification, security
management controls, personnel and training, electronic security parameters, physical security,
systems security management, incident reporting and recovery management. NERC, according
to its Chief Information Officer Mark Weatherford, believes that CIP standards are having an
impact. Industry experts agree with one caveat, which is that “utilities are focusing on regulatory
compliance instead of comprehensive security” (GAO, 2011). Regardless, NERC regulatory
oversight governs bulk power generation and transmission only. To date there is no uniform
regulation or cross-cutting authority given to any agency to provide a common direction and
oversight to smart grid cyber-security efforts.
3.3 Equipment Manufacturers
Equipment manufacturers have an important role in assisting utilities and regulators in implementing
smart grid technologies. Similar to auto and computer manufacturers, they are the subject matter
experts for the systems they sell and support. As such they play a key role in the development
and deployment of robust end-to-end cyber-security technology and policies with respect to the
smart grid. During the onset of smart grid deployment, many service providers and
manufacturers considered security relevant only to smart metering, thus ignoring the attention
required for automation, substation, control systems and SCADA. Recent events such as
Stuxnet, already discussed in this paper, have reinvigorated attention to these critical control
systems that sit at the heart of power utilities.
It is not immediately clear what specific security concerns equipment manufacturers
have. For the purpose of discussion we consider open source information from Siemens, Cisco
and others, who all provide systems critical to the smart grid. Several manufacturers produce
SCADA systems. One of the major players is Siemens, who develops hardware, software and
networking equipment for utilities. Siemens happened to be the vendor whose systems were targeted
by Stuxnet; however, this paper in no way intends to cast blame on Siemens alone for the exploits
used by Stuxnet. A common Siemens control system is the SIMATIC PCS 7 product suite, primarily
a Distributed Control System (DCS) automation technology for process control systems, which is
developed around a defense-in-depth strategy. The system uses security features like
automated Windows security patch management, remote access using IPSec and VPNs, virus
scans and firewalls, time synchronization, user and access rights, Active Directory and work
groups, network management, disaster recovery and system segmentation. Siemens has a
published framework describing best practices to secure their systems. Unfortunately this
framework is “not often implemented in practice” (Byres, Ginter, & Langil, 2011) according to
reports describing how Stuxnet infected and damaged critical control systems.
Cisco Systems, a manufacturer of enterprise-level network devices, strongly
believes that in order to approach the modern smart grid infrastructure, “a comprehensive
security architecture is a must that has improved integration of diverse digital devices, increased
use of sensors, layers of physical and cyber security integrated across all operational aspects of
the grid.” (Cisco, 2010) Cisco, like Siemens, has developed its own security framework with
best practices as they see them for securing the smart grid. Figure 2 depicts the Cisco approach
for developing a smart grid security plan.
Figure 2: Cisco Grid Security Implementation Model
This model loosely depicts the idea of wrapping layers of security around critical
infrastructure. Cisco’s report goes on to describe their technologies and implementation
strategies to protect and defend critical infrastructure. The challenge with the Cisco model, along
with Siemens' or others', is applying it to an environment where multiple vendor technologies
exist. In many cases, the interoperability gap will interfere with best practices described in their
security guideline framework. Equipment manufacturers need to continue working on
development of interoperable standards for the safety and security of the smart grid. In an ideal
scenario, equipment manufacturers providing equipment for all portions of a utility network
would be drawn into the plant development process in order to deliver a robust end-to-end
security framework. This is a utopian scenario which assumes that manufacturers will work
together in harmony and openly share information that is oftentimes considered proprietary and
sensitive in nature. We know this will likely never happen; however, if manufacturers knew that
utilities would generally choose a manufacturer based on their ability to integrate whole
solutions which incorporate cross-brand solutions, manufacturers would start working towards
common standards. Cisco highlighted this in their response to the DoE’s RFI noting that “the
convergence of networking industry participants on the TCP/IP standard was critical to the rapid
evolution of the internet.” (Cisco, 2010) Similar behavior on the part of smart grid
manufacturers will “play the same role in the emerging Smart Grid, by ensuring that utilities and
their customers will benefit from choices among standards-compliant devices that together will
comprise the Smart Grid.” (Cisco, 2010)
4 Recommendations
Through our analysis of the stakeholder positions, we concur with statements made in the very
recent report released by the Government Accountability Office. Specifically, we believe that
“key players have to work together as a team” (GAO, 2011) in order to secure the smart grid.
Figure 3: The Vicious Circle of Smart Grid Security
Figure 3 above graphically depicts the vicious circle of smart grid security as we see it
today. Starting with utility companies, we see policies and requirements put in front of them by
regulators which do not always come with clear direction or a supporting business case. Moving
clockwise around the circle we see equipment manufacturers who are working to respond to the
needs of utility companies demanding secure, cost-effective and flexible solutions, but do not
have a clear understanding of what is required or which standards to develop against. Finally, we see
regulators working to develop and provide smart grid standards and security measures to
manufacturers while pushing utilities to modernize and deliver the smart grid to society. It is a
difficult problem that will take some time to correct.
We recommend the following actions at a minimum to help correct the security crisis that
we are facing with respect to smart grid implementation:
i. Appoint or nominate a single authority with national reach to assess and measure
compliance with security standards developed by NIST, NERC and any other federal
authority appointed to develop cyber-security standards. This authority should have
the ability to evaluate the entire grid from SCADA system to the household meter.
ii. Reconsider the timetables outlined in guidelines used by utilities to secure government
assistance in deployment of smart grid technologies. The sense of urgency to meet
these deadlines to acquire funding is causing utilities and manufacturers to rush
through what should be carefully thought out security plans and implementation
testing.
iii. Create a testing and certification body which independently tests and evaluates
systems and technologies to ensure security and standards compliance. Regulators
(governments) must clearly define standards for the testing body to use. Utilities
and equipment manufacturers must participate in the development of these standards
without bias. Leverage the process used by the Department of Defense to test and
certify communications systems (Joint Interoperability Testing and Certification).
iv. Develop an anonymous reporting and discussion forum where utilities,
manufacturers, government entities and possibly law enforcement authorities can
exchange information and ideas freely without fear of recourse.
5 Conclusion
The cyber threats that we face today are very real and dangerous. We know that cyber-
attacks like Night Dragon and Stuxnet will continue to occur as networked technologies are
integrated with the power grid. We also know that new cyber vulnerabilities are emerging with
increasing frequency. Overcoming these challenges will require the entire smart grid industry
from utilities to equipment manufacturers to regulators to work together to form a secure end-to-
end power grid. Having explained the challenges faced by three of the key players, we hope that
our recommendations will generate more action across the industry at a minimum. Security is
paramount and we are all responsible for ensuring it is sufficiently addressed to make the smart
grid a reality.
Acknowledgement
Our research project was successfully completed with the efforts and guidance of numerous
people from academia and industry alike. We would like to thank our project mentor, Jose
Santos and advisor Prof. Stephen Barnes for all their time and valuable insights throughout every
stage of our project. We had two amazing opportunities to speak with the chief Cyber Security
advisor at the Department of Energy, Mr. William Hunteman and the Chief Security Officer at
the National Energy Reliability Corporation (NERC) Mr. Mark Weatherford. Each provided
volumes of important insight from multiple perspectives. They each provided some level of
confirmation of conclusions that we have drawn throughout this paper. We would also like to
thank Arun Gerra, Security Engineer at Alchemy Security, LLC for his inputs and industry
perspective of smart grid security. Finally, we would like to take this opportunity to sincerely
thank Prof. Tim Brown for all his patience and detailed guidance in completing this paper.
References
Bigger, J., & Willingham, M. (2005). Critical Infrastructure Protection in the National Capital Region.
George Mason University.
Byres, E., Ginter, A., & Langil, J. (2011). White Paper: How Stuxnet Spreads. Multiple Cities: White
Paper.
Cisco. (2010, April 3). Cisco Smart Grid Security Solutions. Retrieved April 4, 2011, from Cisco.com:
http://www.cisco.com/web/strategy/docs/energy/CiscoSmartGridSecurity_solutions_brief_c22-
556936.pdf
Cisco. (2010). Comments of Cisco Systems to Office of Electricity Delivery and Energy Reliability
Department of Energy. San Jose: Cisco Systems.
Clements, S., & Kirkham, H. (2010). Cyber-security considerations for the smart grid. Power and Energy
Society General Meeting, 2010 IEEE, (pp. 1-5). Minneapolis.
DoE. (2010). What a Smart Grid means to our Nations Future. Washington D.C.: U.S. Department of
Energy.
EEI. (2010). RE: Smart Grid RFI: Addressing Policy and Logistical Challenges to Smart Grid
Implementation. Washington D.C.: Edison Electric Institute.
GAO. (2011). Electricity Grid Modernization Progress Being Made on Cybersecurity Guidelines, but Key
Challenges Remain to be Addressed. Washington D.C.: United States Government Accountability
Office.
Greenfield, L. R. (2010). An Overview of the Federal Energy Regulatory Commission and Federal
Regulation of Public Utilities in the United States. Washington D.C.: Associate General Counsel
– Energy Markets 1 Office of the General Counsel Federal Energy Regulatory Commission.
Hunteman, W. (2011). Electric Sector and Smart Grid Cyber Security. Smart Grid Security East.
Washington D.C.: U.S. Department of Energy.
Idaho National Laboratory. (2006, May). Control Systems Cyber Security: Defense in Depth Strategies.
Retrieved from United States Computer Emergency Readiness Team: http://www.us-
cert.gov/control_systems/practices/documents/Defense%20in%20Depth%20Strategies.pdf
Lee, A. (2011, January 11). NIST and the Smart Grid. Retrieved from National Institute of Standards and
Technology: http://csrc.nist.gov/cyber-md-summit/documents/presentations/nist-and-smart-
grid_ALee.pdf
Leeds, D. J. (2010, February 10). The 2010 North American Utility Smart Grid Deployment Survey.
Retrieved from GTM Research: http://www.gtmresearch.com/report/the-2010-north-american-
utility-smart-grid-deployment-survey
Malcho, J., Harley, D., Rodionov, E., & Matrosov, A. (2010). Stuxnet Under the Microscope [White
paper].
McAfee Foundstone Professional Services and McAfee Labs. (2011). Global Energy Cyberattacks:
“Night Dragon” [White paper]. Retrieved from McAfee:
http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-
dragon.pdf
Mills, E. (2010, May 15). Money trumps security in smart-meter rollouts, experts say | InSecurity
Complex - CNET News. Retrieved from Technology News - CNET News:
http://news.cnet.com/8301-27080_3-20007672-245.html
Pike Research. (2010, February 4). Utilities to Invest $21 Billion in Smart Grid Cyber Security by 2015.
Retrieved from Pike Research: http://www.pikeresearch.com/newsroom/utilities-to-invest-21-
billion-in-smart-grid-cyber-security-by-2015
Smart Grid Request for Information and Public Comments. (n.d.). Retrieved from U.S. Department of
Energy: http://www.oe.energy.gov/Smart Grid Request for Information and Public
Comments.htm
Ten, W., Liu, C., & Manimaran, G. (2008). Vulnerability assessment of cybersecurity for SCADA
systems. IEEE Transactions on Power Systems, 23(4), 1836-1846.
Wheatman, J. (2011, February 16). Why Communication Fails: Five Reasons the Business Doesn't Get
Security's Message. Retrieved from Gartner: www.gartner.com/DisplayDocument?id=1549927