During World War II energy security meant access to oil for our fighting troops. Years later the 1970′s oil crisis highlighted our supply risk with the Middle East.
Post September 11th, with terrorism on the top of Washington’s agenda, the US connected energy to national security, taking steps like fortifying entrance points to nuclear power plants and natural gas storage facilities and building added physical protection for our electric grid infrastructure. Last week’s gunfire attack on PG&E’s San Jose substation was likely the type of event they were anticipating.
By 2009, as stimulus dollars funded new smart grid rollouts, reports highlighting the new risk of cyber-terrorism for our electric grid surfaced. A group of senators and congressman pushed to get the Department of Homeland Security and FERC involved, setting standards which better would protect it. In his 2012 book Quest: Energy, Security and the Remaking of the Modern World, Pulitzer-Prize winning author Daniel Yergin detailed this emerging risk, calling it ”cyber-vulnerability.”
And it is this energy security theme which is quickly becoming more visible in 2014.
Cyber threats are not new. What’s new is the appreciation for risk to new networks being utilized for energy related systems. Like most security themes all it takes are a few events to get an issue on top of everyone’s agenda.
Where a decade ago the US was busy constructing a second layer of barbed wire fencing around nuclear plants, the 2010 Stuxnet worm attack come throughout the wires, specifically targeted Iran’s nuclear infrastructure through it’s Siemens energy control systems. It later reached Russian nuclear plants as well.
Last week’s revelation that 70 million Target customers were compromised through an HVAC vendor’s network was revealing. The HVAC contractor later clarified that back door network access came not through an HVAC monitoring system, but through their access to Target’s vendor portal for billing & project management. However, the most telling quote was the contractor’s description that it’s level of security protection was “industry standard.”
At Groom Energy we’ve seen our customers increasingly point us towards installing completely separate networks for energy management applications. Corporate IT doesn’t like providing access for outside vendors and building management teams prefer to avoid the battle. While installing secondary networks adds cost, the latest wireless HVAC, lighting, metering and energy monitoring systems are now designed to operate on a standalone basis and bring lower installation costs than even just three years ago.
Our friend Paul Baier, VP of Products at First Fuel, tells us that they too are seeing more security audit requirements from their utility and corporate customers. While First Fuel only needs access to monthly interval cost and consumption data to power their energy audit and monitoring application, customers are now holding them accountable to the security standards associated with Personal Identifiable Information (PII).
Security challenges become even more daunting in the residential market, as smart meter and internet-based thermostat installations roll on. Here mom and dad are the IT security consultants.
Residential smart meters have already sparked health, safety, privacy and even risk of fire concerns – but you have to be entertained when folks are publishing “how to” guides on hacking these newly installed digital meters.
And think about your Nest thermostat. Google’s Nest system already has perpetual internet access to over 1 million homes. Backend network access could provide open visibility to all of your home’s computers, Nintendos and iPhones.
But in a world with so many systems at risk for cyber attacks maybe it’s only fitting that energy technology, a growing new market, gets the attention it deserves – and becomes one of the newest cyber-targets.