
Protecting the power grid

By Tiaan van Schalkwyk, Senior Manager: Risk Advisory, Deloitte.


Johannesburg, 16 Jul 2013

The environment of power utilities has become more complicated as utilities embrace digital forms of interchanging information with stakeholders, and because of supply-and-demand optimisation enabled through smart meters for consumers. However, with this comes the added responsibility of ensuring that cyber security requirements are met in order to avoid the potential malicious disruption of power supply that could cripple the economy of a country, says Tiaan van Schalkwyk, Senior Manager: Risk Advisory, Deloitte.

In South Africa, load shedding remains an ongoing concern - more so because the country still has several weeks of winter left. What the utility and municipalities do not need is cyber security attacks compounding any issues that may already exist around the availability of power.

Smart metering enables better participation of the consumer in the drive to reduce consumption, but provides an easy access point for potential malicious users. The smart meter sits at an individual's house or at an office, and ordinarily has very little security around the device (physically and digitally). Historically, utilities had closed networks that could better protect such devices. Today, unprotected smart meters are more open to attack because they use Internet communication protocols to transmit information to the provider.

Adding to the threat is the rise of hacktivism in which cyber attacks (hacking) are not for financial gain but are politically motivated. There is a real possibility that these hacktivists could align themselves to labour or other socio-political causes and target the smart metering system.

If cyber attackers, or any other malicious individuals or groups, affect the smart metering ecosystem in South Africa, then there is a very real risk to the reliability of electricity supply that could have a significant detrimental economic impact on the country and the region. Fortunately, there are measures that can be taken to protect electricity supply from cyber attackers. As a starting point, consideration must be given to extant and emergent international security standards that have originated as a direct result of cyber threats. These standards include the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), and the ISO/IEC 27032 Guideline for Cyber-security.

Utilities worldwide need to be aware that while the physical threat remains, the digital one is just as significant. This is especially true given the growing use of mobile devices and USB storage devices by service engineers in the field. While convenient for collecting and submitting information, each of these is an external device that is as vulnerable to attack as any other. Thus, not only do the physical parameters need to be protected, but also the network and the mobile devices.

To be truly effective, utilities need to be sufficiently aware to know immediately when someone is attempting to hack into their systems. The level of preparedness must empower the utility to contain, monitor and repair any damage on the same day. While the identity of the attacker or group of attackers might not always be determinable, the question is how resilient the organisation is and how quickly operations can be restored to a desirable state, damage limited and remedial action taken.

Furthermore, in the age of smart meters, utilities are not only protecting themselves from attack, but are also protecting the information of their customers. This information could be used to determine behavioural patterns, such as when consumers are not at home. In many jurisdictions, soon to include South Africa, this information poses a significant risk under legislation protecting personal information.

Utilities, therefore, have an important role to play in protecting not only themselves, but also the economy of the country. An important step is to acknowledge that there is a need for cyber security and then determine what forms of attack are being perpetrated by malicious individuals or groups. By doing so, an internal skill set can be built to counteract the threat.

Ultimately, standards and regulatory compliance that consider cyber security in its entirety need to be put in place. The consequences of not taking security seriously are too significant to ignore.


(c) 2013 Deloitte & Touche. All rights reserved. Member of Deloitte Touche Tohmatsu Limited.
