By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services
Smart Grid (SG) is, in a word, complex; and complexity is security’s nemesis. The greater the diversity of systems, devices and their interactions, the wider the spectrum of potential errors, gaps and avenues of attack, and, more importantly, the greater the potential impact of a security breach. SG is anything but a “greenfield” scenario; it represents the convergence of everything from cutting-edge technologies and internetworking to vast legacy systems and processes.
To address some of the security-related challenges, many SG solutions are focusing on network security and the protection of data in transit by employing VPN and network authentication mechanisms. VPN technology, such as IPsec, provides the means to encapsulate other protocols, such as ICCP, DNP3, etc., and messages (MMS), such as GOOSE, GSSE and the like, providing a common TCP/IP infrastructure that promotes interoperability.
In order to provide a common layer of security to support device identification, authentication, authorization, and foundational elements for establishing encrypted communication, many SG device and solution providers are, understandably and rightly so, relying on public key certificates.
Certificates have been around for decades and have been the backbone of many security solutions. It is not uncommon to assign multiple certificates to a single entity, such as a device, system, and even a user, to support different security services for data protection, digital signatures, email, communications and authentication, to name a few.
The value of using multiple certificates has not eluded SG solution providers in their security strategy. In fact, there are a number of smart meter vendors that have implemented as many as five separate certificates into each device; some as many as eight.
Of course, the digital certificate is only the tip of the spear; certificates are the end result of a sophisticated certificate and key management system – the public key infrastructure (PKI).
Although certificates themselves are not complicated, they are the manifestation of trust that must be managed to a high degree of competency because without trust, the fabric that gives meaning to the security of certificates can completely unravel.
The level of effort in managing a PKI can typically be correlated to the number of certificates provided by the system. Although even a small number of certificates demands a sophisticated and comprehensive PKI, the demands placed on an organization are inexorably tied to the volume, type and policies of the certificates.
With this in mind, we must consider what this means in the SG space.
There are several industry projections concerning the number of smart meter deployments to homes. For example, in the United States some estimate 12 million homes will have smart meters before 2012, with similar projections for the United Kingdom by 2014 — but this is just the tip of the iceberg. Projected investments in the United States are $1.5 billion by 2015, which is just a part of the $21 billion projected globally (though CNET just released higher figures). According to the Brattle Group, meeting the Department of Energy’s (DoE) projection will cost $1.5 trillion between 2010 and 2030 to build the future utility infrastructure. The United States alone – according to the current census – has more than 120 million homes, a number that will certainly increase significantly by 2030.
Big numbers, and growing fast. But to see even bigger numbers, think about the number of certificates. Twelve million homes by 2012 in the United States translates to 60 million certificates – and that’s just for home meters. It doesn’t include all the other systems and devices in other parts of the SG and in the commercial and industrial sectors. Fast forward to 2020, when in the United States alone there may be as many as 50 million homes with smart meters, making for potentially 300 million certificates in smart meters. Globally, by 2030, we could see certificates well into the trillions.
The DoE summarizes the SG challenge perfectly in its report, “The Smart Grid: An Introduction,” published in late 2008: “It is a colossal task.” As such, and understandably so, organizations all over the world are focused on the great number of foundational characteristics that are necessary to make SG a reality in the coming decades. However, an equally important and enormous feature of SG that isn’t being addressed today is building a PKI that can effectively oversee hundreds of millions of certificates.
Without a comprehensive PKI based on a unified national strategy and policy, the root of SG security that is required to protect a national asset and critical infrastructure will become unmanageable and ineffective.
In my opinion, employing certificates is the right thing to do, and we shouldn’t allow the vast numbers to deter us or lead us to potentially introducing lesser security to take an easier path. It will be a challenge, but well within the capabilities of nations to address.
However, we must start now, or the challenge will become insurmountable.