Skip to main navigation

Plug in - Cybersecurity - EY - Global

Plug in

Cybersecurity: how safe is your smart grid?

  • Share

Smart technology brings many benefits for utilities and customers, but has enough attention been paid to security? Jose Granado reports.

Power and utility companies face increased risk of cyber attack through convergence of real-time operational technology (OT) and enterprise information technology (IT) environments, and initiatives such as the smart grid and advanced metering (AMI) technology.

OT systems used to be isolated or “air gapped” networks on proprietary systems. Increasingly this is changing as standard IT technologies are introduced via routes such as an Internet connection and enterprise IT networks. This increases exposure to security threats, and the need for a more thorough approach to security.

Take action to protect your system

It’s time to adjust cybersecurity strategies to defend rapidly evolving OT environments from attack. Systems must be able to detect and respond to security incidents, such as internal and external attacks, and malware, such as the Stuxnet worm.


Our IT risk professionals recommend ten measures to achieve this:

  1. Co-develop and implement an internal controls system (ICS) cybersecurity program focused on identifying risks, not just regulatory compliance
  2. Build a cross-functional cybersecurity team to develop and manage the program
  3. Create and maintain an OT environment asset inventory
  4. Develop security policies and standards specific to ICS devices and IT systems connected to the OT environment
  5. Understand and validate all connection points between the IT and OT environments
  6. Use predictive threat modeling driven by the OT environment asset inventory to find and assess threats and vulnerabilities
  7. Apply controls or countermeasures to hinder an attacker, detect their activity and respond to attacks
  8. Perform production systems and network security reviews of the OT environment, including penetration tests
  9. Consider ICS security requirements in the vendor management process
  10. Develop and implement training and awareness programs linking safety and availability with good cybersecurity practice.

Understanding smart grid vulnerabilities

Smart grid advances are a significant driver in the transformation of the internal control system (ICS) environment. The grid’s complexity and the interconnection of ICS and enterprise networks present increased security risks.

Removing physical or logical borders between network segments also increases the potential threat of malware and other attacks.

Inevitably, smart grids have more entry points and paths for attackers. Implementing wireless technology in an AMI may also allow undetectable interception of wireless traffic.

Protecting smart grid infrastructure

To protect their smart grid investments, P&Us should determine their current level of resistance to attack, and take action to protect systems. This review should include network architecture; information flow patterns and use techniques; remote access management; and the security of the infrastructure’s components (e.g., applications; operation systems used on servers; field devices such as RTUs and IEDs; engineering field networks).

Penetration testing, which involves performing manual and automated tests to identify vulnerabilities, can help find control gaps and risks to the ICS environment. We help you consider factors such as goals, top threats, how systems are connected, who to involve, and protocols for communicating results.


The dynamic nature of cybersecurity and the convergence of OT and IT environments have reshaped the threats facing P&Us. Smart grids and AMI metering have further increased risk and companies must develop a strategic response.

Developing an effective defense that uses both preventive and detective countermeasures takes time and resource. Strong executive leadership will be needed to prioritize resources and create a security program that will stay effective in this rapidly changing landscape.

For more information

Attacking the smart gridRead our technical briefing, Attacking the smart grid: Penetration testing techniques for industrial control systems and advanced metering infrastructure December 2011.

Bringing IT into the foldRead our technical briefing, Bringing IT into the fold: Lessons in enhancing industrial control system security, January 2012.

« Previous | Next »

1"Brazil, Argentina to create company for electric projects – report," Dow Jones International News, 17 February 2012, via Dow Jones Factiva.

2Matthew Daly, "First new nuclear plot in three decades is approved," Associated Press, 10 February 2012, via Dow Jones Factiva.

3"Sweden-Norway green tags market to take shape over several years, observers say", Renewable Energy Report, 20 February 2012, via Factiva.

4"Power-profit collapse threatens German gas-plant closures", Mist News, 8 March 2012, via Factiva.

5"Country to Ink Power Projects With Six Countries," All Africa, 3 January 2012, via Factiva, ©2012 AllAfrica.

6"Arab countries study pan-Mena energy market," Al Bawaba, 27 February 2012, via ISI Emerging Markets.

7"Chinese power firms rev up European shopping binge," China Business News, 10 February 2012, via Factiva, ©2012

8"Coal India to sign supply guarantee agreements," Financial Chronicle, 15 February 2012, via Factiva, ©2012 Deccan Chronicle Holdings Ltd.

9"UPDATE 1-S.Africa plans more funding for nuclear plants," Daily News, 29 February 2012, via Factiva, ©2012 Independent Newspapers (Pty) Ltd.

10"REFILE-S.Africa goes big on nuclear a year on from Fukushima," Reuters News, 9 March 2012, via Factiva, ©2012 Reuters Limited.

11"Japan reported to be in talks with potential US LNG exporters," IHS Global Insight Daily Analysis, 2 March 2012, via Factiva, ©2012 IHS Global Insight Limited.

12"Japan Still on LNG Buying Spree," International Oil Daily, 21 February 2012, via Factiva, ©2012 Energy Intelligence Group Inc.

13"RI-Malaysia power trade to begin 2014," The Jakarta Post, 28 February 2012, via Factiva, ©2012 The Jakarta Post.


Contact us

Jose granado

Jose Granado
Americas Practice Leader, Information Security Services
+1 713 750 8671

Jose Granado Jose Granado

Jose is the America’s Practice Leader for Information Security Services within EY. He has more than 20 years experience as a leading advisor and speaks frequently on Information Security Services to government, Fortune 500 companies, professional bodies and the media. Jose built the firm’s first Advanced Security Center, which tests client systems for security vulnerabilities and provides recommendations for remediation.
EY - Download Plug in July 2012 as a printable document

EY - Cyber security – how safe is your smart grid? (July 2012)




Download our new mobile app for iPad®, iPhone® and Android.

Back to top