The NIST report is an attempt to assess such threats. The vulnerabilities that are listed in the report were gathered from existing research and security documents including NIST's own guide to industrial control systems security and the Open Web Application Security Project (OWASP) vulnerabilities list.
It looks at vulnerabilities that can arise during the operation a smart grid as well as on problems such as authenticating and authorizing users to substations, key management for meters, and intrusion detection for power equipment. The report also considers vulnerabilities arising from inadequate patch; configuration and change management processes; weak access controls; and lack of risk assessment, audit, management, and incident response plans.
Vulnerabilities associated with bad software coding practices, including input validation errors and user authentication errors, can also pose a risk to the integrity of a smart grid, the report said.
The real-time, two-way communication between consumers and suppliers in a smart grid also raises several privacy concerns, the NIST report noted. One major issue that needs to be addressed is the data that will be collected automatically from smart meters. There needs to be more of an understanding of how that data will be distributed and utilized throughout the smart grid system, the report said.
"In the current operation of the electric grid, data taken from meters consists of basic data usage readings required to create bills," the report said. "Under a smart grid implementation, meters can and will collect other types of data," some of which could be personally identifiable information that needs to be protected with strong privacy controls it said.