Thursday, April 30, 2009

Forbes Chimes in on Smart Grid Security

Just ahead of Congress' release of draft legislation intended to protect the grid, Forbes mag yesterday discussed the timing and motivation for the "Critical Electric Infrastructure Protection Act (CEIPA), a bill aimed at tightening the cybersecurity of the U.S. power grid."

In particular, this part of the Forbes article will resonate for anyone involved in web security:
Josh Pennell, IOActive's chief executive and founder, argues that smart meters in general are being pushed to market too fast to build them securely. "What you have is a highly accelerated product space," he says. "Smart-grid systems are being designed like it's 1990, as if everyone with access to them is our friend."
Well said.

Wonk's Take on Smart Grid Security

Some good points in this one, including:
The requirements are different enough for this sector that funding for cybersecurity research and implementation should be an integral part of the electricity grid stimulus spending.
Sounds like a case for not trying to bolt security on after the fact. Hmmm ... novel approach.

Wednesday, April 29, 2009

NERC's Critical Infrastructure Protection (CIPs) in Detail

Often you'll see the 8 CIPs by title in a list:
  • Critical Cyber Asset Identification
  • Security Management Controls
  • Personnel and Training
  • Electronic Security Perimeters
  • Physical Security of Critical Cyber Assets
  • System Security Management
  • Incident Reporting and Response Planning, and
  • Recovery Plans for Critical Cyber Assets
If you'd like to drill down deeper on any or all of the above, this NERC page is where you want to go (note: you'll have to select the CIP tab when you get there; I can't do that for you).

IEE Maps out Smart Grid progress

See how your state is doing versus the rest on the Smart Grid incentives map and utility scale smart meter deployment map created by the Institute for Electric Efficiency.

Tuesday, April 28, 2009

Discovery's Top 10 V2G Round-up

If/when electric cars become an important smart grid storage or load balancing component, the security ramifications get ratcheted up. In the meantime, small pilots with a comparative handful of electric or hybrid-electric cars are hitting the street. See here for a nice overview.

Photo: Discovery Communications

Monday, April 27, 2009

NPR on Electricity in America

Airing this week, this series looks (or perhaps, sounds) promising.

EPRI's Standards Roadmap Role

In case you missed it, here's the press release that announced NIST's selection of the Electric Power Research Institute (EPRI) as the lead org for building the "Interim Roadmap". With so many different players, formulation of, and agreement on, common standards may be the biggest obstacle facing a successful smart grid build-out. Good luck, EPRI!!!

Smart Grid Security via Open Platforms

In a recent BusinessWeek article, Pacific Crest Securities analyst Ben Schuman maintains that open platforms are one way to bring security to the smart grid:
the most robust security systems out there are largely based on already established open standards. In order for third-party developers to be able to contribute their best solutions to a smart power grid, it must be based on an open platform as well.

Sunday, April 26, 2009

Smart Grid and DOD's Global Information Grid (GIG)

Some very interesting architectural comparisons and analogies.

Smart Grid Security Webinar Coming Up

Some heavy hitters will be on this paid webinar May 1st, though other than Michael Assante, the NERC CSO, not sure how strong their smart grid security credentials are.

Saturday, April 25, 2009

Food for Thought and Tradeoffs

Discussed here.

FERC Smart Grid Draft

FERC's smart grid policy draft (PDF) is open for comment until May 11th. A NIST/EPRI webinar last week revealed that cyber security has seen its importance bumped up recently, and now a security working group has been created. Here are a couple of notes on where to find the cyber meat:
  • Sections 13-15 cover Cyber security and Reliability
  • Section 13 of this doc references 8 recently approved smart grid security measures. You can find them listed here
  • Sections 29-31 address System Security
  • Lastly, security-oriented filings guidelines are addressed in sections 45-48

Thursday, April 23, 2009

Wellinghoff Throws Down Smart Grid Gauntlet

I got to meet FERC Chairman (then a commissioner) Jon Wellinghoff last year at MIT. Smart, generous, balanced. That's how he came across to me.

Two days ago, on the subject of additional coal and nuclear plants for the U.S., he told the world, "We may not need any, ever." He went on to say that new supply side tech (renewables) and demand side technologies and policies (smart grid) would likely obviate the need for more old school forms of generation.

If this idea gains traction, it could bring the smart grid to fruition sooner than later ... with less time to hammer out all the attendant security standards, policies, etc. See what I'm saying?

Here We Go Again: Smart Grid Security Equivocation

Oh brother:
Adding security to smart grid projects is another likely area of focus. The need for security was highlighted earlier this month, after unnamed national security officials told the WSJ that cyberspies had penetrated parts of the nation's grid system and left behind software meant to disrupt it. But justifying expensive security on a cost-benefit measure could be difficult for those developing projects seeking stimulus funding, said Frances Cleveland, president of Xanthus Consulting International.
Here's the article in full.

Wednesday, April 22, 2009

Danahy: Not So Shocking News on the Grid

JD: Last Wednesday, the Wall Street Journal announced "US Electricity Grid in US Penetrated by Spies." While this is not good news by any stretch of the imagination, it may be a stretch to consider it new. 

Read full post here.

Wednesday, April 15, 2009

Danahy: Old Security Habits and the New Smart Grid

JD: This weekend brought us a new security vulnerability message about next generation power, wrapped in the traditional trappings of today's Internet and cybersecurity messaging. The CNN headline reads "'Smart Grid' may be vulnerable to hackers" and the story looked like any of a hundred similar flags waved over software applications, newly delivered services, government infrastructure, etc.

and ...

I think that model is wrong. I am not saying that third-party testing isn't important, but it misses the underlying problems that have allowed the insecure system to exist in the first place. Systems like the Smart Grid need to be developed with a fuller understanding of the purpose, threats, and environment in which these components will be working.