The opportunity to integrate security into the smart grid from the very beginning has already passed; however, most of the implementations have been small. Before larger implementations continue, such as the smart grid rollout in Miami, the security frameworks and initiatives surrounding the smart grid technology should be allowed to mature. While NIST is the proper organization to issue the security requirements, more granular requirements need to be addressed. Technology companies should not be left to determine which authentication mechanism to implement or what encryption key size to use. NIST should be responsible for determining these requirements.Not sure that can happen ... or can happen fast (or well) enough. My wish is that we'd use hundreds or thousands of more manageable microgrids as Smart Grid security pilots. Find out what works and what doesn't on a smaller scale, before bringing inadequate policies and technologies to bear on entire cities and regions. This would mitigate risk of large scale trouble, generate a heaping helping of new data, and give NIST more time to develop necessarily "more granular" standards in coordination with industry partners.
Saturday, August 1, 2009
Black Hat Smart Grid Security Paper Contends Security-Baked-In Window Already Closed
This paper, presented at hacker conference Black Hat this week by security consultant Tony Flick, lambastes government and industry for not bringing more rigorous security policy standards and enforcement regimes to the Smart Grid in the formative stages. And puts the onus on NIST to get things back on track stat: