Wednesday, September 30, 2009

Smart Grid Startups and Security: Round 2 from GridWeek

This post picks up up where we left off last week during GridWeek 2009, examining patterns that emerged from our talks with Smart Grid startup booth reps. Jack and I noticed that few of the startups are staffed with a dedicated security professional, and had tasked an existing player (CTO, Application Engineer, etc.) with the responsibility. Other exhibiting companies (Cap Gemini, Cisco, GE, ABB, Siemens, etc.) had booths too, but it seemed crazy to ask them if they employed dedicated security pro's, because of course they do, both for their internal operations as well as for their client-facing products and services.

Back to the startups. As you know, we like to pose questions ... so here are a few:
  • In a domain where security rigor is universally regarded as essential, how much security thinking is going on within these start-ups, and how long will the present level be enough?
  • Put another way, when you're a small but growing company in the Smart Grid software or hardware space, how long can you hold out before adding a full time security professional to your team?
  • Do you hire a security staffer once your development team reaches a certain size, say a headcount of ten, or should you put the security pro in place up front to help define the development process before you start writing real code?
  • Given the amount of innovation required in most of these companies, how reasonable is it to expect that the CTO can juggle all the technology balls he/she is responsible for, and do a good job on security tasks (which will often seem like a distraction) at the same time?
I liken this to the situation that faced large and medium companies approximately ten years ago, when it was becoming clear that as they embraced the Internet for new capabilities, they were inadvertently bringing a whole host of new risks and vulnerabilities on board. This is from CSO Magazine in 2001 on why to hire Corporate Security Officer and what he or she can do for you:
... a core responsibility of the CSO will be vulnerability assessment and risk management. Therefore the CSO should report to the COO or CEO. After all, the CSO will evaluate the technology environment and audit the security measures implemented by the CIO. It is in the company's and the CIO's best interest to have the CSO perceived as an impartial assessor of the technology environment instead of a possible rubber stamp .... Think of the CSO as the head of quality assurance for security.
In startup-land, there is no real need for C-level titles beyond CEO. But ignoring the titles, the functional benefits of a dedicated security staffer are clear, no matter what they're called. In other markets we have seen them labeled: Security Architects, Information Security Officers, Security Managers, Security Officers, Information Security Managers, etc. Depending on the offering and the market strategy, there's a mix of roles that these folks may fill, including ensuring the security of the company (its systems, processes and people) and the security characteristics of its products; hardware, software or both.

Hyperbole aside, we all know that the Smart Grid is an area of growing and inevitable security risk. If I'm a utility, and as such am a prospective new customer for a startup, and I'm held accountable to the highest security standards by those who regulate me, I'm going to be damned sure that I put prospective vendors through the ringer before bringing their technology in house. And if I'm a startup, while having a qualified security person on my staff is no silver bullet, our guess is they'll be more than worth their salary as the regulators press their security cases and the utilities/customers get more and more savvy about risk.

Smart Grid: Greener but no Greenfield

It is good to see the attention that the new NIST draft directives for the Smart Grid are getting in the press. Ordinarily, this type of draft release is not interesting enough to the general public to merit any real press, and ends up being a conversational target to the few who arrive interested in the space. Any mainstream attention comes much later in the cycle, as affected parties either applaud or complain.

One impression that I would like to correct is that the Smart Grid itself, and therefore, the challenges of Smart Grid security, is something being developed from scratch.

In Federal Computer Week, Bill Jackson calls out the following:
Deployment of a Smart Grid offers a greenfield opportunity because the existing grid, parts of which are 50 years old or older, was not designed to support alternative energy sources such as wind and solar power, and the two-way flow of energy and data. But this wholesale upgrade also makes it imperative that security be built in now, because the grid lifecycle is measured in decades rather than years, as it is for much of the rest of our information infrastructure. Equipment being designed for deployment now might not be replaced for decades.
There are so many capabilities within the Smart Grid that are new, and there is so much investment going into it, that it is completely understandable to conceive of the Smart Grid as the "new" grid, as opposed to the evolution of the "old" grid. The Smart Grid as a replacement is a misperception that we have seen often in our work on evangelizing smart grid security. The Smart Grid is not a greenfield, not a replacement infrastructure, and most definitely not a new grid. We always have to remember that the Smart Grid is a new way of leveraging, stabilizing, advancing, and enhancing, the OLD Grid.

The billions that have been made available through the Smart Grid Investment Grant Program, the additional billions that are pouring into development of renewables, transmission and distribution advancements, PEV's, and storage, are only a small fraction of the total picture when the nation's power infrastructure is viewed in its eventual entirety. As a result, when we are considering the security of the Smart Grid, we must always consider (as the NIST work does ) the existing grid. Whether we work to create more secure means to connect to it, or to actual revisit the older technologies and improve their protections, those challenges will likely be the most pressing, and the most complicated, that we need to solve.

Monday, September 28, 2009

What's on First: Insights in NIST's 1st Draft

Never will one mistake the complexities of the Smart Grid, and of undertaking the improvement of its protections, for a straightforward task in security and engineering. It presents an Augean stable of issues, and NIST has waded in with a legion of contributors, to first make sense of it all, and then to start handing out shovels.

In the first draft of their analysis, announced during Grid Week, Annabelle Lee and team have created a dense, but readable tome, numbering some 236 pages at present, entitled, Smart Grid Cyber Security Strategy and Requirements. I encourage you to read it, either on its own, or as an adjunct to the more general draft of NIST's Smart Grid guidance on interoperability. In the event that you are interested in some sense of where the emphasis was put, and are more engaged by the higher level issues of focus and risk, I did a bit of data reduction and reached some pretty interesting, if unintended ( and definitely scientifically questionable ) conclusions.

One of the techniques that NIST uses in creating a better means of discussing cyber security for the grid is to categorize the areas of likely risk and their impacts. This is very helpful, as there are myriad instances of connection between systems within the Smart Grid and some higher level abstraction helps to make the issues digestible. These 15 categories are defined within the document, as are the potential impacts to them ( Confidentiality, Integrity, Availablity ), and their levels ( High, Medium, Low ) using established definitions from the venerable FIPS Publication 199. This exercise, and the tables contained within the draft, permits a reader with a spreadsheet (me) to draw two conclusions about priorities in Smart Grid Security.

Conclusion 1: Integrity is the most important attribute
In reviewing the definitions of the categories, and the impact that was most highly rated, the answer was unanimous. Integrity, as opposed to confidentiality or availability, was rated as a "High", in every single instance. (NB: In categories 10-12, there is a range of impact level, but each included "High" for Integrity ) Whether because corrupted data could degrade the operation of the grid, or because it could be used to defraud customers, suppliers, or the market, integrity showed up as the Number 1 concern, with no exceptions, according to the NIST results.

Conclusion 2: B2B and control system connections are Riskiest
There were only two categories which ranked with "Highs" across the board, for Confidentiality, Integrity, and Availability, and both could be described as connections between different kinds of systems. The categories are numbers 6 and 7, relating to B2B and control/non-control systems respectively. This feels right intuitively, but it also represents a potential area of rapid growth in both members and risk for the Smart Grid. It describes the connections that are both most likely to be leveraged by new entrants and which are most likely to use either IP, or actual Internet-based, networking. As we have written about before, the Soft Grid is probably the next big area of investment and expansion, as organizations form to leverage the new infrastructure and public enthusiasm to deliver more interesting and likely complicated applications.

In the remarkable depth and detail of the NIST report, it is very possible to become discouraged by the references to "hundreds of standards" and by the complexity of the diagrams it contains. It is important to have a sense for where to start, as the NIST process will necessarily be a lengthy one, and time ( and Smart Grid Investment Grants ) are waiting for no-one. If, as contributors to the Smart Grid, or as advisors to organizations which seek to connect, we can help them to focus on these few issues from the start, it is possible that they will be far better prepared for the new documents, threats, and requirements that are certain to follow.

Thursday, September 24, 2009

New Smart Grid Standards are Out - Complexity is In

Earth2tech, as usual, does a great job of reducing complexity into consumable pieces. In this case, the subject is the new NIST Smart Grid standards draft released today (PDF here). Far from appearing as an afterthought or not at all, Cyber Security issues are front and center in the executive summary and are described in some detail on pages 71-79 of the document. Also significant is that control system security, which some feel is getting short shrift in this process, is given substantial attention and weighting, with a list of applicable security-related standards on page 79.

As the diagram above illustrates, however, complexity itself may ultimately become the biggest security challenge. The best human minds, augmented with the most sophisticated tools, will have a monumental task keeping track of the myriad threat vectors and security controls deployed to defend against them. As one of the GridWeek conference panelists said on Tuesday, acknowledging complexity's potential risks, "we hope that we can move towards simplicity at some time in the future." Yeah, that'll be easy.

Diagram: NIST

Wednesday, September 23, 2009

GridWeek:Startups and Security

We are dealing with some raw data here, but one thing jumps out after speaking with a dozen or so Smart Grid start-ups in the Exhibition area: few of the new startups employ a security professional. Some are flatfooted when asked about how and if their product is secured, some are more assured. But even in the latter case the answer tends to be that "the CTO handles security."

There is little doubt that the CTO's of these organizations are highly skilled and technically very deep. But, given the nature of many of these cutting edge providers, they are much more likely to be schooled, and buried, in issues directly related to the functionality that they are attempting to provide. Security will necessarily be put relatively low on the priority list, particularly in the absence of any specific requirements or breaches as identified by others external to the company.

One phenomenon we noticed was that the impetus for people even having a name to assign to security is derived from more consistent utility behaviors in the area. Almost to a person, the interviews which we performed resulted in a statement about how the security resource was identified because the utilities demanded that there be a person with security responsibility in the vendor providers. Kudos to the utilities, and here's hoping that the security person in name will grow into a security resource in fact, as the requirements of their position be more fully articulated going forward.

This blog maintains that the great Smart Grid project could fail, or fail to thrive, largely based on its ability to get security reasonably right, and because adoption will be partially determined by industry and public perception of its safety. The finding that young Smart Grid companies, as represented here, have not prioritized security action, versus titling and responsibility, is a concern. Some of the firms like Itron and Gridpoint have taken time to articulate their security strategy, and that is definitely a step forward, but there is much work to be done by all, in describing, and demanding, a consistent security emphasis going forward.

We will continue to reach out to the CTO's in the coming weeks to better understand their familiarity and efforts in security, and will bring that to you here.

Tuesday, September 22, 2009

Sometimes Smart Grid is More about "Smart" than "Grid'


As Andy and I are heading down to the Grid Week festivities, one of our discussions from last night is sticking with me, and that is on the topic of Microgrids and their role in addressing some of the natural consequences of our reliance on a monolithic grid, whether Smart or not.

Back in July, Andy wrote about the role of Microgrids, and the natural benefits that accrue from the diversity they bring. As we were discussing our priorities for today's sessions, Microgrids and their enablers showed up again repeatedly. This was not just because they are interesting contributors to the Smart Grid ecosystem, but because they may well serve a critical function in terms of reliability, stability, and "reconstructability" of power. Whether as a fallback for generation in the case of a localized attack on more traditional grid linchpins, or as a means of supplying power to areas with less robust links to the main power grid, it is clear that the microgrids have a couple of hats to wear.

In their paper, "Redundancy and Diversity in Security" Bev Littlewood and Lorenzo Strigini take pains to describe the need for understanding both the inevitability of systemic failures, as well as the unlikely nature of fully preparing for an attacker's strategy to breach a system. While one can imagine many or all of the likely points of failure of a system, it is much more difficult to model and accomodate all of the venues through which an attacker may choose to corrupt or disrupt a complex system. As a result, the most prudent strategy is to both ensure redundancy of those likely and foreseeable failure points, and also to architect the delivery system in such a way that an unexpected failure will not necessarily and immediately propagate itself through natural interconnectedness.

As we are talking with vendors and experts today at Grid Week, I will be asking the question about views on Microgrids, about whether the systems and interfaces that are being created today to accommodate their membership into the Smart Grid will also be expected to recognize that these smaller grids can stand on their own, whether they will leverage those microgrids for meaningful redundancy when other sources fail, and if anyone is seeking to minimize the amount of system control that flows outward to the member microgrids in an effort to keep them from being affected by any potential corruption to the major grid infrastructure.

We'll let you know how it goes.

Smart Grid Security Blog Broadcasting from GridWeek 2009


Jack and I have landed in DC for GridWeek 2009.  We'll be pushing and pulling on vendors who say they've got the Smart Grid, and particularly Smart Grid security, all figured. out. Stay tuned for updates and commentary of all kinds.

Photo: American Architecture

Thursday, September 17, 2009

Found a Nugget at NETL!

As we have investigated the nature and definition of security within the Smart Grid context, we have had few definitive descriptions or declarations about what Smart Grid Security really means. This lack of concrete and common understanding is one of the reasons that Andy and I started writing, and now continue writing, the Smart Grid Security blog. Our goal is always to suggest the questions that should be asked, and the issues that will need to be addressed. We do not try to prescribe or promote a definition, it is our thought that the entire space is just too young.

While doing my usual late-night dive around the net, I found an excellent document that I would like to point our readers to, from the National Energy Technology Laboratory, developed for the U.S. Department of Energy. Published in January of 2007, it is an appendix to a much larger piece, which is entitled, A Systems View of the Modern Grid, which was initiated to describe (prior to the pervasive popularization of the term "Smart Grid"), a more informed view of the evolution of the existing grid into something more modern, efficient, reliable, and secure.

I encourage you who are interested in securing the Smart Grid to take a look at Appendix A3: Resists Attack, wherein the authors do a very respectable job of describing many of the likely risks, and the types of regulations/requirements that will be needed to manage/avoid them. As an example, here is a snapshot of a graphic and a fact that I have not seen broadly discussed regarding utility cyber attacks:


And given that these systems and networks have only become more open and accessible since 2003, I would expect that the trend has continued upwards since then.

Aside from good factual data throughout, there are also some concrete recommendations that I wish had been heeded as we jumped headlong into the Smart Grid Investment Grant Program, pilots, etc. Here is an example:
SYSTEM REQUIREMENTS
The systems approach to electric power security would identify key vulnerabilities, assess the likelihood of threats and determine consequences of an attack. The designers of the modern grid can draw on extensive experience developed by the Department of Defense in assessing threats and system vulnerabilities.
And there is much more. Please give it a read. This is a major Smart Grid Security Blog KUDOS to NETL and the authors for a prescient piece of work, that is still an excellent resource three years after publication. Note: Appendix 3 "Resists Attack" has been added to the SGS Blog library in the "Relevant Docs" section.

Tuesday, September 15, 2009

Crucial Smart Grid Conference Announcement: GridWeek 2009


In case you haven't heard, one of most significant US-based Smart Grid conferences (and there are many) is fast approaching. As the dogged detective from Dragnet Joe Friday would say, here are the facts, just the facts:
  • Who: The DOE, members of the Gridwise Alliance, and every small, medium and large industry player is speaking, exhibiting, or both. Attendees are everyone who by vocation or passion needs to know more about where our electrical infrastructure is heading
  • What: Four days of presentations, roundtables and exhibits covering almost every aspect of emerging Smart Grid business, technology and policy issues
  • When: 21-24 September 2009. Note: Smart Grid cyber security is getting extra attention on Tuesday and Wednesday
  • Where: The Ronald Reagan Building in downtown Washington, D.C.
  • How: Register here and get yourself there
Hope you can make it. If you do, and you have some conference commentary for the Smart Grid Security Blog or would like to meet, please drop us a line at sgsblog@bochman-danahy.com.

Monday, September 14, 2009

Smart Grid an Unexpected Boon to Telco's

It was good to read, the other day, about the integration of yet another group of players into the Smart Grid universe: The Telco's. I had bumped into a very interesting article on the mixing of Power and Communication networks at Telephony Online. As the Internet was developing, the shining lights who were attempting to secure the early networks and systems of the Internet age were most often employees of the rapidly growing community of Internet Service Providers, and many were employees of the backbone providers (initially the telco's).


There have been multiple announcements and articles about these new linkages in the past few months, like this announcement from AT&T, this second piece in Telephony Online magazine, and this article about the new FCC interest in Smart Grid/Meter backhaul.

As we talk through the coming culture clash between ordinary IT and Utility IT, it is very reassuring to know that there may soon be pressure building for good security from the IT security experts within the major telco partners for backhaul, billing, equipment provision, etc.

I am hoping that we see these providers demand the same kind of security from the Utility connection partners as they have demanded from their partners on the Internet side of the business. It may provide exactly the linkage we need to have the migration we need begin to move talented people from IT to utilITies.

Sunday, September 13, 2009

Smart Meters, Privacy Alarms and Alarmists

While often related, cyber security and privacy also have distinct lives all their own. The recent musings of Philadelphia staff writer Andrew Maykuth and some of the folks he interviews heighten fears of the coming Smart Grid without the slightest allegation of system vulnerability or reliance on the repetitive use of the word "Hackers." Instead, he gives us Orwell:
Meters could record material so frequently that power flows could be interpreted like DNA to reveal unique electrical signatures of individual appliances. Some experts imagine an Orwellian future in a carbon-constrained world, where consumers are cited for excessive electricity use, or divorce lawyers comb through meter records and ask: Who used the hot tub while the spouse was away? "The privacy implications are astounding," said Susan L. Lyon, a Seattle lawyer who specializes in data-security issues. She compared the smart grid's potential benefits - and risks - with those of the Internet.
... and Godzilla:
The drive to retool the United States' electricity generation and distribution networks may inadvertently raise a monster with unparalleled abilities to invade residential privacy," Elias Leake Quinn, a research analyst at the Center for Energy and Environmental Security in Boulder, CO.
This isn't security. This isn't even social engineering. It's business functionality pure and simple. We are in the early days of deciding how we want this software to run (and not run) and what kinds of data are accessible by different organizations. If you don't like the coordinates we seem to be heading towards, get involved early and often.

Wednesday, September 9, 2009

EMP, Asteroids and the Smart Grid


Re: the title of this post - there are some threats you just can't do anything about, so you try not to worry about them too much, and get on protecting yourself against the ones you can. To that end, I recently participated in a short article on Electro Magnetic Pulse (EMP) risks to the grid and Smart Grid on earth2tech. For background on this topic, here's the Wikipedia entry.

Basically, we should not let EMP concerns sidetrack the good work being done to rapidly advance the state of the Smart Grid. For example, I watched as an EMP discussion temporarily paralyzed a NIST Smart Grid standards working group session for almost half an hour. Don't get me wrong, EMP is a serious topic not to be taken lightly, but standards, no matter how thoughtful and excellent, aren't going to help us much there.

A trip to Kirkland Air Force Base's EMP simulator in New Mexico would have shown you we were working on protection measures, and training films from my early Air Force days showed EMP shielding on B-52s on their one-way mission to the USSR during our MAD mutually assured destruction days. Today, short of keeping nukes from exploding anywhere near CONUS, we should acknowledge that there are no good national-scale solutions to EMP out there. All proposed are way too expensive, way too impractical, and virtually impossible to implement without shutting down our government, economy and military for 10-20 years. Or longer.

With a well positioned high altitude nuclear explosion (200 miles up over the US midwest), the Smart Grid, if anything, seems to make us even more vulnerable by adding more devices with easily fry-able circuitry to the mix. But in scenarios where a nuke goes off on the ground or at low altitude, distant micro grids and remote sections of a national Smart Grid would miss out on the carnage, and by islanding, would not be taken down by a cascading failure of the national grid as regional systems likely would today. So the take away is keep on building the Smart Grid, and try not to let EMP, or civilization-ending asteroids, get in the way.

Alarming Doomsday Illustration: Wikimedia Commons

Monday, September 7, 2009

Smart Grid Ontogeny need not Recapitulate Internet Phylogeny

Many years ago, French physician and embryologist Etienne Serres suggested that more advanced species passed through the developmental stages of their evolutionary chain as they came into existence. This was later summed up into the (incorrect) axiom, "Ontogeny (development and growth) recapitulates Phylogeny (evolution)", by Ernst Haeckel, known as the "Recapitulation Theory". While disproven to the satisfaction of most scientists years ago, it seems that Drs. Serres and Haeckel may have an angle on the growth of the Smart Grid.

During the early growth of internetworking, there were centers of computing power, and within them, commuities that wished to be united with other similar groups. More importantly, there were those that simply understood that such communication was possible, and they worked to try to accomplish it. In 1969, the very young arpanet had four nodes on it. There was already growing computing power, but the connection of the vast majority of those systems, and any sense of potential for heterogeneity was clearly a thing for the future. This picture, from the Computer History Museum provides a cocktail napkin's view of how simple the Internet's beginnings were


That network would grow in 20 years to have hundreds of thousands of nodes, as individuals and organizations created applications and infrastructure to support a new generation of businesses and communications. Sadly, though, along the way there were a generation of mishaps, from the Morris worm, to CodeRed, to identity theft and denial of service attacks.

The evolution of the Internet has been a bumpy one. When things are so exciting, so much is possible, and when there is unlimited fuel (in this case venture capital and rising stock values) it is hard to keep organizations focused on doing things safely.

The Smart Grid is at the launching pad of a similar accelerated evolution. Interest in renewables and political capital are combining with environmental passions, grant money, and a green field industry. If one believes that recapitulation theory is inevitable, we will simply accept that the growth of the Smart Grid will demonstrate all of the flaws and weaknesses of the Internet as it matures. Haeckel and Serres posited that there was one basic form that organisms began with, and that such a form was then morphed into whatever being was under development. Many view the Smart Grid in the same way, that it is an infrastructure, much like the existing Grid, or the Internet, or both, and therefore it will necessarily experience many, if not all of the same bumps. I don't think it has to.

Biological recapitulation is largely discredited because it was provable that humans never had the scales of early reptiles, or mammalian teeth while in the womb, or other clearly identifiable earmarks of adults of more primitive species. I would ask that we think of all of the earmarks of the problems of the Internet's growth be examined; insecure configurations, poor access control, and unexamined software and systems, and that these issues be removed. Let us prove that Smart Grid development will not recapitulate the Internet's evolution, because we have learned from that experience, and now have the power to skip those steps as we move on to the next phase of power creation, consumption, and distribution.

NIST Workshop to Cover Badly Needed Control Systems Security Basics

This just in from Joe Weiss:
Following the October 19-22 Applied Control Solutions Control Systems Cyber Security Conference, NIST will hold a 1-day Workshop October 23rd that will discuss the NIST FISMA security standards and guidelines that apply to industrial control systems including for Smart Grid. There will be no charge for attending the NIST session. Details on the NIST session are being finalized. For information on the NIST Workshop, go to http://csrc.nist.gov/staff/indexhtml.
The location for the ACS Conference and NIST Workshop is the Bethesda Marriott, 5151 Pooks Hill Road.

Thursday, September 3, 2009

A New Threat to Old Energy is a New Threat to the Smart Grid

Why? Because any time the press puts the words "hackers" and any kind of energy in the same headline, it impairs our collective confidence that we'll ever be able to secure the promising but IT and Internet technology-dependent marvel called the Smart Grid. Here are a couple of illustrative examples from last week's best/worst Smart Grid enthusiasm-squelching article in Foreign Policy journal titled "The New Threat to Oil Supplies: Hackers":
The SINTEF Group, an independent Norwegian [energy and climate] think tank, recently warned oil companies worldwide that offshore oil rigs are making themselves particularly vulnerable to hacking as they shift to unmanned robot platforms where vital operations -- everything from data transmission to drilling to sophisticated navigation systems that maintain the platform's position over the wellhead -- are controlled via wireless links to onshore facilities.
Ominous sounding indeed. Makes it sound like vaguely-categorized "wireless links" are the villain here. Or maybe it's the onshore facilities that are the security weak link. I don't know, but the typical generalist reader is going to suspect the worst of both. That appears to be the SINTEF Group's intent, anyway. Note to self and readers: always take alarming security reports from analyst groups and small security consultancies with a few spoons of NaCl.

OK, here's another one from the same article, and arguably it's got more teeth:
While the newest oil rigs ... [are] loaded with cutting-edge robotics technology, the software that controls a rig's basic functions is anything but. Most rely on the decades-old supervisory control and data acquisition (SCADA) software, written in an era when the "open source" tag was more important than security, said Jeff Vail, a former counter terrorism and intelligence analyst with the U.S. Interior Department. "It's under appreciated how vulnerable some of these systems are," he said. "It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail."
I'm no SCADA expert, but everything I've learned from control systems pro's of late supports Vail's contention that the folks building these things did not anticipate a time when their systems would be exposed to the wider world via wireless or wired connections to other computers, let alone the Internet. I'd say the time will come when folks who want the Smart Grid to be secure and successful, both in reality and in the public's perception, are going to have to go on a security messaging offensive. I know the press makes its money via all things sensational, but consider how many scary Smart Grid cyber security stories you've read this year versus how many you've seen that tell you it's going to be plenty secure because we know how to do it. One way this great and very necessary undertaking can (and may) fail is if no one -- from large enterprises to individual homeowners -- trusts it enough to use it.

Wednesday, September 2, 2009

Electro-Shocker Therapy: The Risk of Disconnection

There is a quiet riot going on in the Smart Metering community today over an article that got covered by Reuters, which was actually content from GreenBiz, based on an article in the MIT Technology Review, which was itself based on content from a presentation given by Mike Davis of IOActive at Black Hat ( a yearly premier IT Security Conference, widely attended ) on July 29th, 2009, which was actually initially presaged by an IOActive report on March 23rd, 2009.

...Phew...

For those of you who didn't click on any one of those largely redundant links to see what was going on, Mike Davis and the team at IOActive have done research into some of the Smart Metering infrastructure, and have some very credible concerns about their security, and some interesting and informed approaches that potential attackers might take to arrange their exploitation.

So there.

"Well Jack, if they are so redundant, why waste the 1's and 0's to hit it again here, on the ordinarily fresh Smart Grid Security Blog?"

Because this new excitement about a story almost 6 months old is an indication of an underlying problem that most utility professionals, particularly those in T&D or in Billing, know well...This problem is Disconnection.

No, no, no. Not terminating service, not smokin' transformers, not backhoes through buried lines. I am talking about the recurring disconnection between the world of IT Infrastructure and the world of Power Infrastructure. The world of IT knows that it is vulnerable, and it knows that it has to improve, and everyday there is a battle between the attackers and the defenders. As a result, there is a rapidly maturing discipline in the IT world that is driving baseline security behaviors, constant research into the changing state of the art, and a hunger and interest in learning about dangers before they become calamities. As a result, my IT colleagues were excited about Mike Davis' presentation at Black Hat long before he was due to give it, because that kind of first hand knowledge and credibility is sought after, shared, and appreciated, in the IT world.

The Power World ( and I know that generalizations cry out for individuals to claim that they are the exceptions, so please feel free to do so) is not yet engaged to that point. As it was in the early days of the Internet, many in the Power World are hoping to be protected by obscurity, limited connectivity, and arcane systems. As a result, they are not questing for, and demanding, research into the vulnerabilities of the systems now in place or the systems soon to come. They will demand it soon, though, either because of an increase in interest, or because of an increase in damages.

Beyond all of this, there is another disconnection that deserves to be noted. This furor is raised because of the seeming insecurity of the meters, and their potential vulnerability to attack. This could be because you can rip one off of your house, or buy one for a reasonable cost, making it easier to study. Whatever the reason, the Smart Meters are but one component of the new Smart Grid. Where is the research into the security of the management software, of the data concentrators, of the WAN interfaces, of the Headend Servers? More importantly, where is the demand that such research take place now, before the actual devices are deployed and weaken or destabilize the entire infrastructure?

I am not talking about defining standards, or rating encryption, or even mandating some simple best practices. All of these things are good, and necessary, and some are even underway. I am talking about the kind of testing of these components that was written of long ago, applied to computer systems and their vulnerabilities.

In 1993, Dan Farmer and Wietse Venema wrote a seminal paper, entitled,"Improving the security of your site by breaking into it", which created a new wave of thinking in IT: That organizations had to think about security from the perspective of an attacker. What might be tried? What might happen? It was no longer enough to secure the behaviors that the organization expected to see.

These two worlds are coming together in the Smart Grid, with IT invading and improving the use of power in many ways. The disconnection in Security must end soon, or we will certainly start to see a loss of power, energy, and momentum in the perceptions, if not the circuits, of the Smart Grid.