Wednesday, September 2, 2009

Electro-Shocker Therapy: The Risk of Disconnection

There is a quiet riot going on in the Smart Metering community today over an article that got covered by Reuters, which was actually content from GreenBiz, based on an article in the MIT Technology Review, which was itself based on content from a presentation given by Mike Davis of IOActive at Black Hat ( a yearly premier IT Security Conference, widely attended ) on July 29th, 2009, which was actually initially presaged by an IOActive report on March 23rd, 2009.

...Phew...

For those of you who didn't click on any one of those largely redundant links to see what was going on, Mike Davis and the team at IOActive have done research into some of the Smart Metering infrastructure, and have some very credible concerns about their security, and some interesting and informed approaches that potential attackers might take to arrange their exploitation.

So there.

"Well Jack, if they are so redundant, why waste the 1's and 0's to hit it again here, on the ordinarily fresh Smart Grid Security Blog?"

Because this new excitement about a story almost 6 months old is an indication of an underlying problem that most utility professionals, particularly those in T&D or in Billing, know well...This problem is Disconnection.

No, no, no. Not terminating service, not smokin' transformers, not backhoes through buried lines. I am talking about the recurring disconnection between the world of IT Infrastructure and the world of Power Infrastructure. The world of IT knows that it is vulnerable, and it knows that it has to improve, and everyday there is a battle between the attackers and the defenders. As a result, there is a rapidly maturing discipline in the IT world that is driving baseline security behaviors, constant research into the changing state of the art, and a hunger and interest in learning about dangers before they become calamities. As a result, my IT colleagues were excited about Mike Davis' presentation at Black Hat long before he was due to give it, because that kind of first hand knowledge and credibility is sought after, shared, and appreciated, in the IT world.

The Power World ( and I know that generalizations cry out for individuals to claim that they are the exceptions, so please feel free to do so) is not yet engaged to that point. As it was in the early days of the Internet, many in the Power World are hoping to be protected by obscurity, limited connectivity, and arcane systems. As a result, they are not questing for, and demanding, research into the vulnerabilities of the systems now in place or the systems soon to come. They will demand it soon, though, either because of an increase in interest, or because of an increase in damages.

Beyond all of this, there is another disconnection that deserves to be noted. This furor is raised because of the seeming insecurity of the meters, and their potential vulnerability to attack. This could be because you can rip one off of your house, or buy one for a reasonable cost, making it easier to study. Whatever the reason, the Smart Meters are but one component of the new Smart Grid. Where is the research into the security of the management software, of the data concentrators, of the WAN interfaces, of the Headend Servers? More importantly, where is the demand that such research take place now, before the actual devices are deployed and weaken or destabilize the entire infrastructure?

I am not talking about defining standards, or rating encryption, or even mandating some simple best practices. All of these things are good, and necessary, and some are even underway. I am talking about the kind of testing of these components that was written of long ago, applied to computer systems and their vulnerabilities.

In 1993, Dan Farmer and Wietse Venema wrote a seminal paper, entitled,"Improving the security of your site by breaking into it", which created a new wave of thinking in IT: That organizations had to think about security from the perspective of an attacker. What might be tried? What might happen? It was no longer enough to secure the behaviors that the organization expected to see.

These two worlds are coming together in the Smart Grid, with IT invading and improving the use of power in many ways. The disconnection in Security must end soon, or we will certainly start to see a loss of power, energy, and momentum in the perceptions, if not the circuits, of the Smart Grid.

No comments: