Thursday, September 3, 2009

A New Threat to Old Energy is a New Threat to the Smart Grid

Why? Because any time the press puts the words "hackers" and any kind of energy in the same headline, it impairs our collective confidence that we'll ever be able to secure the promising but IT and Internet technology-dependent marvel called the Smart Grid. Here are a couple of illustrative examples from last week's best/worst Smart Grid enthusiasm-squelching article in Foreign Policy journal titled "The New Threat to Oil Supplies: Hackers":
The SINTEF Group, an independent Norwegian [energy and climate] think tank, recently warned oil companies worldwide that offshore oil rigs are making themselves particularly vulnerable to hacking as they shift to unmanned robot platforms where vital operations -- everything from data transmission to drilling to sophisticated navigation systems that maintain the platform's position over the wellhead -- are controlled via wireless links to onshore facilities.
Ominous sounding indeed. Makes it sound like vaguely-categorized "wireless links" are the villain here. Or maybe it's the onshore facilities that are the security weak link. I don't know, but the typical generalist reader is going to suspect the worst of both. That appears to be the SINTEF Group's intent, anyway. Note to self and readers: always take alarming security reports from analyst groups and small security consultancies with a few spoons of NaCl.

OK, here's another one from the same article, and arguably it's got more teeth:
While the newest oil rigs ... [are] loaded with cutting-edge robotics technology, the software that controls a rig's basic functions is anything but. Most rely on the decades-old supervisory control and data acquisition (SCADA) software, written in an era when the "open source" tag was more important than security, said Jeff Vail, a former counter terrorism and intelligence analyst with the U.S. Interior Department. "It's under appreciated how vulnerable some of these systems are," he said. "It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail."
I'm no SCADA expert, but everything I've learned from control systems pro's of late supports Vail's contention that the folks building these things did not anticipate a time when their systems would be exposed to the wider world via wireless or wired connections to other computers, let alone the Internet. I'd say the time will come when folks who want the Smart Grid to be secure and successful, both in reality and in the public's perception, are going to have to go on a security messaging offensive. I know the press makes its money via all things sensational, but consider how many scary Smart Grid cyber security stories you've read this year versus how many you've seen that tell you it's going to be plenty secure because we know how to do it. One way this great and very necessary undertaking can (and may) fail is if no one -- from large enterprises to individual homeowners -- trusts it enough to use it.

No comments: