Tuesday, November 23, 2010

I Mind this Gap: The Distance Between the Future Smart Grid and Today's Mix of Security Challenges


For a critic of alarmist, sensationalist Smart Grid headlines, I'm a bit surprised the blog editor in me approved this one by the blogger in me. But, to dust off a 50 cent word from grade school writing class, it was the juxtaposition of two statements made in the past few days that got me going.

One is a great reminder of the very many compelling reasons we're building this thing, from one of the industry's most articulate Smart Grid advocates, GTM's Senior Smart Grid Analyst David Leeds. The other is a sweeping cautionary statement on Stuxnet-like threats, made last week by one of the most respected security minds in the business, former AEP and NERC CSO Mike Assante (now CEO of NBISE).

Here are a few snippets from Leeds' piece. First, what the Smart Grid will do for us:
The ... smart grid will not only bring new communication capabilities to mission-critical grid devices and end-user appliances in order to optimize energy efficiency, reliability and security, but will also serve as the enabling platform to plug in the next generation on clean energy technologies, such as rooftop solar systems, wind farms and electric vehicles.
And from an economic perspective, why we need to build it now:
While today’s distribution grids, lacking real-time visibility and control, are largely running blind and consequently costing the U.S. economy approximately $100 billion to $150 billion each year in power outages, tomorrow’s grid, much like the human body’s own nervous system, will have sensory intelligence embedded throughout, giving the grid the ability to anticipate disruptions, and even to self-heal.  
OK, I'm motivated ... let's build this sucker stat! But hold on ... the gap I'm referring to in the title is, of course, the yawning chasm between what you hear Leeds saying must be done and Assante's message (which we're about to get to), which communicates that, as a nation, we're not ready for this.

Mr. Assante is not an alarmist - far from it. In fact, that's why his word counts for so much in this space. But his vocation and experience put him perpetually on the lookout for issues that bring risk to critical infrastructure systems, and when he sees one, his job is to sound a considered, highly targeted alarm audible to senior decision makers, which is what he just did in Washington.

Here's one of his first points - it sets the high-level stage for some of the more granular suggestions he makes later on:
Developing and implementing effective indicators, defenses, and countermeasures to cyber threats like Stuxnet demands that we look not just to the security community but also to the system designers, planners, engineers, and operators of our essential technology and physical infrastructures. We must take a prudent and proactive approach that enhances our ability to learn and apply knowledge fast enough to manage the dangerous consequences that come with these types of attacks. We can no longer ignore known system weaknesses and simply accept current system limitations. We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address the highly-advanced security challenges facing our cyber-dependent critical infrastructures.
That's a lot, a whole lot. Maybe too much to hold in main memory. But then he puts a finer point on it, shining light on operational systems ...
No one should be shocked that cyber exploits can be engineered to successfully compromise and impact control systems. Study after study has identified common vulnerabilities found across control system products and implementations. The exploitation of a hard-coded password design in one vendor’s implementation will not be an uncommon or isolated occurrence.
And finally, towards the close, here's one of several actions he recommends:
Require critical infrastructure asset owners and control system vendors to report industrial control system specific security incidents and the U.S. government must provide up-to-date information to asset owners and operators on observed adversary tactics and techniques, especially when investigations reveal attacker capabilities to side-step or exploit relied upon security technologies.
Not a full solution, mind you, but certainly a firm step in the right direction from where we are now: make more information available to the community so we can more quickly adapt and update our defenses. Today in the energy sector, there's nothing like this. Hence, a gap in knowledge.

Then there's this: we're concerned about Stuxnet's massive attack penetration strategy, which defeated most current cyber defenses, being armed with more broadly targeted payloads in future versions, and it's definitely getting attention. But less obvious, yet almost as much of a concern, is that a focus on High Impact Low Frequency (HILF), a.k.a. advanced cyber threats, might prompt utilities to take their eyes off more mundane, but nevertheless serious, day-to-day attacks on their systems.

This second gap is the one in setting security priorities ... between preparing for advanced threats and ensuring that essential security best practices and defenses are maintained to combat everyday threats from malware, criminals, insiders, etc. There's crawling, walking, then running, and so far on securing the electrical infrastructure, most would say we're crawling. And then there's walking and chewing gum at the same time: preparing for diverse threats and doing a good-enough job on all of them. This is not a job for wimps, and it's going to take a long time before we see significant progress.

So let's end with David Leeds, alright? When security challenges seem overwhelming it's always helpful, for me anyway, to revisit why we're putting ourselves through all of this in the first place.
[The] U.S. is hardly alone in promoting smart grid as an economic growth engine; virtually every major economy is now either piloting or deploying smart grid technologies, and it’s now understood that you can not run a digital 21st century economy on a 20th century grid.
Maybe we can fuse Leeds' economic drivers with Assante's security cautions and recommendations and come up with a middle-path approach that keeps attackers at bay and keeps the LED lights burning bright.

Click HERE for more on HILF threats and what we might do about them.

Photo credit: Cindy Andrie on Flickr.com
