Showing posts with label supply chain. Show all posts

Thursday, December 5, 2013

Beroset on AMI and Smart Meter Security Considerations - Late 2013

Ed Beroset is the Director of Technology and Standards at one of the main smart meter making companies, Elster, and I've had the good fortune of meeting him on several occasions when we both had speaking duties at grid security conferences. In this case, tech director also = security strategist and spokesman.

Recently, as I've started to prepare myself for work with Greentech Media's Grid Edge council, I wanted to check up on the current state of security thinking around AMI and smart meters.

Lo and behold, here's Ed who just put it down in pixels with 3 questions to ask yourself, along the lines of what are you protecting and why, and 7 to ask your vendors.  In the latter category, I particularly like #1 and the advice that follows:
What security measures does your system employ? 
Don’t settle for vague or imprecise answers to this question. Any reputable vendor will be able to give you a clear and detailed answer. Furthermore, don’t accept the excuse that the security measures are proprietary and top secret. As any security expert can attest, in modern systems, it is not a secret algorithm, but a secret key, that ensures security.
This may be more advanced than your typical energy sector start-up is ready for, or needs to be ready for, but it's a good example of the type of scrutiny mature product suppliers like Elster have come to expect as a matter of doing business with increasingly security-aware customers.

You can read the full article HERE.

Thursday, February 14, 2013

CNAS Provides a Good Way to Grok the Executive Order

First of all, Happy Valentine's Day, SGSB readers. Hope you are finding as much success in your love lives as you are in your careers securing (or caring about securing) the most critical of critical infrastructures.

Yesterday found me walking down the street in Washington DC a little before noon, when suddenly I ran into some friends, old and new, who had just popped out of the US Department of Commerce. They witnessed directly, and gave me a first-hand account of, the birth of the administration's Executive Order (EO) on better securing the nation's critical infrastructures.

Friday, November 16, 2012

Great Video: Latest Utility CEO on Cybersecurity


Another CEO joins the emerging chorus of senior energy sector executives not just tuned in to the strategic nature of cybersecurity and privacy challenges in the Smart Grid era, but willing to speak out about it. He also hits some good notes re: supply chain issues.

Thanks to Jessie Knight, Chairman and CEO of San Diego Gas & Electric (SDG&E). And hat tip to IBM colleague Tracy A and SmartGridNews.com for sending me this.

Tuesday, October 30, 2012

For Energy and other Critical Infrastructure Companies, Supply Chain Security Trap Door Remains Wide Open

Another week, another awful revelation related to security weaknesses in widely (and I do mean WIDELY) installed control system products. Last week THIS and that was revealed; now this week we pile on with an issue whose impact seems well nigh insolvable.

From Ars Technica:
"The CoDeSys software tool, which is used in industrial control systems sold by 261 different manufacturers, contains functionality that allows people to remotely issue powerful system commands," Reid Wightman, a researcher with security firm ioActive, told Ars .... "There is absolutely no authentication needed to perform this privileged command," Wightman said.  Of the two specific programmable logic controllers (PLCs) Wightman has tested, both allowed him to issue commands that halted the devices' process control. He estimated there are thousands of other models that also ship with CoDeSys installed, and he said most of them are probably vulnerable to the same types of attacks.
Perhaps we'll learn something in coming weeks that will reveal the scope isn't as big as it seems. But until then, I'll leave you with a comment from one of the Ars readers that gets to the heart of the supply chain security challenge:
If it sounds too stupid for words BUT it would make life easier for the developers or admin, then it's sure to have happened. 
Sad, but I'm afraid, true. HERE's the whole article for you.

Friday, October 19, 2012

Supply Chain Security Awareness on Upswing for Energy and Comm Sectors

10/25/12 Update: Huawei just said it is ready to have all its source code tested for security. Would other vendors be so bold?

------------------

If you don't subscribe to the online version of the Wall Street Journal, you probably don't get its daily CIO feed, which provides a nice topical tapas-sized taste of what's on folks' minds every morning.

One of those folks is me, and I've been stirred up lately by all the press (The Economist, 60 Minutes, etc.) and Capitol Hill attention Chinese communications equipment maker Huawei has been getting. Personally, I haven't had any direct contact with Huawei or its products, but I have a gut-level response when a company gets pilloried solely for where it's headquartered or the nationality of its owner(s).

Wednesday, January 18, 2012

Goodspeed to the Rescue for Pernicious Smart Grid Hardware/Firmware Security Problems


Very much in the spirit of an SGSB post that's turned out to be pretty popular, The Value of Black Hat to Smart Grid Security, free-spirited hacker genius Travis Goodspeed is starting something that might raise a few vendors' hackles. But actually, because it may incite some anxiety, it may also get some results.

In Travis' own words, here's the raison d'être of his new initiative, called "Smart Grid Skunkworks":
Recent vulnerabilities found in smart meters and HAN devices have shown a number of weaknesses in the engineering practices used to build these devices and their constituent components. A vulnerability in a chip or library is fixed slowly, and it is a very rare event that the meter and thermostat vendors affected by the vulnerability are notified by their suppliers. Because of this, vulnerabilities are spreading downward through the supply chain, and the engineers of smart grid devices are left uninformed.
There are technology and business issues at work here. And more than a little corporate psychology too. 

Left alone, this seemingly intractable set of esoteric problems would likely never be solved. But that's what got Travis charged up, it seems, so much so that he dreamed up this movement and ended his call to action with:
I invite you to join me in preventing smart grid vulnerabilities before they are created.
I've given you the bookends, but you should definitely read the whole piece yourself, HERE. And then if you've got the technical chops to help, and you won't get yourself in too much hot water, this might be just the thing for you.

Photo credit: Travis Goodspeed on Flickr.com

Tuesday, October 18, 2011

Do it for Mom: Knocking out Smart Grid Vulnerabilities Early this Holiday Season


Unless you're in Texas, where until recently roofs were melting and tires exploding, you've noticed the new autumnal smells in the air, right? So right about now who wouldn't want Smart Grid security, motherhood and/or apple pie? That's what this new Oak Ridge National Laboratory (ORNL) project promises:
Rather than wait for signs of a security problem to crop up in smart-grid technologies, wouldn’t it be better to automatically analyze software and hardware to uncover vulnerabilities, whether accidental or malicious?
I think this must be a trick question; the answer seems so obvious.

Add one part DOE lab, another part respected energy sector security service provider EnerNex, and a generous dollop of AMI vendor Sensus, and it appears you've got a formula for something that's been missing in Smart Grid supply chain security ... until now.

Let's see how this goes.

Click HERE to read more on this.

Photo credit: cotaroba at Flickr.com

Tuesday, October 4, 2011

Asset Owners Speak Out/Up at Smart Grid Security Summit West

What a great start. Five guys charged with improving the security posture of their large utilities all on stage, and fielding questions from conference organizer Mike Ahmadi and an audience full of security minded folks from all walks of life.

In no particular order, here are a few notes I took organized by speaker:

Jeff Gooding - Southern California Edison
  • Very interested in standards
  • Vendor certification would be desirable, though preferably nothing as heavy as the Common Criteria
  • Finds it takes approx 2 years for an IT security generalist to get up to speed and be competent in the operational technology (OT) arena
Ward Pyles - Southern Company
  • (Partly tongue in cheek, partly not) said Southern Co. doesn't talk security anymore. Rather, it's all about reliability ... doing what's required to keep systems operational and available.
  • To do this, he/they use a different, more business oriented vocabulary
  • Also, working with vendors towards certification
James Sample - Pacific Gas & Electric
  • Security is much more a people than a technology issue
  • Would like to see more standards baked into products at time of manufacture
  • Like Ward, increasingly uses reliability versus pure security in conversations across the business lines
  • Spends significant amount of time pushing vendors to deliver secure solutions
  • Wishes he could spend less time on vendors (above) and more time working with his people
Christopher Peters - Entergy
  • Security pros must be good communicators and tailor language to fit their audiences
  • Bridging silos is one of his main jobs
  • Having a CXO as a boss is very helpful in accomplishing the above
Stephen Mikovits - San Diego Gas & Electric
  • Very thankful for CPUC's order that CA IOUs generate 10-year forward looking Smart Grid deployment plans, including a major emphasis on security
  • This really helped SDG&E as well as the other utilities by giving them a platform to communicate security requirements and recommended actions
So there you have it. Several themes emerge: security as reliability, language and communications, silo busting, supplier security and certification, importance of security standards. Seems like most in the audience felt like these were the right notes. I sure did.

BTW - I was working pretty fast. If you spot any typos or inaccuracies here, please let me know and I'll update the post asap.

Wednesday, September 7, 2011

Conference Alert: EnerSec Smart Grid Security Summit West 2011


This conference series, the first ever dedicated to Smart Grid Security and Privacy, had a great start last year in San Jose and now returns to California with a head of steam after robust attendance and some very strong content earlier this year in Knoxville.

The lineup keeps getting stronger and this session promises a compelling mix of workshops on day 1, followed by days 2 and 3 with regulator and industry updates, round table discussions and lots of back and forth with what has been in the past a very energized audience.

You can expect a bunch of utilities will be present, and not just the big 3 from California, plus state regulators from CA and TX, fed folks from DOE, NERC, FERC and NIST.  Also, owing to proximity to one of the largest USN bases in the world, we'll likely see some energy-minded sailors present too.

Here are the basic facts for you:
  • Dates: 3-5 Oct 2011
  • Location: San Diego
  • Venue: Town and Country Hotel - click HERE to reserve a room
  • For more info and to register for the conference, click HERE
Next week I plan on throwing a few trivia questions at you. Correct answers may earn you a significantly reduced rate for the conference, or at the very least, hearty congratulations.

Photo credit: http2007 on Flickr.com

Tuesday, June 21, 2011

Electric Sector Supply Chain Responsibilities re: Security


I found a recent post "Fix the Problem, Stop Bailing out Vendors" on the Digital Bond blog quite compelling.
Author Dale Peterson begins thusly:
We, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to their models available for sale today. Beginning with authenticating the source and data sent and received from the PLC and continuing with other Security 101 features. We should not say or pretend that any other solution besides this is acceptable.
... and what follows is some interesting back and forth between Peterson and SCADAhacker Joel Langill, as well as a number of pretty well informed commenters, on how best to approach these challenges, and with whom the ultimate responsibility lies.

While Siemens is mentioned because its equipment was targeted by Stuxnet, all makers of intelligent, connected grid systems (and I'd certainly include grid and Smart Grid software and application vendors here as well) should have their feet held to the fire re: the security functionality of their products.

We can try to do that via regulation, or we can start asking, and then demanding it in RFPs and other sourcing docs. One way or another, solid security functionality is becoming a real requirement. Let's not pretend otherwise. And let's not let others pretend otherwise. Click HERE for the full post.
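To make concrete what Peterson's "authenticating the source and data sent and received from the PLC" asks of a vendor, and Beroset's point above that it is the key, not the algorithm, that must stay secret, here is an added example that is not part of the Digital Bond post or any vendor's code. It contrasts a toy controller that accepts a halt command from anyone who can reach it with one that requires every command frame to carry a per-device HMAC-SHA256 tag and a strictly increasing counter (so a captured frame cannot be replayed). The frame layout, the key, and the command names are all constructed for illustration; the algorithm is public, which is exactly the point.

```python
import hmac
import hashlib
import struct

# Constructed shared secret for the example. In a real deployment each device
# would get its own key at commissioning; HMAC-SHA256 itself is public.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
TAG_LEN = 32          # SHA-256 output size
COUNTER_LEN = 4       # big-endian uint32 anti-replay counter


def unauthenticated_handle(frame: bytes) -> str:
    """The weak pattern: whoever can reach the port can halt the process."""
    cmd = frame.decode("ascii", errors="replace")
    return "halted" if cmd == "STOP" else "ignored"


def build_frame(key: bytes, counter: int, cmd: str) -> bytes:
    """Client side: body = counter || command, followed by HMAC(key, body)."""
    body = struct.pack(">I", counter) + cmd.encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthenticatedController:
    """Controller that accepts a command only if the tag verifies and the
    counter is fresh. State changes happen only after both checks pass."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.state = "running"

    def handle(self, frame: bytes) -> str:
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag verification does not leak timing.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        counter = struct.unpack(">I", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        cmd = body[COUNTER_LEN:].decode("ascii", errors="replace")
        if cmd == "STOP":
            self.state = "halted"
            return "halted"
        return "ignored"


def demo() -> dict:
    """Run the scenarios a buyer would want to see and return their outcomes."""
    results = {}
    # 1. Unauthenticated controller: anyone can halt it.
    results["unauth_stop"] = unauthenticated_handle(b"STOP")

    ctl = AuthenticatedController(DEVICE_KEY)
    # 2. Same bare command against the authenticated controller is rejected.
    results["bare_stop"] = ctl.handle(b"STOP")
    # 3. A properly keyed frame is accepted.
    good = build_frame(DEVICE_KEY, counter=1, cmd="STOP")
    results["keyed_stop"] = ctl.handle(good)
    # 4. Replaying the captured frame fails on the counter check.
    results["replay"] = ctl.handle(good)
    # 5. A frame built with the wrong key fails the tag check.
    results["wrong_key"] = ctl.handle(build_frame(b"guess", 2, "STOP"))
    # 6. Flipping one byte of a valid frame's command also fails the tag check.
    tampered = bytearray(build_frame(DEVICE_KEY, 3, "RUN"))
    tampered[COUNTER_LEN] ^= 0x01
    results["tampered"] = ctl.handle(bytes(tampered))
    results["final_state"] = ctl.state
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The thing to ask a vendor is which of the last four outcomes their device actually produces today, and how the per-device key gets onto it and rotated; "the protocol is proprietary" answers neither question.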

Photo credit: manpages on Flickr.com