2 Smart Grid Security Conferences and another Pike Report Signal Robust Interest in Smart Grid Security

Colorado-based Pike Research has said it again: Smart Grid security is (and will continue to be) very big business. How big you ask?  CNET's cites Pike's just released report saying that in the next five years "about 15 percent of all smart grid investments will be spent on cybersecurity. This will represent a total global investment of $21 billion." Those are substantial numbers by any standard, and dwarf the recent US Federal stimulus infusion of $3.4 billion also known as the Smart Grid Investment Grant (SGIG) program.

Now, in case you haven't noticed, there are about a million multi-day Smart Grid conferences going on around the globe at any one point in time. But there aren't as many, or actually hardly any, that focus on the security aspects of this grand enterprise.

It was probably just a coincidence, but last week's market size announcement by Pike certainly sets the stage for two important, and very different conferences on this topic.

First, there's the first Smart Grid Cyber Security Summit. It's being held on Aug 10 -11 in San Jose. A great speaker line-up so far, including many folks we've had the pleasure of talking - and sometimes working - with. Looks like AMI, HAN and Smart Meter systems are going to get a fair bit of coverage, though control systems will get their due during Joe Weiss' presentation.

And speaking of Joe, about one month later, on September 20-23, there's the ten year-running Industrial Control Systems Cyber Security Conference that will be held, as usual, in the DC area (conference web site not yet operative and venue currently TBA). It's a deep and focused drill down on an often overlooked but nevertheless crucial aspect of the overall Smart Grid security problem set. To get a feel for what it's going to be like, look no further than last year's agenda, here.

Utilities security professionals are always seeking clear and credible industry fodder to establish more compelling business cases for security investments. Surely the Pike report, as well as the conferences in August and September, are a good place to start.

Without Further Adieu: Smart Grid Security Data Security Deck

For those of you who are regular or occasional readers of the SGSB, you may have noticed our day-job commitments occasionally impede our aspirations for posting material in a snappier manner on the blog. Nevertheless, we have just made last month's Powerpoint deck available for viewing and downloading here.

Also want to let you know we'll be handling upcoming webcasts a little differently, with videos covering designated Smart Grid security subjects posted on or about the days in brackets below:

• IT System Security Challenges and the Smart Grid (June 30)
• An introduction to Smart Grid-related Standards and Regulations (July 28)
• Understanding the SoftGrid: Assuring security and privacy for your Customer Portal and other new applications (Aug 25)
• Approaches to securing AMI (Sep 29)
• Security and Privacy from the Customers' Point of View (Oct 27)
• Understanding and Empowering a Smart Grid CISO (Nov 24)
• Violable but Reliable : Preparing for the inevitable break down in Smart Grid security (Dec 29)
• All the places we have been: A 10th Session Recap of Smart Grid Security (Jan 26)

If you have questions you'd like to see addressed in any of these, particularly the June 30 presentation on IT Systems Security (initially addressed in a recent post here), please submit them ahead of time to our our email address. OK? Au revoir ... for today.

Securing Smart Grid IT Systems

We're halfway to the next Smart Grid Security show (# 3 on IT systems security on June 30) but have started doing some of the preparatory work. Essentially, what this session's going to focus on is the different IT systems (legacy and new) that need to be shored up. (Note: SCADA/control systems are purposefully excluded from this discussion as they are quite a bit different beasts, and we'll cover them in some depth in the not-too-distant future.)

You may ask, why the special emphasis now? Well, until recently and with no offense intended, utilities were an Internet backwater. They were (happily for them) way down on attackers' list of targets, partly because of their reputation as technology laggards, and partly because many of their systems were standalone, or nearly so. Folks we've met who've worked in utilities for decades, as well as those who've helped take care of their technology needs, attest that they've worked un-harassed in relative obscurity, until recently that is.

Emerging Center of the Universe

Now all eyes are on these guys: the press and analysts, Congress, the Department of Homeland Security (DHS), regulators NERC and FERC .... And two groups who more than any other are putting pressure on the utilities to perform, security-wise:

• The aforementioned attackers, who now like what they see a lot more as utilities bring new web apps on-line, begin to aggressively interconnect their systems, and enable two-way communications to/from some of their most important systems, like the head-ends that aggregate much of the incoming traffic from customer systems
• And of course, customers. Long dormant with only the absolute minimum interaction with their electricity providers, thanks largely to the press, customers are waking up and beginning to raise their voices demanding better service and control over fees

Which Systems Need (Better) Securing

In addition to what you can see in the Forrester slide, both the old and the new, there are numerous other types of systems, not the least of which (in importance) are "outage management systems". From our survey of utilities' IT managers and their service providers, we can place all into one of several categories:

• Classic Cobol/Mainframe - As everyone knows, mainframe apps have been around forever and are always just a year or two away from replacement. This will (almost) never change. Many, if not most were developed initially deployed pre-Internet era and therefore security was neither designed in nor bolted on. Formerly protected primarily by their isolation, these old workhorses are becoming increasingly connected as their data (e.g., customer, financial, accounting, etc.) become increasingly important to other systems in a Smart Grid world. What's our advice for securing these systems ... stay tuned
• Client/Server - Most often found in the form of packaged or "commercial off the shelf" (COTS) applications, these include a server component including logic and a database, and client-side software that sits on PCs. Typically manufactured by large, well known software vendors, these systems are most secure when configured properly, patched quickly, and kept up to date on the most current release. Note: these systems are as secure as their vendors have chosen to make them
• Web Apps - Here we find some of the utilities' efforts to establish better rapport with business and residential customers. Some are purely informational, but others use access controls to enable account management, bill payment and other self-help features. These are typically developed using a mix of COTS packages, custom code and free and open source software (FOSS), and security vulnerabilities can lurk in any of those three pieces, as well as from improper configuration. Note: these are as secure as the requirements stipulated they must be. If there were few/no requirements for security in the design docs, barring a major overhaul at some point, that's how much security you can expect to find in them.
• Web Services and Cloud - Code words connoting using remotely hosted application logic and data storage. We all use them today, and utilities, while sometimes slower to adopt new tech than others, are no exception. Examples include Geographic Information Systems (GIS), email, productivity apps, etc. These too, are as secure as their designers have chosen to make them, and in particular, users need to ask about how their data is protected, in transit and at rest

Parting Thoughts

In some ways, securing IT systems is the same job for utilities as it is for other sectors. It's been done before and is clearly not rocket science; yet doing it very well over time is a major undertaking for an organization, and requires solid commitment from the highest levels in an organization.as well as steady and adequate funding. It's not clear that as presently staffed and budget, most utilities can fully meet this challenge.

In other ways, of course, the ramifications of significant breaches are on quite a different plane altogether. As some of these systems will connect directly or indirectly to control systems that monitor and sometimes drive important physical power infrastructure, we should treat securing utility IT systems levels of gravity and rigor similar to FAA control tower applications or DOD command and control systems. The costs of failure in the energy sector are indeed often life threatening, not to mention economically and socially hazardous, and merit the community's absolute best efforts.

Chart courtesy of Forrester Research, 2009

More Smart Grid Security Fun: V2G Hacking and Cyber Car Jacking

Thanks to Forrester analyst Usman Sindhu for zeroing in on risks emerging from new sources on the Smart Grid edge. Namely, those related to our increasingly (wirelessly) wired automobiles. At the IBM Innovate conference Jack and I are attending this week, cars came into focus in a way I don't think they have before. You see, this is a conference devoted almost fully to the art and science of software, and cars are made out of steel, right?

Well, for time being, yes. But that's not the end of the story. Besides steel, the typical car of 2010 has over 200 million lines of code. And though ferrying payloads to low earth orbit and docking with the International Space Station are beyond most 2010 models' capabilities, this is far more software than it takes to run the space shuttles. With dozens of applications and interfaces, not only is each one a highly complex system in itself, but if you think about it, each is an intelligent node in a system of systems. Improvements are now rolling out with increasing frequency to safety, navigation and propulsion systems, among others.

Jack has recently developed an auto-fixation, and as he said in a presentation earlier today, the ability to monitor, diagnose, and repair many vehicular problems without expensive, inconvenient trips to the repair shop is a major win for car makers and customers alike. The way he described it, it was almost like techno-nirvana. Until, that is, he mentioned the likely frailty of the software upon which all of this great new functionality depends.

As recent recalls have demonstrated, the cost of loving what software enables is realizing what happens when it goes wrong, whether by accident or from malicious intent. For a drill down, recommend you see this from the Economist on Cars and software bugs, as well as the Discovery Channel's "This Car runs on Code". Karl Koscher et al from the University of Washington spell it out in plain English in their recent paper: "Experimental Analysis of a Modern Automobile":

While the automotive industry has always considered safety a critical engineering concern (indeed, much of this new software has been introduced specifically to increase safety, e.g., Anti-lock Brake Systems) it is not clear whether vehicle manufacturers have anticipated in their designs the possibility of an adversary. Indeed, it seems likely that this increasing degree of computerized control also brings with it a corresponding array of potential threats.

Threats from bad guys are one thing; threats from poor coding, configuration errors and other unintentional companions of complexity are likely a bigger challenge in the near term. Nevertheless, could an attacker work his/her way through less-than-secure automotive communications networks to put drivers in harm's way or adversely impact a utility? Sounds exotic, but when Vehicle-to-Grid (V2G) dreams start becoming reality, and electric cars draw their power from the grid while fulfilling important energy storage functions upon which we come to rely, this is one area we want to make sure doesn't get overlooked. In fact, just like in everything else, we'd recommend minimizing the drama and designing security in from the word go.

Photo Credit: So Fast it Hertz Blog

Hexad-dicted

Soon the edited and filtered version of the Smart Grid Security Blog Webcast #2 on data security will be available, and I encourage all of you who missed the live version to take a listen. (There are plenty of you who will be hearing this set of messages for the first time, as we did very little to publicize the schedule for this piece. We'll improve upon that for Webcast #3!)

Anyway, in the discussion of securing data for the Smart Grid, we are re-empathizing the two key points that we have made previously, and will continue to hit upon.

• A new and unprecedented volume of data is coming your way
  You can either plan for it, and figure out how to secure it before the deluge starts, or you can simply let it all come and hope that the sheer volume of it will bury the evidence of your obvious lack of security forethought.
• Your data is not all one flavor or type
  You need to break it up according to its security needs, its use in applications, and its likely combination with other types of data. Do this, and you may save untold hours and millions in efforts to partition it later, or to design a new series of systems that must first process the indigestible mass every time they need a new tidbit of data.

While preparing and presenting the data security webcast to offer some help in executing successfully given the facts above, I had been on a search for a set of externally developed and accepted security characteristics that were less vague (and therefore limiting) than the usual CIA triad. While Confidentiality, Integrity, and Availability are important, as concepts they are too indefinite and messy. If I copy an encrypted database of private information for later cracking, what fundamental premise has failed? The data is still confidential, it is still accurate, and the original copy is available for all to use. But I have still done something unsettling and bad. In order to present the security concerns accurately and succinctly to the new and largely untainted utility population, there needed to be a richer description that could be used with more accuracy, and more differentiation, as the new and highly varied data sources were contemplated for the Smart Grid. I arrived back at a six element formulation of security characteristics developed by renowned information security scion, Donn Parker, called eponymously, the "Parkerian Hexad".

In the Hexad, the venerable characteristics of Confidentiality, Integrity, and Availability are importantly augmented by the additions of Control, Authenticity, and Utility. Through the addition of these new descriptors, there is a natural clarity that arises around the description of security requirements for various data and service components.

I have translated more complete descriptions of the Hexad here, from the recent Webcast:

This is a start, for those of you with less time or feverish interest to go very far for a more in depth treatment. For folks who would like a very good introduction, with examples, from the fellow who coined the term "Parkerian Hexad", Michel Kabay, I really recommend this self-playing PowerPoint presentation from his work at Norwich University, from his overview page, it is here, and while it takes a couple of minutes to load, I think it is a great introduction for those of you just digging in. It also concludes with a description of what IA jobs mean in terms of responsibilities. I think this is also prime fodder for individuals just digging into roles as security leads within utilities, or those of you looking to hire roles like that.

Why learn these terms?
Unlike many industries that adopt new technologies and new business models incrementally, the utilities industry is jumping into the mix with both feet. There is little room to slow the pace of integration of new IT technologies in order to stop and compartmentalize the areas of investment based on security concerns or characteristics. The situation that has been created is one of rapid change and rapid growth.

By attempting to apply the security characteristics, and by answering the questions that inform the identification of issues, there are many interesting issues that will be brought to light. Smart meter location is just an address. Pair it with a user, and you have an identity or privacy problem. Similarly, in the case of outbound or control data, authenticity, integrity, and availability are all key.

Creating a checklist for all of the data involved in an application, and then having a discussion of how these useful and discrete characteristics apply, will lead to a much earlier, and much higher level conversation about why this kind of focus on Smart Grid Security is necessary.

Security (and other) Take-aways from GTM's Networked Grid 2010

I had the pleasure of attending and speaking at Greentech Media's annual Smart Grid conference in Palm Springs last week, and it was nothing less than a life affirming experience. One reason is because I finally got to see my first real wind farm and it was a doozy: thousands of turbines in one valley means you can drive at 70 mph for ten minutes and still find yourself surrounded by them. More on the San Gorgonio Pass Wind Farm can be found here.

But as with every good conference, it's the variety, depth of knowledge and generosity of the speakers and fellow participants that can make it a great experience. I had the privilege of moderating a strong panel on Smart Grid security topics that included:

• Saadat Malik, Cisco
• Rick Stephenson, Revere Security
• Tom Parker, Securicon
• Rilck Noel, Verizon Business

We began with this simultaneously humorous and cautionary anecdote from Smart Grid security guru, Massoud Amin of University of Minnesota, drawn from his most recent whitepaper:

Consider the following “sanitized” conversation showing the lack of awareness of inadvertent connection to the Internet for a power plant (200–250MW, gas-fired turbine, combined cycle, five years old, two operators, and typical multi-screen layout).

M.A.: Do you worry about cyber threats?

Operator: No, we are completely disconnected from the net.

M.A.: That’s great! This is a peaking unit, how do you know how much power to make?

Operator: The office receives an order from the ISO, then sends it over to us. We get the message here on this screen.

M.A.: Is that message coming in over the Internet?

Operator: Yes, we can see all the ISO to company traffic. Oh, that’s not good, is it?

The panelists then addressed a wide range of questions, some from me, and then some better ones from the attendees. The main message the panelists conveyed was that while the press loves to spread fears that Smart Grid vulnerabilities will create chaos, information on what's being done to secure the system in the trenches is the most effective counterbalance. These guys were good.

For me, though, the takeaways from this conference were several and often not directly related to security concerns. Here's three for you:

• In a Home Area Network (HAN) panel, after lots of discussion on new functionality for homeowners and their utilities and service providers, a man stood up, and, addressing CEOs from HAN start-ups, spoke with authority: "I see your focus is on new Smart Grid functionality and capabilities. But remember: reliability trumps everything. Don't forget it." He's right of course, and it was a sobering moment
• It was clear there was quite a bit of buzz about what microgrids might do to the industry, particularly from a business model point of view. Seemed to me that most of the utility pro's there might want to urge their orgs to get out in front of this movement before it goes around them
• Lastly ... Holy crap this Smart Grid thing is complicated and complex - so many moving parts - so much we don't know yet about its ultimate shape, size and function. Good luck to all of us !!!

Photo credit: Wikimedia Commons

The First Webcast is Up!

Ok, so it isn't as polished as Sixty Minutes, but think of it as Smart Grid Security cinema verite'.

Anyway, after much effort, a version of the recent webcast, "An Introduction to Smart Grid Security" is now available. We recommend you watch it in youtube HD (720p). It runs about 15 minutes in total, and and you can watch Part One here:

And you can watch Part Two here:


Because the slides look blurry in lower resolution video, and because you may want to use them yourselves at some point, we are making them available to you in their original form, here:

SGSB Webcast 1 Deck

While it is far from perfect, we finally decided just to get it out there because we wanted to get this one published without further delay. As this is our very first webcast for the blog, we are interested in your comments so that we can make the next one better, and more useful for you, our readers. Please hit the "What do you think?" feedback button, and let us know what you -do- think.

Thanks to all those who attended, and who asked questions during the session. We look forward to the next one, on May 26th, on "The Smart Grid and Data Security". See you (or you'll see us, I guess) then.