Friday, May 29, 2009

Smart Grid Knowledge Boost: New EPRI Conference Announced

Come to New York City in late June for EPRI's Power Quality Applications (PQA) and Advanced Distribution Automation (ADA) 2009 Joint Conference and Exhibition. Lots of focus on new applications and some on smart grid security as well. You'll find a nice overview here and EPRI's own listing here.

Thursday, May 28, 2009

Facilities Managers Joining Smart Grid Bandwagon

... and noting security/reliability benefits:
Enhanced security is another benefit. By implementing a grid that can sense what is happening within it, system operators will know when someone is trying to tamper with it. The electrical grid is a critical infrastructure, and an attack on it could be devastating. Recent reports state that spies have been mapping the U.S. utility infrastructure and hacking into its computers, planting software that could be used to disrupt it.
Another recent incident that points to the vulnerability of critical infrastructures is the cutting of lines in California that disabled phones and the Internet. It is impossible to police millions of miles of electrical cables, so intelligent systems will be vital in monitoring and securing this critical infrastructure.
Full article here.

Tuesday, May 26, 2009

Smart Grid Communications: It's about More than Wires ...

... it's about wireless, including how today there's not nearly enough wireless coverage to go around:
Coverage is indeed one of the challenges as some utilities have up to 50% of their service area not covered by their existing networks. Utilities often operate in a mix of dense urban to extreme rural areas and need the flexibility of operating in both.
2-way comms and robust security will likely require far more bandwidth than this offering can provide, but it's a start towards a solution we didn't even know we needed a few years ago. See more: here.

Friday, May 22, 2009

DOE and Providers Talk Smart Grid Stimulus Tactics

You can't say interesting things aren't going on in smartgridland. More and larger pilot deployments are happening, standards are evolving, industry groups are jockeying for position. And there's little doubt security considerations will get lost in the shuffle. This Ars Technica article does a nice job of laying out the competing interests and players in the smart grid stimulus scrum.

Tuesday, May 19, 2009

Smart Grid Security in DC Update

This week's been a busy one for those of us at the SGS Blog and it's not over yet:
  1. Covered the CNA "Powering America's Defense: Energy and the Risks to National Security" report release event at the Newseum Monday morning - it was great and the "smart grid as energy security" theme was prominent
  2. Attended the FERC/NIST/EPRI interim standards development workshop in National Harbor, MD today. Extremely well organized by EPRI's Erfan Ibrahim - it could have been herding cats, but instead it was a case study in how to get the most value out of 600 or so diverse but very talented participants
  3. Tomorrow my colleague Jack and I are off to brief Senate staffers on the current state of smart grid security, as well as hear them out on what they need next
Will keep you posted on the fruits of all of the above.


Insider Threat Lesson for Smart Grid from Water

Too generous with privilege levels? Social engineering? $9 million of the California Water Service's money and their auditor recently fled the US.

Hat tip to Annabelle Lee of NIST, who mailed this to the smart grid cyber security working group. Read all about it here.

Sunday, May 17, 2009

Friday, May 15, 2009

Cisco on Mobile Internet & Smart Grid

Seems like the wireless providers smell a gold rush.  Nice post on this topic yesterday from a Cisco blogger. Now imagine what this means for security ...

Thursday, May 14, 2009

Palo Alto Looks Before it Leaps ... into Smart Grid

While other towns install first and ask questions later, EPRI's Don Von Dollen advises Palo Alto to think, plan, then act:
Wait for the activity at the state and federal levels to settle down. Wait for the dust to settle. Wait and see what vendor products still are around before you start making any decisions too quickly.
Does this sound crazy? I don't think so. Palo Alto is following Von Dollen's advice. Here's the full story.

Wednesday, May 13, 2009

New Senate Bill S. 946 for Improved Grid Security

More and more the grid, smart or otherwise, begins to resemble a giant information system, replete with millions if not billions of nodes and a humongous network permeating almost all of North America. Or if you forget the computational and control system aspect for a second, as Senator Lieberman's bill introduces it:
The critical electric infrastructure of the United States and Canada has more than $1,000,000,000,000 in asset value, more than 200,000 miles of transmission lines, and more than 800,000 megawatts of generating capability, serving over 300,000,000 people;
There sure are a lot of decimal places to keep track of in all of this. Maybe computers will help with that. Big question is: do you want the smart grid to be more like a Mac, or more like a PC?

Tuesday, May 12, 2009

Highly Consumable Smart Grid & Renewable Energy Info via Podcast

RenewableEnergyWorld has just produced four smart grid podcasts for your edification, accessible in a short article that begins with this nice imagery:
If demand on today's electrical grid looks like a rough landscape of high peaks and low valleys, demand on tomorrow's "smart grid" will look more like a series of rolling hills.
Check 'em out.

Monday, May 11, 2009

Grid Security is Mainframe Security Redux

As in, it's secure because no one can get to it except Boy Scouts:
Up until about a decade ago, things were a lot simpler. The industrial control systems that manage the generation and flow of power were pretty much protected from intrusion by their closed-loop architecture. These control systems existed and operated in isolation from everything else. But increasingly, these systems have been linked to countless corporate networks for everything from real-time monitoring of electricity generation and transmission to remote meter reading and automated grid operations.
Then along comes the Internet and Web front ends slapped on legacy apps, and all the riff raff come pouring in. Sounds to me like the analogy - while imperfect - mainly fits. Security expert Sami Saydjari sums it up nicely:
the rush to improve convenience and efficiency by tying together administrative systems and billing systems over the Internet has created gateways to the power grid control systems.
For more, see the full article in ComputerWorld.

Sunday, May 10, 2009

Cars 'n Grids

This is good stuff from the founder of Zipcar:
Robin Chase considers the future of electricity, the future of cars and the internet three terms in a single equation, even if most of us don’t yet realize they’re on the same chalkboard. Solve the equation correctly, she says, and we create a greener future where innovation thrives. Get it wrong, and our grandchildren will curse our names.
and also this:
Chase talks about how cars fit into the equation. She sees automobiles as just another network device, one that, like the smart grid, should be open and net-based. “Cars are network nodes,” she says. “They have GPS and Bluetooth and toll-booth transponders, and we’re all on our cell phones and lots of cars have OnStar support services.” That’s five networks.
Hold on to your hats. A new rolling mash-up (hopefully not smash-up) is forming.

Saturday, May 9, 2009

Security Comments for FERC Policy Draft

As part of a profound effort to "get it right the first time," contributors from across the cyber security and power industries are sharing their recommendations with FERC.  Here's an excerpt from the submission by Jack Danahy, serial security technology patent holder and founder of multiple cyber security companies:

Comment 2: Docket No. PL09-4-000, Page 11, Subsection 14

In the section described as “Cybersecurity and Reliability”, the reference is made back to the EISA and FPA standards, both of which focus attention on disruption as a defining feature of a cybersecurity incident. From the FPA Section 215:

The term `cybersecurity incident' means a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system.
We know from commercial experience and from recent disclosures regarding incursions into the existing Grid that cybersecurity incidents are often not immediately disruptive. Data theft can provide deep intelligence into Grid logistics and operation, and passive malicious code is frequently left behind for use later as either a hidden inroad or a data egress mechanism. The proposal should be more specific in its own language, and should characterize any unauthorized access to, or modification of, a critical system as a “cybersecurity incident”. Failed attempts in this regard should also be identified, as they can often provide a predictive pattern of behavior in the event of a future incursion. Power disruption may well be the ultimate goal of some of these attacks, but the less obvious damage caused by information leakage and system compromise lays the groundwork for either a more damaging, or more widespread, event in the future.

Thursday, May 7, 2009

A Suitable Smart Grid Security Standards Dev Process

To all colleagues working on the formulation of effective security policy for the emerging smart grid, here's something from Jack Danahy I think you'll really like ...
JD: For those of you who are security devotees and are looking for a new place to offer some value, and for those of you who are dedicated to the Smart Grid and are worried about security, I'd like to draw your attention to the draft Federal Energy Regulatory Commission's (FERC) Smart Grid Policy Paper issued in March, and closing on comments this coming Monday, May 11th. Admittedly it might be a bit close to the wire for those of you looking to add your own views to the process, but as this is really only a draft, I figured that both communities would do well to be aware of what is coming in this potential policy so that you will be better prepared to think and act on it.
Click through for the full article: Foreseeing Federal Policy for Smart Grid Security

Tuesday, May 5, 2009

IEEE Joining the Smart Grid Standards Fray

News on IEEE & DOE/NREL plus a short round-up of other smart grid standards work and legislative activities here.

A Wave of Smart Grid Security Solutions is Building

You can expect more and more of these announcements in coming months as the press coverage amps up awareness (and concern) about smart meter and smart grid vulnerabilities, and security solutions providers (pick your metaphor) smell blood in the water and start jockeying for position. Here's how Industrial Defender and InGuardians phrased it in yesterday's press release:
The combination of Industrial Defender's industrial control and SCADA expertise, coupled with the AMI cyber security assessment capabilities of the InGuardians team, is a key building block of the Smart Grid initiative and will ultimately provide industry leadership and expertise toward its protection.

Monday, May 4, 2009

Here We Go Again

Within an otherwise fine tech intro article on SmartSynch's Universal Communications Model (UCM), comes the type of observation I wish were just fear mongering hyperbole:
Smart grid systems are currently riddled with security holes, but that hasn't stopped utilities from rapidly rolling out smart meters.
You think there's any research to back up this assertion? Or is it likely true 'cause that's the way we always build: capability first, security last ... if at all.

Friday, May 1, 2009

Smart Grid for Internet Types

For those joining the smart grid security fray from the IT / internet side of the house, here's a great piece from Capgemini's Balaji Natarajan. Many good points, including something you're going to hear repeated on the SGS blog: security must come first ... Before wide scale integration efforts, development of new equipment and apps ... and before roll out and power-up.

Here's Natarajan:
Smart grid security needs to be thoroughly investigated to enable a multi-tiered security model for the grid. Once this is done, startups should be encouraged to build innovative tools that adhere to these standards. It’s important to note that the smart grid’s cyber-security layer may need to be more regulated (by federal policies) than the Internet’s has been, given the potential direct impact on national security systems.