Thursday, July 30, 2009

Baby Smart Grid Versus "Grown Up" Hackers

When the Internet was born, hackers were in their infancy, and the two grew up together. On the eve of the Smart Grid's arrival, the bad guys have gone from boys to men.

According to Wired Magazine, these aren't your father's hackers.  Now it's a full blown career: today's hackers perfect their craft and do their work to earn their daily bread. And when they focus like this, with ridiculously robust monetary and technical resources at their disposal, they get better and better at breaking through even the most well implemented defenses.

To wit::
Particularly disturbing to security experts is the speed with which the bad guys are jumping on newly disclosed vulnerabilities. "Even one year ago, a lot of these web exploit toolkits were using vulnerabilities that had been discovered one or two years prior," says Holly Stewart, Threat Response Manager at IBM's X-Force. "They were really, really old.... That has really changed, especially this year. We're seeing more and more current exploits go into these toolkits. And we're seeing exploits come out that are even just a couple days after the vulnerability announcement."
Consider this as utilities and other orgs prepare to play in the Smart Grid world, basically moving from near-zero to 1,000 MPH in cyber security intensity. One thing's for sure: it's going to be quite a ride.

No (Smart Grid) Security, No Peanut

Earth2Tech touches on Smart Grid security again, this time on DOE using what should prove to be an effective lever:
As Patricia Hoffman, the acting assistant secretary for the Department of Energy’s Office of Electricity Delivery and Energy Reliability said in a testimonial last week, the DOE may refuse to hand out smart grid stimulus funds to an otherwise promising project if that applicant can’t prove that the project has addressed cyber security concerns. Well, we should hope so — if we learned anything from the buildout of the Internet it’s that networks that have sophisticated connections will have increasingly sophisticated hackers.
But is DOE expert on cyber and other security issues? How will it know which projects to green light and which ones to deny? These questions are on the author's mind as she concludes:
We just hope the DOE is able to accurately assess the projects when it comes to security.
Same here. But since Smart Grid security standards are still being hashed out by NIST and others, it's hard to imagine what DOE will use as a baseline re: security goodness.

Sunday, July 26, 2009

More on "Hacking the Smart Grid" and Customer Data

This from a recent Policy Management piece in SC Magazine:
[I]n their rush to squeeze efficiencies from power, water and gas grids, utilities, energy regulators, governments and technology providers forgot the consumer. To benefit from the confluence of technological advances in smart meters that are operated remotely, internet communications and smart appliances that will digitise our grids, we must first lay secure foundations for privacy of customer activity and security of the networks from attack.
I like this. You build a business right when you think about the needs of the customer first. A great deal of current Smart Grid propaganda is about the needs of everyone but its ultimate end-users.

Here's the rest.

Friday, July 17, 2009

Rocky Mountain High

I'm going off the grid to recharge the batts for a week next week, so the Smart Grid Security Blog won't have any new posts till late July. In the meantime, if you like power or pasta, eggplant or energy, don't forget the 2009 GovEnergy Conference coming up in Providence, RI, 9-12 August. (Previous post on this conference explains the Italian food fixation.)

In case you're curious, the Aspen Ranger Station guide to where I'll be hiking is here.

Photo: Julie Penner

Thursday, July 16, 2009

Danahy's Smart Grid Security Wake-up Call

The Discovery Channel's Tech site is featuring an article by Jack that includes this alarm:
Now is the time to ensure that the smart grid is secure. Billions of dollars are being set aside to build out the infrastructure and security should be a primary component. Just imagine an Internet without passwords, virus scanners, firewalls, encryption or antispyware. That's the kind of national power system we face if we don't starting thinking about to how protect the new grid against attack. Security must become as central to the goals of the smart grid as cost-savings, energy independence and environmental protection.
That's what we call the grid, albeit on more isolated nets ... and largely what's being deployed today in pilots across the country while early standards are being hammered out.

Danahy calls for three things fast: 1) Defining mandates, 2) Creating pre-purchase standards, and 3) Robust management resilient enough to deal with successful breaches.

Read the whole thing here.

Tuesday, July 14, 2009

Smart Grid Security on Marketplace

Breathless enthusiasm for the Smart Grid build-out meets the voice of reason, coming in this instance from CSIS's James Lewis:
We want to build a secure smart grid but we also want to build it in a hurry and you can't have both.
From a recent public radio interview here.

Darknet Hackers Grok Smart Grid "Opportunities" for Badness

Darknet is where the cyber good guys explore the dark side, with an eye on rooting out risk and shoring up defenses. This post makes it clear that one of the first thoughts an ethical hacker thinks when they imagine the power grid becoming a giant computer network, is: "[this] is a hackers playground!"

Also this:
The scary part is there’s no encryption and many things are done without authentication, meaning with a little reverse engineering you can probably shut down the power to anyone on the not-so-smart grid.

Discover(y) the Smart Grid

If you don't feel you've mastered all Smart Grid fundamentals yet, the Discovery Channel always makes learning a very engaging and entertaining experience.  This week they're focusing on the Smart Grid, so check it out here if you want to get even smarter than you are now.

Monday, July 13, 2009

Security Thoughts on Microgrid Nation

It was pointed out that the recent SGS Blog post on microgrids as a potentially faster/cheaper/better way to get to a modernized, more efficient power system left out one key detail: security ramifications. Well, two come immediately to mind:
  1. If all communities (define as you will) are on separate power network islands, a problem on any one of them will have a lesser chance of impacting the larger system of systems. And that's a good thing
  2. Less good might come of reliance on the same application or infrastructure software across communities. Today, one of the things that gives Apple and Linux users a little more breathing room against viruses and common attacks is the fact that they are not Windows systems replete with a who's who list of easy attack vectors. This is security through diversity. While cost efficiency and systems integration drivers would impel us towards standard apps and systems, we might do well to remember the benefits of technology diversity 

Sunday, July 12, 2009

The Easiest Smart Grid Security Question to Answer

In a recent CSO magazine blog post titled "Hacking Power: Feds Promise Smart Grid Security" the author ponders:
... it remains to be seen if the new [NIST and FERC] specifications will be secure enough to stop the bad guys.
I don't want to be rude and mean no offense to the writer of an otherwise reasonable article. Yet though I hold no security patents, nor have ever written more than a few lines of Pascal in college, I nevertheless have plenty of experience to say with certainty:
Nothing remains to be seen. Specifications do not stop determined bad actors, on the Smart Grid or elsewhere.
Yet even more to the point: the question posed is not a useful line of inquiry. A more immediately practical exercise would be built around this idea: Despite the best efforts of standards bodies and technology providers, some, if not many, adversaries will successfully breach different lines of defense built into and around Smart Grid systems. Two questions worth asking, then, are:
  1. How will the Smart Grid react? and,
  2. What kind of experience do we want these attackers to have?
I bet you know the answers already, but mine would likely include the following key words: for 1) "resiliency", "redundancy" ... and for 2) highly "constrained".

Saturday, July 11, 2009

Microgrid Nation

Have you ever read an opinion piece and been won over by the time you finished the second paragraph? Anya Kamenetz's recent Fast Company article, "Why the Microgrid Could Be the Answer to Our Energy Crisis" certainly had that effect on me, by making the intractable tractable. Along the way, it bursts the "energy superhighway" balloons of cleantech celebs Al Gore and Nevada Senator Harry Reid, and touts IBM and GE as large co's that get the microgrid vision.

See for yourself here, and when you're sufficienctly foaming at the mouth and ready to make it happen, here's Kamenetz's DIY micrgrid how-to manual for homeowners.

Thursday, July 9, 2009

Danahy on Smart Grid Security in Government Computer News

As power controls take on characteristics more akin to cyber systems, the numbers and types of threats go through the roof. This article in GCN makes the case that FERC's current Critical Infrastructure Protection (CIP) standards and audit practices may be ill-suited to ensure protection of an increasingly Internet-like power grid.

Here's Jack's 2 cents in context:
But some security experts say the standards do not go far enough. The technology of the electric grid was designed with the expectation that it would be a private network rather than an interconnected IP-addressable system, and the security standards focus largely on reliability rather than network integrity.
“I don’t think in today’s world that is even close to being adequate security,” said Jack Danahy, chief technology officer of Ounce Labs. “There has to be a more expansive understanding of what security means.”
The cyber security of the power system is taking on more urgency with development of a new interactive smart grid and recent reports that hackers have compromised the current grid.

Wednesday, July 8, 2009

Funniest Smart Grid Article So Far

A outburst like this (on the present state of the home area network (HAN) portion of the Smart Grid) can only come from Jesse Burst, of course:
There are only two things wrong with today's in-home displays for energy management: (1) they suck for utilities and (2) they suck for consumers.
Among the encyclopedic list of HAN vendors shortcomings is a failure to appreciate homeowners' security concerns, as in:
When they talk to utilities, most HAN vendors reveal their lack of understanding of the utility charter and mindset. They chatter about entrepreneurial opportunity, or pioneering new markets, or liberating consumer data. They fail to discuss maintaining reliability, or justifying technology to regulators, or safeguarding privacy and security.
For full article click here.

Tuesday, July 7, 2009

Austin's Amazing, Ambitious Pecan Street Project

In addition to its well deserved reputation as a mecca for technology and live music, Austin is a Smart Grid development hot bed, not doubt about it. Code named (non threateningly enough) after a street named after a nut, the Pecan Street Project is going to be fun to watch. It begins in a city that's already miles ahead of the competition, with intelligent meters deployed in large numbers since 2003. In case you're wondering, that's long before the term Smart Grid ever rolled off anyone's lips.

It's all captured simply in the project's four stated initiatives:
  1. Austin will develop a clean energy public/private research and development consortium. Its mission will be to research and develop clean energy technologies and distributed generation systems on Austin’s grid.
  2. The consortium will create an economically sustainable distributed generation system. Unlike any other “smart grid” project in America, the Pecan Street Project intends to develop a new distributed generation system that integrates clean energy into an economically sustainable business model. The Pecan Street Project will provide the consortium with access to Austin’s grid to test and develop this new system.
  3. Austin Energy will open its grid to entrepreneurs and researchers to test prototype technologies in the real world. We aren’t just going to build a lab – the City of Austin will be the lab.
  4. We will implement this model locally and system-wide. Once the consortium creates the new distributed generation system, Austin will show the world how it works. We will do that by using this system to develop the locally produced clean energy equivalent of a new power plant.
Can you imagine what would happen if this was going on in YOUR town? What are the security implications of going this far this fast? If it doesn't work out well can the project be unwound without too much pain and suffering? You can read more about it on the official PSP web site here, and check out IBM's take on it here.

Photo: Wikimedia Commons

Smart Grid Security at Black Hat

For those not familiar with Black Hat, it's mecca (in Vegas) for many on both sides of the cyber wars. This year the Smart Grid will be there too, with folks from security services firm IOActive describing their work uncovering vulnerabilities in some of the hardware and software used to build Smart Grid pilots.

From IOActive's EnergyPulse site, here's a piece of secure programming 101, adapted accordingly:
The challenge to building a secure smart grid power infrastructure is to quickly enact methods that support both asset owners and smart grid vendors. Typical of most emerging industries and first-to-market initiatives, the smart grid AMI community lacks a formal Secure Development Lifecycle (SDL) to guide and govern the release of sound quality technology and products.
Government Computer News has the conference heads-up here. And here's the Black Hat site itself, with everything you need to know about how to get the most out of the conference which runs 25-30 July.

Wednesday, July 1, 2009

Smart Grid Security and Some Timely Truths Re: Industrial Control Systems

Industrial Control System (ICS) expert Joe Weiss of Applied Control Solutions presented on the Cyber Security implications of control systems at a recent Air Force Cyber Security symposium. This is new ground for CIOs and cyber professionals reared on IT systems and networking and these findings are important on their own.

However, in the context of the emerging Smart Grid, they are a timely and necessary wake up call. Two categories speak clearly to visitors from the IT world: which haracteristics of typical ICS deployments differentiate them from IT, and some popular security misconceptions or myths many harbor about them:

General ICS Characteristics
  • Management – Generally CIO not responsible
  • Administration – Generally not centralized
  • Patches – Generally not frequently applied (no patch Tuesday)
  • Threats – Unintentional is very important
  • Obsolescence – ICS replaced after 15-20 years
  • Remote access – Often necessary
  • Certifications – Not available yet
  • Educations/training – Needs to be for ICS
ICS Security Myths
  • Using Windows and TCP/IP “make it IT
  • External malicious threats are always the biggest concerns
  • Firewalls make you secure
  • VPN / encryption use makes you secure
  • IDS will always catch control system attacks
  • Higher-to-lower security zone connections are always more secure
  • Field devices can’t be hacked
  • You are secure if hackers can’t get in
It's worth your while to see Weiss' full presentation if control systems are new territory for you ... and the odds are, they are.