Tuesday, December 29, 2009

Security Standards Trump all others in Smart Grid Survey

So a bunch of utilities professionals were just polled by a research firm which asked them, of all the different types of Smart Grid-related standards that are being developed/decided right now, which are the most important?

Boy, this is going to make me sound like a total dork, but the results channeled through Jesse Berst's SmartGridNews.com site revealed that Security Wins! Here's a link to the outfit that did the work.

As we stated in a previous post called the Smart Grid Security Confidence Game, the large-scale Smart Grid build-out that waits just beyond the lessons learned in the SGIG pilots isn't going to happen if the utilities, the regulators and the users don't trust the security controls.

All we can say to the good folks at NIST and the multitudinous other orgs charged with arriving at comprehensive security standards for the Smart Grid is: hope you got some rest this week - we need you back on the job stat in 2010.

And FYI: based on emails and other traffic on the cyber security work group community site, they're not actually resting this week either.

Tuesday, December 22, 2009

Calling the Next Generation of US Energy Rock Stars

Some folks are suspicious of anything the government tries to do beyond defending our borders and protecting national interests abroad. Others believe that government can do much more. I'm kind of in between, generally valuing a small footprint Federal government, but every once in a while applauding innovation in government when it shows up.

Such is the case with a new DOE organization, the Advanced Research Projects Agency-Energy (ARPA-E), which came to life just this year and has been given a $400 million boost to get itself and its first bunch of projects off the ground. ARPA-E is not about incremental improvements in energy science; no, it focuses exclusively on high-risk, bet-the-farm, swing-for-the-fences, change-the-world energy technologies.



A couple of weeks ago I had the privilege of being in the first row when new ARPA-E director, Dr. Arun Majumdar, introduced the ARPA-E Fellows Program to a capacity audience at MIT. Saying the goal of his org is to boost US competitiveness in Energy Tech (ET) by helping to find and nurture the "next generation of Energy Rock Stars", Majumdar noted his own existence was thanks to the pioneering artificial fertilizer breakthroughs of American scientist Norman Borlaug. He went on to show how many energy technologies first discovered in the US, like photovoltaic solar and lithium-ion storage, now have little-to-no market leadership or manufacturing presence in the country. This trend he plainly aims to turn around.

One thing you can say for sure: whether ARPA-E advances technologies that benefit the grid directly or finds ways to greatly increase the capabilities of renewable power generation or storage, it all grows the Smart Grid one way or another. By the way, Majumdar came across as warm, brilliant, determined and 100% sincere. I for one am rooting big time for him and his world changers.

Photo Credit: Lawrence Berkeley National Lab

Wednesday, December 16, 2009

More than Taters Found in Idaho

Finding detailed, organized, and educational material that relates traditional IT and cyber security to the challenges of SCADA and the Grid can be a very time-consuming activity. There are multiple higher-level documents, and/or very detailed documents (here, here, and here, as examples), that help to describe the expanding threat surface that IT enablement and pervasive internetworking will bring, but finding meaningful and relatively detailed information on the topic can be daunting.

For my own bootcamp/bootstrap education, I have been consuming first "Securing SCADA Systems", by Krutz, and then "Cybersecurity for SCADA Systems", by Shaw. But these are probably more dense than is necessary for those who are looking for a more readily consumable description of challenges and recommendations. In trying to find that level of content for you, our valued readers, I stumbled upon course material from some extremely helpful folk at Idaho National Labs. Don't let the nuclear tone and front page announcement of graphite testing fool you: there is a four hour course and an eight hour course here, and they have a raft of good content inside.

One of the slides was especially excellent, and I present it here by way of both introduction to our newer readers, and as validation for those who have, with us, been working to highlight and hopefully increase the level of IT/Cyber security discussions that are surrounding the Smart Grid. Here it is:

It is hard for anyone to deny that the worlds of modern internetworked information technology and of the existing SCADA-driven grid are merging. That said, this diagram, while using information derived in 2007, shows the manifest disconnect in security practices and priorities between the two communities as they operate today. This data is directly in support of much of what we are seeing, and clearly reinforces some recent feedback we have gotten. In moderating a panel at last week's IQPC SCADA and Control System Security Summit, Andy and I got a question relating to the new burdens that the Smart Grid was placing on the existing grid for things such as Antivirus/Anti-malware software, Intrusion Detection/Protection, and more. It became clear that these arguably baseline technologies were not yet deployed broadly within the utility community, and that the introduction of the Smart Grid was causing people to finally start to view them as important, if not required. This was not to say that they wanted it, or that they felt comfortable that they could accommodate the additional load on their systems, but the perceived connectivity of the Smart Grid is causing them to consider this, for the first time, as a priority.

Coming from an IT perspective, this was surprising. According to members of the audience, the Windows XP Service Pack 2 BIOS security change that occurred years ago had disrupted multiple SCADA systems, as have more recent instances of corruption and malware, as reported in the media. Considering that, it is almost unthinkable that basic security technologies have not been deployed, even if only in response to the unacceptable vulnerability conditions. Unthinkable or not, we need to start thinking hard about it, because clearly it is happening.

Some of the reasons for this lack of progress are well-known. The overtaxed nature of both the systems and the individuals charged with their operation, the proprietary nature of some of this infrastructure, and the cost-averse nature of many utility commissions all conspire to produce a preference for the pretense that these are isolated, and therefore inviolable, networks.

This slide points out, with vivid clarity drawn from analysis of these control systems, how far there is to go, and how different the drivers and fears of the organizations are from those who typically and aggressively pursue security at a proactive or holistic level.

We are just now beginning to recognize and recommend the need for a balanced approach to IT and Cyber security in the new and existing Grids. The work done at INL is extremely helpful in creating a bridge between the existing and incoming Grid and Smart Grid communities, and I recommend that you take the time to examine it with the aim of expanding the group that can speak in, and be concerned with, the colliding challenges of internetworked computing, security, expertise, stability, and staffing.

Tasty Tater Image Courtesy of: http://www.flickr.com/photos/samiksha/ / CC BY 2.0

Sunday, December 13, 2009

Who Is and Is Not Making Smart Grid Standards

One organization at the center of Smart Grid standards formulation wants to be clear about one thing you may find less than intuitive. You should be aware that the National Institute of Standards and Technology, better known as NIST, is not making the standards for the Smart Grid.

That NIST is involved there is no doubt. See this from the Energy Independence and Security Act of 2007: NIST has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems…". In point of fact, NIST's role in the process is to be the honest broker between warring tribes of standards bodies, lobbyists and advocates of all stripes. As the above slide makes plain, each home is a bloody standards battleground. This is not easy work for NIST, or any of the innumerable stakeholders.

But to repeat: NIST is not making the standards. It's an open process and that's a job for all of us. Just so you know.

Slide Credit: "Repowering the Nation: Setting Standards for the Smart Grid" presented at MIT on Nov 21, 2009 by George Arnold, NIST National Coordinator for Smart Grid Interoperability Standards. Full presentation is here.

Monday, December 7, 2009

The Smart Grid Security Confidence Game

You may not know Ira Winkler from a hole in the wall. Or know the difference between Ira Winkler and Henry Winkler ... heyyy !!! But you should know this: Winkler, a well-known and generally well-respected IT security pundit, recently published an opinion piece in Computerworld called "The hackability of the smart grid". In it, he lists six types of trouble he claims hackers will likely be able to cause to the future "Smart Grid":
  • Cutting electricity to homes and businesses
  • Overburdening the grid
  • Causing brown-outs
  • Having smart-grid devices attack the grid itself
  • Getting free service
  • Undermining confidence
To be sure, while all of the above are plausible and serious, it's the last one, related to confidence, which could ultimately have the biggest impact on Smart Grid operators and other stakeholders.

It seems to me like there's a vacuum out there where only pundits dwell. Wouldn't it be excellent if some of the utilities could be more forward leaning and get out in front of this issue?!? Messages on the thorough measures they're taking to protect the grid and their customers might help. But so far they're not saying much, and until they do, folks like Winkler are the ones exhibiting their confident predictions that rough days are in store for the young Smart Grid and that the utilities are playing marketing defense, not working to shore up their security and privacy weak spots with vigor.

Says Winkler:
"The power companies don't like it when people say things like this, as they showed by attacking me after my previous exposé of power-grid vulnerabilities. So far, though, every claim I made has been proved correct by documented attacks or government reports. Sadly, I know that I will be proved right once again."

I hope he's wrong, but you know what they say about hope. Hope is not a strategy ... for protecting the Smart Grid. Let's hear it, utilities execs ... we know you're busy working these issues, but please take a minute to tell the public what you are doing to prove Winkler wrong (Ira, not Henry).

Photo Credit: Igor Bespamyatnov @ Flickr