Tuesday, June 29, 2010

2 Smart Grid Security Conferences and another Pike Report Signal Robust Interest in Smart Grid Security

Colorado-based Pike Research has said it again: Smart Grid security is (and will continue to be) very big business. How big you ask?  CNET's cites Pike's just released report saying that in the next five years "about 15 percent of all smart grid investments will be spent on cybersecurity. This will represent a total global investment of $21 billion." Those are substantial numbers by any standard, and dwarf the recent US Federal stimulus infusion of $3.4 billion also known as the Smart Grid Investment Grant (SGIG) program.

Now, in case you haven't noticed, there are about a million multi-day Smart Grid conferences going on around the globe at any one point in time. But there aren't as many, or actually hardly any, that focus on the security aspects of this grand enterprise.

It was probably just a coincidence, but last week's market size announcement by Pike certainly sets the stage for two important, and very different conferences on this topic.

First, there's the first Smart Grid Cyber Security Summit. It's being held on Aug 10 -11 in San Jose. A great speaker line-up so far, including many folks we've had the pleasure of talking - and sometimes working - with. Looks like AMI, HAN and Smart Meter systems are going to get a fair bit of coverage, though control systems will get their due during Joe Weiss' presentation.

And speaking of Joe, about one month later, on September 20-23, there's the ten year-running Industrial Control Systems Cyber Security Conference that will be held, as usual, in the DC area (conference web site not yet operative and venue currently TBA). It's a deep and focused drill down on an often overlooked but nevertheless crucial aspect of the overall Smart Grid security problem set. To get a feel for what it's going to be like, look no further than last year's agenda, here.

Utilities security professionals are always seeking clear and credible industry fodder to establish more compelling business cases for security investments. Surely the Pike report, as well as the conferences in August and September, are a good place to start.

Sunday, June 20, 2010

Without Further Adieu: Smart Grid Security Data Security Deck

For those of you who are regular or occasional readers of the SGSB, you may have noticed our day-job commitments occasionally impede our aspirations for posting material in a snappier manner on the blog. Nevertheless, we have just made last month's Powerpoint deck available for viewing and downloading here.

Also want to let you know we'll be handling upcoming webcasts a little differently, with videos covering designated Smart Grid security subjects posted on or about the days in brackets below:

  • IT System Security Challenges and the Smart Grid (June 30)
  • An introduction to Smart Grid-related Standards and Regulations (July 28)
  • Understanding the SoftGrid: Assuring security and privacy for your Customer Portal and other new applications (Aug 25)
  • Approaches to securing AMI (Sep 29)
  • Security and Privacy from the Customers' Point of View (Oct 27)
  • Understanding and Empowering a Smart Grid CISO (Nov 24)
  • Violable but Reliable : Preparing for the inevitable break down in Smart Grid security (Dec 29)
  • All the places we have been: A 10th Session Recap of Smart Grid Security (Jan 26)
If you have questions you'd like to see addressed in any of these, particularly the June 30 presentation on IT Systems Security (initially addressed in a recent post here), please submit them ahead of time to our our email address. OK? Au revoir ... for today.

Tuesday, June 15, 2010

Securing Smart Grid IT Systems

We're halfway to the next Smart Grid Security show (# 3 on IT systems security on June 30) but have started doing some of the preparatory work. Essentially, what this session's going to focus on is the different IT systems (legacy and new) that need to be shored up. (Note: SCADA/control systems are purposefully excluded from this discussion as they are quite a bit different beasts, and we'll cover them in some depth in the not-too-distant future.)

You may ask, why the special emphasis now? Well, until recently and with no offense intended, utilities were an Internet backwater. They were (happily for them) way down on attackers' list of targets, partly because of their reputation as technology laggards, and partly because many of their systems were standalone, or nearly so. Folks we've met who've worked in utilities for decades, as well as those who've helped take care of their technology needs, attest that they've worked un-harassed in relative obscurity, until recently that is.

Emerging Center of the Universe

Now all eyes are on these guys: the press and analysts, Congress, the Department of Homeland Security (DHS), regulators NERC and FERC .... And two groups who more than any other are putting pressure on the utilities to perform, security-wise:
  • The aforementioned attackers, who now like what they see a lot more as utilities bring new web apps on-line, begin to aggressively interconnect their systems, and enable two-way communications to/from some of their most important systems, like the head-ends that aggregate much of the incoming traffic from customer systems
  • And of course, customers. Long dormant with only the absolute minimum interaction with their electricity providers, thanks largely to the press, customers are waking up and beginning to raise their voices demanding better service and control over fees
Which Systems Need (Better) Securing

In addition to what you can see in the Forrester slide, both the old and the new, there are numerous other types of systems, not the least of which (in importance) are "outage management systems". From our survey of utilities' IT managers and their service providers, we can place all into one of several categories:
  • Classic Cobol/Mainframe - As everyone knows, mainframe apps have been around forever and are always just a year or two away from replacement. This will (almost) never change. Many, if not most were developed initially deployed pre-Internet era and therefore security was neither designed in nor bolted on. Formerly protected primarily by their isolation, these old workhorses are becoming increasingly connected as their data (e.g., customer, financial, accounting, etc.) become increasingly important to other systems in a Smart Grid world. What's our advice for securing these systems ... stay tuned
  • Client/Server - Most often found in the form of packaged or "commercial off the shelf" (COTS) applications, these include a server component including logic and a database, and client-side software that sits on PCs. Typically manufactured by large, well known software vendors, these systems are most secure when configured properly, patched quickly, and kept up to date on the most current release. Note: these systems are as secure as their vendors have chosen to make them
  • Web Apps - Here we find some of the utilities' efforts to establish better rapport with business and residential customers. Some are purely informational, but others use access controls to enable account management, bill payment and other self-help features. These are typically developed using a mix of COTS packages, custom code and free and open source software (FOSS), and security vulnerabilities can lurk in any of those three pieces, as well as from improper configuration. Note: these are as secure as the requirements stipulated they must be. If there were few/no requirements for security in the design docs, barring a major overhaul at some point, that's how much security you can expect to find in them.
  • Web Services and Cloud - Code words connoting using remotely hosted application logic and data storage. We all use them today, and utilities, while sometimes slower to adopt new tech than others, are no exception. Examples include Geographic Information Systems (GIS), email, productivity apps, etc. These too, are as secure as their designers have chosen to make them, and in particular, users need to ask about how their data is protected, in transit and at rest
Parting Thoughts

In some ways, securing IT systems is the same job for utilities as it is for other sectors. It's been done before and is clearly not rocket science; yet doing it very well over time is a major undertaking for an organization, and requires solid commitment from the highest levels in an organization.as well as steady and adequate funding. It's not clear that as presently staffed and budget, most utilities can fully meet this challenge.

In other ways, of course, the ramifications of significant breaches are on quite a different plane altogether. As some of these systems will connect directly or indirectly to control systems that monitor and sometimes drive important physical power infrastructure, we should treat securing utility IT systems levels of gravity and rigor similar to FAA control tower applications or DOD command and control systems. The costs of failure in the energy sector are indeed often life threatening, not to mention economically and socially hazardous, and merit the community's absolute best efforts.

Chart courtesy of Forrester Research, 2009

Monday, June 7, 2010

More Smart Grid Security Fun: V2G Hacking and Cyber Car Jacking


Thanks to Forrester analyst Usman Sindhu for zeroing in on risks emerging from new sources on the Smart Grid edge. Namely, those related to our increasingly (wirelessly) wired automobiles. At the IBM Innovate conference Jack and I are attending this week, cars came into focus in a way I don't think they have before. You see, this is a conference devoted almost fully to the art and science of software, and cars are made out of steel, right?

Well, for time being, yes. But that's not the end of the story. Besides steel, the typical car of 2010 has over 200 million lines of code. And though ferrying payloads to low earth orbit and docking with the International Space Station are beyond most 2010 models' capabilities, this is far more software than it takes to run the space shuttles. With dozens of applications and interfaces, not only is each one a highly complex system in itself, but if you think about it, each is an intelligent node in a system of systems. Improvements are now rolling out with increasing frequency to safety, navigation and propulsion systems, among others.

Jack has recently developed an auto-fixation, and as he said in a presentation earlier today, the ability to monitor, diagnose, and repair many vehicular problems without expensive, inconvenient trips to the repair shop is a major win for car makers and customers alike. The way he described it, it was almost like techno-nirvana. Until, that is, he mentioned the likely frailty of the software upon which all of this great new functionality depends.

As recent recalls have demonstrated, the cost of loving what software enables is realizing what happens when it goes wrong, whether by accident or from malicious intent. For a drill down, recommend you see this from the Economist on Cars and software bugs, as well as the Discovery Channel's "This Car runs on Code". Karl Koscher et al from the University of Washington spell it out in plain English in their recent paper: "Experimental Analysis of a Modern Automobile":
While the automotive industry has always considered safety a critical engineering concern (indeed, much of this new software has been introduced specifically to increase safety, e.g., Anti-lock Brake Systems) it is not clear whether vehicle manufacturers have anticipated in their designs the possibility of an adversary. Indeed, it seems likely that this increasing degree of computerized control also brings with it a corresponding array of potential threats.
Threats from bad guys are one thing; threats from poor coding, configuration errors and other unintentional companions of complexity are likely a bigger challenge in the near term. Nevertheless, could an attacker work his/her way through less-than-secure automotive communications networks to put drivers in harm's way or adversely impact a utility? Sounds exotic, but when Vehicle-to-Grid (V2G) dreams start becoming reality, and electric cars draw their power from the grid while fulfilling important energy storage functions upon which we come to rely, this is one area we want to make sure doesn't get overlooked. In fact, just like in everything else, we'd recommend minimizing the drama and designing security in from the word go.


Photo Credit: So Fast it Hertz Blog

Tuesday, June 1, 2010

Hexad-dicted

Soon the edited and filtered version of the Smart Grid Security Blog Webcast #2 on data security will be available, and I encourage all of you who missed the live version to take a listen. (There are plenty of you who will be hearing this set of messages for the first time, as we did very little to publicize the schedule for this piece. We'll improve upon that for Webcast #3!)

Anyway, in the discussion of securing data for the Smart Grid, we are re-empathizing the two key points that we have made previously, and will continue to hit upon.
  • A new and unprecedented volume of data is coming your way
    You can either plan for it, and figure out how to secure it before the deluge starts, or you can simply let it all come and hope that the sheer volume of it will bury the evidence of your obvious lack of security forethought.
  • Your data is not all one flavor or type
    You need to break it up according to its security needs, its use in applications, and its likely combination with other types of data. Do this, and you may save untold hours and millions in efforts to partition it later, or to design a new series of systems that must first process the indigestible mass every time they need a new tidbit of data.
While preparing and presenting the data security webcast to offer some help in executing successfully given the facts above, I had been on a search for a set of externally developed and accepted security characteristics that were less vague (and therefore limiting) than the usual CIA triad. While Confidentiality, Integrity, and Availability are important, as concepts they are too indefinite and messy. If I copy an encrypted database of private information for later cracking, what fundamental premise has failed? The data is still confidential, it is still accurate, and the original copy is available for all to use. But I have still done something unsettling and bad. In order to present the security concerns accurately and succinctly to the new and largely untainted utility population, there needed to be a richer description that could be used with more accuracy, and more differentiation, as the new and highly varied data sources were contemplated for the Smart Grid. I arrived back at a six element formulation of security characteristics developed by renowned information security scion, Donn Parker, called eponymously, the "Parkerian Hexad".

In the Hexad, the venerable characteristics of Confidentiality, Integrity, and Availability are importantly augmented by the additions of Control, Authenticity, and Utility. Through the addition of these new descriptors, there is a natural clarity that arises around the description of security requirements for various data and service components.

I have translated more complete descriptions of the Hexad here, from the recent Webcast:


This is a start, for those of you with less time or feverish interest to go very far for a more in depth treatment. For folks who would like a very good introduction, with examples, from the fellow who coined the term "Parkerian Hexad", Michel Kabay, I really recommend this self-playing PowerPoint presentation from his work at Norwich University, from his overview page, it is here, and while it takes a couple of minutes to load, I think it is a great introduction for those of you just digging in. It also concludes with a description of what IA jobs mean in terms of responsibilities. I think this is also prime fodder for individuals just digging into roles as security leads within utilities, or those of you looking to hire roles like that.

Why learn these terms?
Unlike many industries that adopt new technologies and new business models incrementally, the utilities industry is jumping into the mix with both feet. There is little room to slow the pace of integration of new IT technologies in order to stop and compartmentalize the areas of investment based on security concerns or characteristics. The situation that has been created is one of rapid change and rapid growth.

By attempting to apply the security characteristics, and by answering the questions that inform the identification of issues, there are many interesting issues that will be brought to light. Smart meter location is just an address. Pair it with a user, and you have an identity or privacy problem. Similarly, in the case of outbound or control data, authenticity, integrity, and availability are all key.

Creating a checklist for all of the data involved in an application, and then having a discussion of how these useful and discrete characteristics apply, will lead to a much earlier, and much higher level conversation about why this kind of focus on Smart Grid Security is necessary.