Monday, June 7, 2010

More Smart Grid Security Fun: V2G Hacking and Cyber Car Jacking

Thanks to Forrester analyst Usman Sindhu for zeroing in on risks emerging from new sources on the Smart Grid edge. Namely, those related to our increasingly (wirelessly) wired automobiles. At the IBM Innovate conference Jack and I are attending this week, cars came into focus in a way I don't think they have before. You see, this is a conference devoted almost fully to the art and science of software, and cars are made out of steel, right?

Well, for time being, yes. But that's not the end of the story. Besides steel, the typical car of 2010 has over 200 million lines of code. And though ferrying payloads to low earth orbit and docking with the International Space Station are beyond most 2010 models' capabilities, this is far more software than it takes to run the space shuttles. With dozens of applications and interfaces, not only is each one a highly complex system in itself, but if you think about it, each is an intelligent node in a system of systems. Improvements are now rolling out with increasing frequency to safety, navigation and propulsion systems, among others.

Jack has recently developed an auto-fixation, and as he said in a presentation earlier today, the ability to monitor, diagnose, and repair many vehicular problems without expensive, inconvenient trips to the repair shop is a major win for car makers and customers alike. The way he described it, it was almost like techno-nirvana. Until, that is, he mentioned the likely frailty of the software upon which all of this great new functionality depends.

As recent recalls have demonstrated, the cost of loving what software enables is realizing what happens when it goes wrong, whether by accident or from malicious intent. For a drill down, recommend you see this from the Economist on Cars and software bugs, as well as the Discovery Channel's "This Car runs on Code". Karl Koscher et al from the University of Washington spell it out in plain English in their recent paper: "Experimental Analysis of a Modern Automobile":
While the automotive industry has always considered safety a critical engineering concern (indeed, much of this new software has been introduced specifically to increase safety, e.g., Anti-lock Brake Systems) it is not clear whether vehicle manufacturers have anticipated in their designs the possibility of an adversary. Indeed, it seems likely that this increasing degree of computerized control also brings with it a corresponding array of potential threats.
Threats from bad guys are one thing; threats from poor coding, configuration errors and other unintentional companions of complexity are likely a bigger challenge in the near term. Nevertheless, could an attacker work his/her way through less-than-secure automotive communications networks to put drivers in harm's way or adversely impact a utility? Sounds exotic, but when Vehicle-to-Grid (V2G) dreams start becoming reality, and electric cars draw their power from the grid while fulfilling important energy storage functions upon which we come to rely, this is one area we want to make sure doesn't get overlooked. In fact, just like in everything else, we'd recommend minimizing the drama and designing security in from the word go.

Photo Credit: So Fast it Hertz Blog