Monday, July 19, 2010

Smart Grid Confidence Game 3: Hacking the US Grid Annoyingly Difficult, Ridiculously Time Consuming, says Wired's Danger Room

Much appreciation to Wired's Michael Tanji for recently observing that the sky remains in its nominal coordinates and that we should proceed with our lives, and previously scheduled Smart Grid initiatives, already in progress. Here's the opening:
People have claimed in the past to be able to turn off the internet, there are reports of foreign penetrations into government systems, “proof” of foreign interest in attacking U.S. critical infrastructure based on studies, and concerns about adversary capabilities based on allegations of successful critical infrastructure attacks. Which begs the question: If it’s so easy to turn off the lights using your laptop, how come it doesn’t happen more often?
Remember, it serves no one's interests to deny that the grid and Smart Grid face many significant threats. It's just that by subjecting ourselves only to jarring FUD alarms, we lose balance, perspective and the ability to believe what our eyes are telling us is really going on in the world.

So why is it, then, that despite daily media klaxons and vuvuzelas signaling that the end (of the grid) is nigh, our massive and complex electrical generating, transmitting, distributing and consuming systems mainly keep working? The answer lies, at least in part, in their very complexity. Tanji continues:
The fact of the matter is that it isn’t easy to do any of these things. Your average power grid or drinking-water system isn’t analogous to a PC or even to a corporate network. The complexity of such systems, and the use of proprietary operating systems and applications that are not readily available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more difficult than using Metasploit.
Now here comes the tricky part, where isolation from the Internet is given some of the credit:
... these systems are rarely connected directly to the public internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.
While isolation may be the current state, I don't think you can bet on it as a constant. The temptations to connect are too many, and one-off connections to the Internet often go undetected by internal security staff and auditors. Better to stick with the complexity/diversity message than the "disconnected today/always will be disconnected" pledge.

The full piece is here, followed, as per usual, by a comment chorus from the bitter and bizarre (with a couple of regular folks sprinkled in).

Also, if you want to get a better feel for this complexity yourself, give the Google Tech Talk on "Smart Grid, Utilities, and Internet Protocols" a look. The presenter is EnerNex's Erich Gunther. As the saying goes, he'll forget more about our electric infrastructure and the Smart Grid than most of us will ever learn. In addition to the complexity arguments made earlier, Gunther, and others like him on the "good guys" team, are another reason why I'm confident that attackers' impacts will be moderate and the sky will remain aloft as we develop and deploy the Smart Grid. Hope you're confident too.

Photo credit: Dominic Alves at