The security firm IOActive warns that the Smart Grid, as currently being built, is so insecure that it's vulnerable to the kind of attacks that have bedeviled Internet sites and ordinary users for years. In fact, from the company's description of the dangers, it sounds as if ordinary users may be more secure than the grid itself, because users at least have installed security software.
The report concludes that the grid is vulnerable:
"...to common security vulnerabilities such as protocol tampering, buffer overflows, persistent, and non-persistent rootkits and code propagation. These vulnerabilities could result in attacks to the Smart Grid platform, causing utilities to lose momentary system control of their Advanced Metering Infrastructure (AMI) Smart Meter devices to unauthorized third parties. This would expose utility companies to possible fraud, extortion attempts, lawsuits or widespread system interruption. If security is not addressed in the design and implementation of these emerging technologies, it may prove cost prohibitive to address them once the devices are fully deployed."
In other words, hackers could bring down parts of the grid, or possibly the entire grid itself, and could resort to extortion or blackmail. Left unsaid was that terrorists could attack the grid as well.
The Smart Grid will be used not only by power companies, but by enterprises as well. Intelligent devices will live inside corporate firewalls and communicate via the grid and with each other, and be used to manage power and resources. If the very fabric of the grid is insecure, it won't matter how well a corporation protects itself --- hackers can make their way inside enterprise firewalls via the Smart Grid.
The solution, according to IOActive, is that the grid from the beginning should be built for security. Joshua Pennell, President and CEO of IOActive, told the Committee of Homeland Security and DHS in a presentation that the grid needs to include best practice security assessments and that the industry should "follow a proven formal Security Development Lifecycle, as exemplified by Microsoft’s Trustworthy Computing initiative of 2001, to guide and govern the future development of Smart Grid technologies."
There's no doubt that IOActive has an axe to grind here --- after all, it specializes in security, and so stands to gain if more security were embedded in the grid. But the company is also absolutely right: If security isn't baked into the Smart Grid from the beginning, it spells potential disaster.
To get a copy of the press release about the study, click here.
Lock photo CC licensed by Flickr user subcircle.












VIRUSES on SMART GRIDS
Murphy's Law: also applies to SMART GRIDS.
Get tough on crime - make planting Viruses, Worms, etc a Federal Crime, and start putting hackers in jail or better yet send them to a Turkish Jail never to be seen again.
Smart Grid = Nightmare
Not too likely. Most do not envision an end-to-end control scheme. The practical limits of the smart grid are easily surpassed once one tries to move past a simple pricing signal approach across the power carrying grid. Everything else envisioned uses a secondary wired/fiber/wireless local network that is itself isolated from the regional network, county network, State level network, Regional Power (FERC/NERC defined geo-power grids and interconnects), and National level (if ever needed but highly unlikely with reporting at the FERC/NERC levels).
Despite all of the political rhetoric the utility industry is a strong believer in the KISS principle. Hence the high degree of availability of electricity in this country. The pretty pictures our politicians paint for a smart grid and the actual systems that will be deployed are not at all linked. Nor are they really needed to achieve the desired end results.
But you have identified a genuine concern that there is adequate attention to this entire issue of vulnerability to IT enabled hacking at each level of deployment of the smart grid.
Jack Pouchet
Emerson Network Power
www.efficientdatacenters.com