Smart grid technology opens a world of possibilities for energy conservation and efficient operations. Unfortunately,...
it is also creating great opportunities for smart grid hackers.
Tony Flick, principal at FYRM Associates, compares the evolution of nascent smart grid security standards to the Payment Card Industry Data Security Standard (PCI DSS), which is aimed at securing payment cards.
That's not a good thing, in Flick's opinion. He said PCI DSS rules, which were created by the National Institute of Standards and Technology (NIST), fall short because they are vague and allow the industry to police itself. This leads to deployment uncertainties, scenarios in which implementations are considered compliant without actually being secure and other problems.
"I wouldn't characterize [PCI DSS] as an absolute failure -- any security is better than none -- but at the same time, there are valid criticisms of the standard," Flick said.
Black Hat 2009:
Visit our Black Hat 2009 special coverage page: Researchers at the 2009 Black Hat conference in Las Vegas will no doubt demonstrate today's emerging security threats. SearchSecurity.com and Information Security magazine editors are live in Las Vegas and ready to talk to today's security experts about the cutting-edge threats that you'll need to prepare for.
Utility companies have begun rolling out digital electric metering devices that connect to the Internet and collect electricity use at a home or business. The devices are connected to electric substations and enable utility companies to route power more efficiently. The goal is to reduce costs and save energy by closely monitoring energy consumption.
Flick, who is scheduled to make a presentation entitled "Hacking the Smart Grid" on July 30 at Black Hat USA 2009 in Las Vegas, said that final decisions on rule creation have not been made. He urges NIST to eschew the hands-off approach that characterized the PCI DSS effort.
"We need to have enough government regulation and oversight and details to make sure companies adhere to a strong enough level of security," Flick said.
In some cases, however, it may be too late. Utilities are rolling out smart grids that likely won't be compliant with subsequent standards.
"You can't really integrate from the beginning if the beginning is already past," he said.
Early indications are that security indeed is a big issue. IOActive Inc., which also will be presenting at the conference, performed penetration tests on a number of smart grid devices. In response to email questions, IOActive's senior security consultant Mike Davis declined to specify what gear was tested. Among the smart grid vulnerabilities the firm found were an overall lack of security in older devices to problems with cryptographic key distribution in newer gear. He indicated that the media focus on smart grid security has led vendors to tell him that they are paying attention to security, and he holds out hope that this is so. Davis' presentation, "Recoverable Advanced Metering Infrastructure," also is slated for July 30.
Smart grid technology essentially will be overlays to existing electric grid management systems. Insecure smart grid technology could provide crackers with an express lane to the insecure networks to which they attach. Pre-smart grid power infrastructure insecurity was a hot topic this spring when a Wall Street Journal report claimed, among other things, that the U.S. grid was hacked by the Chinese and other countries. Though the story was ridiculed by experts, there is general agreement that the main conclusion -- which was that the grid is vulnerable -- hit the mark.
"It is very serious," said Ira Winkler, the president of the Internet Security Advisors Group and the author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day. "Right now the power grid is susceptible to a wide variety of attacks. At this point they are only limited by the will and creativity of the bad guys, whoever they may be."
Smart grid insecurity adds another layer to a landscape of problems that have multiple causes and developed over a long period of time. The root problem is that power companies use the public Internet to traffic mission-critical data and, in many cases, inadequately protect those systems.
There is no good news here. Power grids and the control networks that run them often rely on Microsoft's Windows Embedded OS, which experts say has been compromised. Many utilities simply don't know where all the sensitive software is, and scans designed to map the often fragile networks can create what in essence are self-inflicted denial-of-service (DoS) attacks.
Denial completes this recipe for disaster. The organization responsible for minding the grids' security -- The North American Electric Reliability Corporation (NERC) -- lets utilities self-assess their "critical cyber assets." The predictable results are that utilities say they don't have many. This is precisely the type of thinking that Flick warns against for the new smart grid element of the system.