The Last Watchdog

on Internet security by Byron Acohido

A call for baking tighter security into electrical utility smart grids

Posted on May 16, 2010

Electrical utilities across the nation are looking into installing “smart grids” that can intelligently monitor Internet-connected meters and appliances in homes and businesses. With only a handful of smart grid projects underway, cyber security concerns have already taken center stage, as Andres Carvallo, Chief Strategy Officer of Grid Net, explains in this LastWatchdog guest blog post.

By Andres Carvallo

It’s time for utilities and their vendors to start building security protocols into every aspect of the smart grid fabric. It’s also time for utilities to hold their software vendors accountable for flawed architectures and vulnerable technologies. The risks are too great to take lightly.

At the 2009 Black Hat security conference, security consultancy IOActive reported that it was able to simulate a smart meter worm that infected about 15,000 home meters (out of 22,000 homes) and subjected the devices to the control of the worm’s designers. At the time, IOActive’s Mike Davis stated that, “the vast majority of smart meter systems use no encryption or authentication processes to prevent someone from uploading malicious software or turning meters on and off en masse.”

Let’s be clear: any time that you connect devices into a network, you face security risks. But networking our nation’s electricity grids poses even greater security hazards, since most devices are located in physically unprotected / vulnerable locations and simply cannot be protected by the “four walls” of a data center or a physical plant.

Even worse, some smart grid vendors are offering technologies that actually increase the risk that viruses and worms will spread the damage from a single hacked device.

For example, vendors that rely on radio-frequency (RF) mesh networks are peddling an architecture that relies on “peer-to-peer” networking – in this case, using the meter as a network link – and that thereby increases the risk of ‘man-in-the-middle’ and impersonation attacks. In the RF mesh scenario, smart meters are the first, and highly vulnerable, line of penetration for hackers and virus-spreaders. Think of mesh network infrastructure as a self-propagating home botnet that makes the threat of spreading malware very, very real. It’s a scary thought.

In designing the smart grid, utilities should hold their vendors accountable for implementing a multi-faceted security approach in their offerings. This should start with security at the edge device. Embed unique, standards-based hardware and software security into every network node and device. That way, a hacked device can be detected and isolated before it spreads a virus.

Also, use only standards-based security, and use it everywhere. By incorporating security standards throughout the smart grid, utilities can leverage the collective best efforts of tens of thousands of engineers, universities, government agencies and white-hat hackers, as well as hundreds of millions of dollars of investments in the latest security technologies.

Consider security a marathon, not a 40-yard dash. Maintaining a safe, secure smart grid requires continuous vigilance and the stamina to sustain ongoing investments in security oversight, critical software patches, software upgrades and process improvements. That’s because security threats are never-ending: hackers enjoy a challenge, and they intend to keep at it.

By Byron Acohido
