"Smart" Grid Security "Breach"
When the Wall Street Journal reports on Smart Grid, people pay attention. I've been mulling this topic for a few days, and am prepared to give it my best non-security expert shot. I think there are three basic points related to this topic:
1) Life is full of tradeoffs: want security? give up connectivity
2) Why is this a story?: This isn't even Smart Grid - this is 'regular grid'
3) What is the state of the art? People are hard at work on Smart Grid security - what are they doing?
Tradeoffs -
My experience with security comes from our Semiconductor industry data acquisition and control product. We find that we have two very different customers, and we can almost never make them both happy. Our direct customers, who use our product, want as much interconnectivity as possible. The IT organization whose job it is to maintain security want as little as possible. Others may achieve a better balance of security and access than we do, but the tradeoff seems ever present. We are just one little company, but reading one of the great security evangelists, Bruce Schneier gives me confidence that we are seeing the same thing everybody experiences. There is value to be had from the greater connectivity proposed in the smart grid. This value goes well beyond the 'laziness' of not having to go on-site to throw a switch. The power of automation and large aggregated data analysis has been proven in countless fields and will be demonstrated on the smart grid as well. This power comes at a cost. More access means more vulnerabilties. Vulnerabilites get exploited, whether by nefarious agents or bored teen-agers. It hasn't stopped poople from moving ot online banking, and it won't stop this either.
1) Life is full of tradeoffs: want security? give up connectivity
2) Why is this a story?: This isn't even Smart Grid - this is 'regular grid'
3) What is the state of the art? People are hard at work on Smart Grid security - what are they doing?
Tradeoffs -
My experience with security comes from our Semiconductor industry data acquisition and control product. We find that we have two very different customers, and we can almost never make them both happy. Our direct customers, who use our product, want as much interconnectivity as possible. The IT organization whose job it is to maintain security want as little as possible. Others may achieve a better balance of security and access than we do, but the tradeoff seems ever present. We are just one little company, but reading one of the great security evangelists, Bruce Schneier gives me confidence that we are seeing the same thing everybody experiences. There is value to be had from the greater connectivity proposed in the smart grid. This value goes well beyond the 'laziness' of not having to go on-site to throw a switch. The power of automation and large aggregated data analysis has been proven in countless fields and will be demonstrated on the smart grid as well. This power comes at a cost. More access means more vulnerabilties. Vulnerabilites get exploited, whether by nefarious agents or bored teen-agers. It hasn't stopped poople from moving ot online banking, and it won't stop this either.
Why is this in the news?
This aspect of the story is fascinating. The first thing to note is that the WSJ article says nothing about smart grid. It merely states that utility grid has been attacked. Secondary sources have augmented this story to focus on SmartGrid. The next aspect of the story is the vagueness of the article. Inteligence officials state 'Chinese' and 'Russian' 'cyberspies' have penetrated our utility grid. When? How significantly? What constitutes the electrical grid? What makes the 'cyberspies' 'Chinese' or 'Russian'? Who are these officials? A number of commentators have picked up these threads. I will try to summarize and augment. Computers get 'botted' all the time. The BBC did a story on how you could buy a 20000 computer botnet for $0.25 a machine. So given the number of computers that get hacked, what attribute of a computer is required for it to be 'part of the grid'? Is it on somebody's desk & mostly used for email & powerpoint? Could I use the 'botted machine to play Enron energy trader? A while back there was a story that NSA got hacked - the PR department! What makes the attacks 'chinese' - a chinese IP? Any hacker worth anything routs through a bunch of secondary IP's- China is a very popular pass-through. Unnamed 'intelligence officials' can be in the disinformation business as easily as the info business. A theory is that the NSA is agitating for more control over cybersecurity. To quote Bruce Schneier twice in one post, he's convinced this story is a plant as well.
What is the state of the art?
One of my favorite podcasts, Currents, had a show on grid security. A key point that I took away is that cyberterrorism is pretty darn inefficient. Hacking the grid is hard, and almost anything you do can be undone fairly easily. By contrast, the physical infrastructure is not enormously well protected, and a very small number of very low-level people can really do some damage destroying physical switches and relays that take months to replace. Bottom line, much less sexy attacks are a much greater risk to infrastructure. A further point is that every serious smartgrid organization has studied security intensely and has proposed detailed. This is now the point in the post where my lack of security background comes through. I can't tell you whether the proposes approach is sound, or best of breed, but security has definitely been a serious consideration in SmartGrid.
Independent of the facts, I think this story highlights the critical PR challenge that this new technology faces. Let's hope the Smart Grid isn't Tesla to the the status quo's Edison.
2 Responses to ""Smart" Grid Security "Breach""
Or maybe I'm biased by my desire to find plenty of job opportunities in this sector.
Post a Comment