Posted on Wed, Feb 24, 2010 @ 10:47 AM
I took the challenge to wade through 300 pages of NIST's (National Institute of Standards and Technology) second draft of NIST IR 7628, Smart Grid Cyber Security Strategy and Requirements. My head is still ringing.
What is it?
The nation's electric power infrastructure is called the grid. It is believed the grid will not be able to generate sufficient power for all citizens in the future. Therefore the government wants to enable more efficient distribution of energy and use of natural resources by the utilities and consumers. And the way to do this is by modernizing the electric utility distribution model using information technology. Hence the Smart Grid.
Smart Grid Vision
The NIST plan lays out a complex web of intelligent consumer devices, from washing machines and water heaters to electric car batteries, connected to a computer network within the house or building, which is then connected to intelligent meter-type devices, connected in turn to a network of utilities and service providers (solar, wind, coal, nuclear, natural gas, hydroelectric), which are then connected to financial trading houses that set the market prices affecting energy rates.
Imagine a network of millions of intelligent devices, homes, buildings, utilities, distributors, financial markets and service providers all connected. The Internet redux.
Except in this situation there is the massive ability to control, shut off and turn on devices central to daily living, school, industry and work. Both consumers and service providers using Smart Grid technology will be able to regulate the use of energy by individual devices within the home and also local storage of power. Storage options can range from an electric car battery to batteries which store energy generated from solar panels or wind turbines. You will also be able to regulate usage and energy storage based on real-time market prices.
So as a result of Smart Grids the public can conserve energy, lower energy costs, lower carbon emissions, and have less reliance on foreign oil (automobiles). Yet while the goals are worthy, after watching movies like The Terminator and The Matrix, I couldn't stop thinking this massive network will lead to a Doomsday scenario. Computers taking over the world.
However, this is not what keeps NIST and others up at night. The fear is that this massive network, based on off-the-shelf computer technology, presents a frightening cyber security challenge. And the threats could be from terrorists, natural disasters, internal malcontents as well as consumers themselves.
Difference in security for Smart Grids vs. corporate IT
A traditional IT-focused understanding of cyber security is that protection is required to ensure confidentiality, integrity, and availability of the network and data. The priority is confidentiality first, then integrity and availability.
For industrial control systems, including power systems, the priorities of the security objectives are availability first, integrity second, and then confidentiality (consumer data). Cyber security in the Smart Grid includes both power and cyber system technologies and processes in IT and power system operations and governance.
Because the Smart Grid includes systems from the IT, telecommunications, and energy sectors, the risk assessment process is applied to all three sectors as they interact in the Smart Grid. It is an enormous undertaking. But once the Smart Grid is secure, it will be the harbinger of daily life in the future.
Posted on Tue, Feb 16, 2010 @ 08:37 AM
In their official corporate blog last month, Google reported attacks originating from China on certain Gmail accounts. Further investigation revealed the Gmail accounts belonged to Chinese human rights activists. And then they found that accounts of dozens of U.S., China and Europe-based Gmail users, who are advocates of human rights in China, were accessed via phishing scams or malware placed on users' computers.
When Google.cn (China) was launched in 2006, it agreed to censorship by the Chinese government. However, based on these latest attacks and increasing limits on free speech on the web, Google is re-evaluating its position. It is a possibility, dependent on its talks with the Chinese government, that it will cease operating in that land.
What are we to do when a sovereign government breaches security and attacks its own people? Who do you turn to for recompense? What additional security measures can one take?
Google is already warning all users to deploy anti-virus and anti-spyware programs, to install patches for their operating systems, to update their web browsers and to be cautious when clicking on links appearing in instant messages and emails.
But is this enough? In the old days when the government snooped on you they wire-tapped your phone, camped outside your house with long lens cameras, sifted through your trash and followed you around. It took a lot of effort and expense to spy on someone. Now in the cyber age, the snoopers are faceless and attack millions with little effort. What can one do?
Individual and corporate security measures will safeguard you to a certain point. But when a government attacks, ultimately it is the human response, the people at every node of the network who safeguard our freedoms. Unplugging will not be an option unless we desire to return to the Stone Age. Thus behind every security measure there must be people willing to stand for what is right.
Posted on Wed, Feb 10, 2010 @ 09:32 AM
The Department of Energy (DOE) has a goal to secure control systems used in the energy sector from malicious cyber attacks, attacks that could lead to potentially catastrophic disruptions in our critical infrastructures. As part of this effort, DOE created a document called "Roadmap to Secure Control Systems in the Energy Sector." As I was reading it I came across some interesting nuggets about previous attacks on utilities (Source: GAO 2004, Reed 2005). Some things you may not hear on David Letterman.
1. Unsuspected code hidden in transferred product (USSR, 1982)
While the following cannot be confirmed, it has been reported that during the Cold War the CIA inserted malicious code into control system software leaked to the Soviet Union. The software, which controlled pumps, turbines, and valves on a Soviet gas pipeline, was programmed to malfunction after a set interval. The malfunction caused the control system to reset pump speeds and valve settings to produce pressures beyond the failure ratings of pipeline joints and welds, eventually causing an enormous explosion.
2. Hacker exploits cross-sector interdependence (Massachusetts, USA, 1997)
A teenager hacked into and remotely disabled part of the public switching network, disrupting phone service for local residents and the fire department and causing a malfunction at a nearby airport.
3. Insider hacks into sewage treatment plant (Australia, 2001)
A former employee of the software developer hacked into the SCADA system that controlled a Queensland sewage treatment plant, causing a large sewage discharge over a sustained period. He was caught and sentenced to two years in prison in 2001.
4. Worm exploits interconnected business and operations networks (Ohio, USA, 2003)
The SQL Slammer worm infiltrated the operations network of the Davis-Besse nuclear power plant via a high-speed connection from an unsecured contractor's network (after the corporate firewall had previously blocked the worm). After migrating from the business network to the operations network, the worm disabled the panel used to monitor the plant's most crucial safety indicators for about five hours and caused the plant's process computer to fail; recovery for the latter took nearly six hours. Luckily, the plant was off-line at the time.
These stories were used to illustrate the U.S. government's concern about the potential for cyber attacks on the energy sector. And as smart grid technology evolves to tie everyone and everything together in a futuristic, postmodern indulgence of technology in daily life, we will need all the security we can get.
GAO (Government Accountability Office). 2004. Critical infrastructure protection: Challenges and efforts to secure control systems (GAO-04-354).
Reed, T. 2005. At the abyss: An insider's history of the cold war. Random House.