Monday, February 16, 2009
There has been a lot of traffic in the blogosphere about Smart Grid security. In the real world, working groups are being formed, standards are being written, and there are many activities by the GridWise Architecture Council (http://www.gridwiseac.org/), NIST (http://www.nist.gov/smartgrid/) and a host of people that truly get it when it comes to security. I think all of this work is absolutely needed, and there are a lot of very smart people working on those groups/standards, and they are doing a great job.
However…
We are not just talking about the designed-in functionality of all these devices and what they are “supposed” to do; we are talking about all of the ingenious things that someone with malicious intent can make them do. In other words, many systems meet their design and functional specification, but what else are these devices capable of doing?
One of the biggest vulnerabilities discovered while I was at DHS (http://www.cnn.com/2007/US/09/26/power.at.risk/index.html#cnnSTCText) was based on a device operating within its design parameters. There was no “bug” in the software and the device did only what it was designed to do. The problem was nobody ever considered what bad things could be done, because the people who designed these systems are not bad guys. Consequently, they simply didn’t think that way when the systems were designed.
So, after all the standards are met, after all the policies and regulations are complied with, somebody has to be willing to do something very unpopular (and sometimes expensive). Take a device, a system, a process, or what have you, hand it over to a bunch of clever people, ask them one question, and then get out of the way. Ask them: “If you wanted to inflict damage, do harm, or otherwise cause havoc with the system, how would you do it?”
Twenty years ago, devices were designed without much consideration for malicious hackers or criminals, and here we are today doing our best to patch and mitigate vulnerabilities that in some cases were designed-in. Smart Grid technology is already being pushed out the door and implemented in major rural and metropolitan areas across this country (http://coloradoenergynews.com/2008/11/boulders-smart-grid-project-gets-serious/) and around the world. Whatever we install now will be with us for a very long time, and we should at least be asking the right questions.
Regards,
Perry