
Some Overlooked Aspects Of Cyber Security Standards For SCADA & Control Systems

Last week NIST announced the first set of standards to be implemented by the Smart Grid. Having defined standards to follow and build against is usually a good thing (unless your standard is the one that gets rejected), but standards carry more implications than most people realize. In the past, electric utilities have relied on a combination of security by obscurity and the fact that few devices were networked to make cyber security a non-issue. The Smart Grid changes all of that. Once there are clearly defined, publicly available standards, the obscurity goes away. That is not a bad thing, but it is important to recognize.

The first step in attacking any system is reconnaissance: gathering as much information about the target as possible. A set of published standards is a great place to start. The NIST standards include the details of how communication is done on each segment of the Smart Grid, and they also name the cyber security standards that will be used.

For example:

Say you wanted free electricity, or wanted your neighbor to pay ten times as much. You could read the OpenHAN, ZigBee, and ANSI C12.19 standards to learn how meter and home-area-network data is exchanged, and then the AMI-SEC standards to learn what security will be in place for data going back to the electric company. Or, if you wanted to target the transmission side, the IEEE C37.118, DNP3, and IEC 61850 standards explain how to talk to the devices, and IEEE 1686-2007, IEC 62351, and NERC CIP-002 through CIP-009 each describe the security that is required to be in place. Sure, there is a lot more to hacking an electric utility than reading a standard, but there is not much more an attacker could ask for in terms of background information: full details on how to talk to the system, and the security you are going to need to get past.
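To make "full details on how to talk to the system" concrete, here is an added example (not code from the original post, and not any vendor's or the DNP3 Users Group's code) that builds and validates DNP3 link-layer frames exactly as the openly sold standard lays them out: fixed start octets 0x05 0x64, a length byte, a control byte, 16-bit little-endian destination and source addresses, and a CRC-16/DNP over the header and over each block of up to 16 user-data bytes. The CRC parameters (polynomial 0x3D65, reflected, final XOR 0xFFFF) and the link function codes come from the public specification; the request payload in the sample is constructed for illustration, not captured from a real device. The point is that everything an attacker needs to speak to a DNP3 outstation fits in under a hundred lines once the standard is in hand.

```python
"""Added example: DNP3 link-layer framing straight from the public spec.

The start bytes, header layout, CRC-16/DNP parameters and function codes are
all documented in the openly available DNP3 standard. The sample payload is
constructed for illustration and is not a frame captured from any device.
"""
import struct

START_BYTES = b"\x05\x64"        # fixed DNP3 link-layer start octets
CRC_POLY_REFLECTED = 0xA6BC      # CRC-16/DNP polynomial 0x3D65, bit-reversed
MAX_USER_DATA = 250              # length byte = 5 header bytes + user data, max 255

# Link-layer function codes when the primary station (PRM=1) sends the frame
PRIMARY_FUNCTION_CODES = {
    0: "RESET_LINK_STATES",
    2: "TEST_LINK_STATES",
    3: "CONFIRMED_USER_DATA",
    4: "UNCONFIRMED_USER_DATA",
    9: "REQUEST_LINK_STATUS",
}


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, reflected in/out, init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a frame: 8-byte header + CRC, then 16-byte data blocks each
    followed by its own CRC. All CRCs go on the wire little-endian."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds 250 bytes")
    header = START_BYTES + bytes([5 + len(user_data), control]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for offset in range(0, len(user_data), 16):
        block = user_data[offset:offset + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate and decode a frame; raise ValueError on any framing or CRC error."""
    if len(frame) < 10 or frame[:2] != START_BYTES:
        raise ValueError("missing DNP3 start bytes")
    header = frame[:8]
    length, control = header[2], header[3]
    dest, src = struct.unpack("<HH", header[4:8])
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(header):
        raise ValueError("header CRC mismatch")
    if length < 5:
        raise ValueError("length field below minimum of 5")
    remaining, user_data, pos = length - 5, b"", 10
    while remaining:
        take = min(16, remaining)
        block = frame[pos:pos + take]
        crc_field = frame[pos + take:pos + take + 2]
        if len(block) != take or len(crc_field) != 2:
            raise ValueError("frame truncated")
        if struct.unpack("<H", crc_field)[0] != crc16_dnp(block):
            raise ValueError("data block CRC mismatch at offset %d" % pos)
        user_data += block
        pos += take + 2
        remaining -= take
    return {
        "from_master": bool(control & 0x80),   # DIR bit
        "primary": bool(control & 0x40),       # PRM bit
        "function": PRIMARY_FUNCTION_CODES.get(control & 0x0F, "OTHER"),
        "dest": dest,
        "src": src,
        "user_data": user_data,
        "frame_length": pos,
    }


# Constructed sample (illustrative only): a master (DIR=1, PRM=1, FC=4 unconfirmed
# user data) sending transport header 0xC0 followed by an application-layer READ
# (0x01) of object group 60 variation 1 (class 0 data) with qualifier 0x06.
SAMPLE_CONTROL = 0xC4
SAMPLE_USER_DATA = bytes.fromhex("c0c0013c0106")
SAMPLE_FRAME = build_frame(SAMPLE_CONTROL, dest=1, src=3, user_data=SAMPLE_USER_DATA)


def demo_tamper_detection() -> bool:
    """Flip one bit of the destination address; the published CRC catches it."""
    tampered = bytearray(SAMPLE_FRAME)
    tampered[4] ^= 0x01
    try:
        parse_frame(bytes(tampered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(SAMPLE_FRAME.hex())
    print(parse_frame(SAMPLE_FRAME))
    print("tamper detected:", demo_tamper_detection())
```

Note what the CRC does and does not buy you: it detects line noise and the bit flip in `demo_tamper_detection`, but anyone who has read the same standard can recompute it, so it provides no authentication at all. That is exactly why the security layers named above (IEC 62351 and the rest) exist as separate documents, and why they, not the framing, are what an attacker has to get past.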

Without that background information, finding a good starting point would be more difficult (though not impossible, which is why obscurity always fails eventually). We now have a clear, open list of standards, many of them free to access and others, such as DNP3, costing only about $300. That should make it clear that obscurity can no longer even be used as an excuse. The IT world has learned that if you do not do proper security testing on your applications and devices, sooner or later someone else will do it for you. The same will apply to the Smart Grid as the number of connected devices and the size of its communication network grow.

Including in the list of standards one that requires “cyber security” is not the complete solution either. If it were that easy, governments would have made the Internet a safe and secure place by now. Security is constantly mentioned as something the Smart Grid needs, but rarely in anything more than generalities. At the same time, there is a huge push to roll out Smart Grid systems as soon as possible: every week more networks are deployed and more devices are built. Yet we still have only generalities and wishful thinking on the security side. Now that we have the standards that will make up the Smart Grid, we should get to work on actually securing it.