Posts Tagged ‘smart grid security’

A Smart Grid Reference Library

Wednesday, July 21st, 2010

Whether you’re new to the smart grid concept, a developer looking for technical documentation, or involved in any aspect of planning for the grid, there is now a central online resource for information on all things “smart grid”. The Smart Grid Information Clearinghouse (SGIC) will officially go live in Fall 2010, but for the time being it’s available publicly in beta form:

“It is envisioned that the SGIC portal will be the essential gateway that connects the smart grid community to the relevant sources of information that are currently scattered and distributed on the worldwide web. The portal will also direct its users to other pertinent sources or databases for additional data, case studies, etc. It will serve as a decision support tool for both state and federal regulators in their deliberations for rule-making and evaluating the impact of their investments in the smart grid technologies and software.”

This site will likely prove to be an invaluable reference library for those involved in any aspect of the smart grid, with information available on a wide variety of subjects all aimed at providing awareness and furthering the development of the smart grid community.

Tags: , ,
Posted in Uncategorized | No Comments »

Government Introduces “Perfect Citizen”

Thursday, July 8th, 2010

The Wall Street Journal reports on a new computer network surveillance program being launched by the federal government. The project, dubbed “Perfect Citizen,” will be led by the National Security Agency (NSA) who have already contracted defense heavyweights Raytheon for the project.

Perfect Citizen will use sensor-based surveillance tools to monitor computer networks, both private sector and government-operated, that connect the nation’s critical infrastructure systems–including the power grid, nuclear plants, air traffic control and others–in an effort to detect and prevent serious cyber attacks.

According to The Wall Street Journal,

Perfect Citizen will look at large, typically older computer control systems that were often designed without Internet connectivity or security in mind. Many of those systems—which run everything from subway systems to air-traffic control networks—have since been linked to the Internet, making them more efficient but also exposing them to cyber attack.

The goal is to close the “big, glaring holes” in the U.S.’s understanding of the nature of the cyber threat against its infrastructure, said one industry specialist familiar with the program….

The information gathered by Perfect Citizen could also have applications beyond the critical infrastructure sector…serving as a data bank that would also help companies and agencies who call upon NSA for help with investigations of cyber attacks, as Google did when it sustained a major attack late last year.

We recently posted about the 60 MINUTES investigation into critical infrastructure security that not only declared the U.S. unprepared for cyber attacks on the infrastructure, but described how it was already being hacked.

Tags: , , , , , ,
Posted in Uncategorized | 2 Comments »

Understanding EAX’ Smart Grid Security

Tuesday, July 6th, 2010

Much of the latest smart grid and AMI technology relies on the open ANSI C12.22/IEEE1703 standard for the transport of meter data over networks. And this specification relies on a security mechanism called EAX’, a modification of the EAX mode cryptography scheme.

A new report provides a concise explanation of how this security protocol functions. Download the full PDF here.

As we recently posted, smart grid security is becoming a booming industry unto itself, with billions of dollars to be spent in the coming years.

Tags: , , , , ,
Posted in Uncategorized | No Comments »

Nice Work if You Can Get It: Security Retrofit for 800 Million Smart Meters?

Sunday, June 20th, 2010

CNET News has published a comprehensive report on the state of smart grid security. In it, they detail the growing concerns among security experts that smart meter technology is being rapidly expanded around the world without the built-in security considerations necessary to protect the utility infrastructure — and the people connected to it — from serious cyber-crime.

According to the CNET report, the vulnerabilities in today’s smart meters could allow for a number of malicious attacks, including the theft of private consumer data, the disruption of power to specific buildings, and even the targeted outage of entire utility grids. Many experts quoted in the article believe that US smart meter manufacturers and utility companies are treating security as an afterthought in order to quickly take advantage of Federal stimulus money.

There are about 250 active smart-metering projects worldwide, with about 49 million meters already installed and 800 million planned for installation…. Projects in the U.S. are being accelerated because of the $3.4 billion in stimulus funds set aside for smart-grid technologies. About 60 million smart meters will be deployed in the U.S. this year, covering about half of households…. Security appears to be a casualty of this haste….

“Since there is no federal mandate as to how much security to have in the meters, there aren’t the right motivation factors for security to be a major factor…It’s an afterthought.”

According to one expert, “Prominently missing are signed and encrypted firmware, secure (smart card) chips for key storage, unique cryptographic keys, and physical tamper protection.”

We’ve previously discussed the growing concern surrounding the security weaknesses in today’s smart grid technology. In addition, we recently reported on the 60 Minutes investigation into the malicious hacks that have already hit the nation’s critical infrastructures.

Tags: , , , , , , , ,
Posted in Uncategorized | 1 Comment »

HP: Smart Meter Rollouts Need More Security

Wednesday, May 19th, 2010

Under Obama’s American Recovery and Reinvestment Act, states have a limited window of time during which to invest their stimulus budgets into projects which will improve energy efficiency and make energy infrastructure more sustainable. To maximize their use of stimulus funds, states are quickly investing in smart grid technologies, a demand that tech innovator Hewlett Packard is eager to satisfy.

However, as an article in eWEEK Europe reports, HP may be shipping to meet that demand at the expense of security. At the company’s Executive Energy Conference in Dubai, HP’s utilities industry director Ian Mitton admitted that security has been an afterthought in smart grid and metering projects, with an emphasis being placed on early deployment to meet stimulus demand and experiment with the new technology. As we’ve previously discussed, security experts have been concerned about under-secured smart grid technology being rushed to market for some time.

Tags: , , , , ,
Posted in Uncategorized | No Comments »

New Smart Grid Security Document Released

Sunday, April 25th, 2010

pic7-44We’ve posted before about the National Institute of Standards and Technology’s (NIST) Smart Grid security strategy draft. And now the NIST has announced the second draft of its Smart Grid Cyber Security Strategy and Requirements document, which is currently available for public comment.

According to the NIST,

The second draft of the document contains the updated overall security strategy for the Smart Grid and updated logical interface diagrams, privacy, bottom-up analysis, and vulnerability class analysis sections. In addition, new chapters on research and development themes and standards assessment have been included. Finally, an overall functional logical Smart Grid architecture is included.

The full second draft is available here.

Tags: , ,
Posted in Uncategorized | 1 Comment »

Understanding “The Internet of Things”

Wednesday, April 7th, 2010

pic1-28Currently in its planning phases, the second annual “Internet of Things Conference” in Tokyo will take place this November. Discussing some of the conference’s proposed topics and how they’ll shape the future of the Internet of Things, a recent article on ReadWriteWeb explores the incredibly vast scope of this connected device landscape.

Some of the highlights include:

  • How the IoT–through the smart grid and other eco-initiatives–will encourage a greener planet
  • The creation of entirely new industries from relatively simple, novel tech ideas
  • The potential for connected technologies such as RFID and GPS to threaten personal privacy and security

As the Internet of Things continues its rapid expansion, the need to ensure device integrity and security–as an integral part of the design–will become increasingly critical.

Tags: , , , , ,
Posted in Uncategorized | 1 Comment »

Project costs 60x higher when security addressed late in the development cycle – IOActive Study

Monday, March 22nd, 2010

pic6-35A recent article on IntelligentUtility.com warns that, as the Smart Grid utility infrastructure continues to develop across the country, comprehensive security solutions need to be planned in advance and built-in as integral parts of the system.

According to IOActive, a security consultancy, “Studies show that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development cycle, as opposed to projects where security is implemented in the design phase.”

Once it is understood and accepted that security controls must be built in from the design phase, the next question is: Where should they reside? The answer is everywhere. When you break down the AMI Stack into its different layers, the problem becomes much more manageable. …[Y]ou can begin to dissect the different components of AMI, from the meter itself, to the communications network, to the meter data management system (MDMS), and to the mission-critical billings applications. Security controls need to be approached holistically and be designed within and across these layers one by one. [...]

  • Do you manage encryption from an enterprise-wide perspective?
  • What access controls do you employ?
  • How will consumers authenticate themselves to the new portals?
  • How do you protect meter data as it flows through the network and once it is stored in the data center?
  • How will you manage thousands to millions of new network-connected devices in a secure manner?
  • What existing enterprise cyber security investments can you leverage across the emerging Smart Grid information infrastructure?

These questions, among others, are already being asked by the North American Electric Reliability Corporation (NERC). The more the public is sensitive to and understands these issues, the more they’ll begin to demand that action be taken.

Tags:
Posted in Uncategorized | 1 Comment »

Expert Warns of Industrial Control Security Risks

Sunday, January 10th, 2010

pic4-30Citing catastrophic Industrial Control Systems-related events such as the Bellingham, WA pipeline explosion in 1999 that killed three people, cybersecurity expert Joe Weiss recently discussed the lack of attention surrounding Industrial Control Systems (ICS) cybersecurity. In his article, he draws parallels between the current weaknesses in ICS security and the failures that led to major national security incidents such as the Detroit bomber and the 9/11 attacks.

As posted on the ControlGlobal blog:

Compare what happened with 9/11 and the Detroit incident to the lack of “connecting the dots” in Industrial Control System (ICS) cyber security. According to my ICS incident database there have been more than 170 control system cyber incidents – many of these of common origins and continuing to recur. There are many government, industry, and commercial organizations providing guidance for traditional IT threats…. However, there is no guidance on what to do or even what to look for to prevent ICS-unique cyber incidents.  And, it is ICS-unique cyber incidents that have caused some of the most significant cyber events to date including those that have killed people, and caused major outages and equipment impacts.

ICS security is difficult to detect and prevent because:
- There is still limited use of ICS-unique policies and procedures to prevent incidents,
- The work force still is not trained to detect ICS-unique cyber incidents…
- ICS cyber forensics are still lacking in even some of the newest systems, and
- Industry is still in denial about ICS security.

As the US utility infrastructure continues the transition to Smart Grid technology, the need for comprehensive, up-to-date cybersecurity in Industrial Control Systems will become increasingly urgent.

Tags: , , ,
Posted in Uncategorized | No Comments »

Mocana Speaker at the Smart Grid Conference

Thursday, August 27th, 2009

smartgridMocana’s own Phil Montgomery will be part of an expert panel on smart grid security at the Smart Grid Conference next week in Los Angeles. He’ll be talking about some of the challenges device manufacturers and integrators face when trying to rollout next-generation electricity infrastructure that’s greener, but tougher for hackers to compromise.

Designing security software for the smart grid is a non-trivial undertaking, and it’s a problem we’ve been working for a while now. Here’s what we think is missing in some of the other smart grid security implementations we’ve seen:

  1. Smart grid security needs to interoperate with multiple security standards, and help utilities (and integrators) avoid vendor lock-in. The package should be a comprehensive solution that enables smart grid devices to interoperate with virtually any security specification, including those from Zigbee, HomePlug, AMI-SEC or IEEE1686. It should let implementers choose the algorithms and keysizes that work best for a particular device—whether that’s elliptic curve (ECC), RSA, AES or something else entirely. That keeps follow-on projects open to the best technologies at the lowest prices, and avoids taxpayers dollars being held hostage to one vendor’s proprietary approach.
  2. Smart grid security needs to scale. And we mean, really really scale. The software should enable utilities to achieve the tremendous per-byte security efficiencies they need in order to handle millions of meters and thousands of servers while maintaining high-availability and fail-over capabilities.
  3. Smart grid security needs to be efficient. The software should be comfortable working in resource-constrained environments, without a lot of spare memory or processor power. These new meters are smart, yes. But supercomputers they ain’t, and cryptography is notoriously compute-intensive.
  4. Smart grid security needs to be FIPS-Certified. All government agencies and most contractors require FIPS-certification of cryptographic engines in the solutions they buy — and its a difficult certification to achieve. Smart grid security software should be available to integrators in both source code, *and* as a government-certified FIPS 140-2 Level 1 validated binary. While we’re at it, it’d be nice if the engine supported NSA’s Suite B algorithms, providing secure communications between high-assurance (classified) and basic-assurance systems for those smart grid implementations interfacing directly with government agencies.

Tags: , , ,
Posted in Uncategorized | No Comments »