ERE Information Security Auditors
Executive Strategies for Managing Risk
Audit Tactics for Managing Risk

Securing the Smart Grid


Am I reading an oxymoron in this title?  Or what!

In a recent article in CNET news, Elinor Mills investigates potential new security vulnerabilities introduced by adding smart metering onto our legacy North American electricity distribution architecture.

First of all, North America has not fully implemented a smart electricity architecture or “Grid”.  A smart grid would not have allowed the type of cascading meltdown that occurred in August 2003, and as far as I know that grid has not been modified sufficiently to be considered ubiquitously smart.  Has anyone got a different perspective on the status of the grid upgrade?  For a look at this article please click to: http://www.ere-security.ca/index.php , RSS feed, April 9, 2010.

Adding smart meters with IP addresses does not, in my humble opinion, compromise the security of the rest of the smart grid.  This would be more of an issue if many key devices on the grid had IP addresses and were managed accordingly.  But again, a smart IP grid is not there yet.

The CNET article goes on to explore the possibility of smart meters being compromised and the countermeasures being implemented by various vendors.  I’ve even read some articles identifying concerns that smart meters are possibly an entry point into a household’s network for hacking purposes.  This sounds like dark magic to me, especially if the smart meter is in no way connected to the household’s network.  The bottom line, I believe, is that smart meters in and of themselves do not present a security threat or a vulnerability to the grid.

However...

Opening the control technology used by electrical distribution networks to a wider network certainly does pose a plethora of threats to the control technology and, therefore, to the entire control network.

The electrical distribution industry has standardized on SCADA control technology, and SCADA networks are sacrosanct.  They control and monitor actual electrical equipment, and errors can result in death, damage to equipment, and power outages.  So opening a SCADA control network to encompass smart meters expands access points exponentially.  For more information please see http://www.ere-security.ca/SCADA_CIP.html

The problem then becomes securing the vastly greater scope of the network against all the usual security suspects.  The utility industry relies on a security standard called NERC CIP: http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html

In our experience as security and NERC CIP compliance auditors, we’ve seen nightmare scenarios regarding unauthorized access vulnerabilities just on SCADA networks.  I don’t want to give anybody any ideas, so I’m not going to be any more specific here.  But you get the idea.  If it is difficult as it is to keep SCADA networks secure, imagine expanding the scope of access to the network by hundreds of thousands of locations.

My idea is that a smart grid is one with superbly controlled access and authentication.  Access and authentication controls of course are composed of: logical controls, physical security, and people behavior.  So some smart meters are the least of the worries for ensuring the availability and dependability of a smart grid.

Have a secure week.

Regards, Ron Lepofsky, CISSP

President,

ERE Information Security and Compliance Auditors

www.ere-security.ca


5 Responses to “Securing the Smart Grid”

  1. TomPier says:

    great post as usual!

  2. Ryan Lowe says:

    “Access and authentication controls of course are composed of: logical controls, physical security, and people behavior.”

    I’ve been working on Visual Awareness campaigns, with regard to the “people behavior” aspect of NERC CIP compliance, currently still producing these if anyone is interested in seeing more:

    http://www.bigbanggravity.com/nerc_cip_awareness/

  3. I’ve recently started a blog, the information you provide on this site has helped me tremendously. Thank you for all of your time & work.

  4. This is the first time I’ve visited this website. I discovered lots of interesting stuff in your blog. From the many remarks on your articles, I guess I’m not alone! Continue the actual amazing function.

  5. ?? says:

    I couldn’t agree with you more; anyway, I love your site layout. It is nice and clean.



Copyrights © 2007-2008. All rights reserved.