ERE Information Security Auditors

Posts Tagged ‘Smart Grid’

What’s the threat? Smart Grid or Dazed Defenders

Tuesday, February 15th, 2011

The Government Accountability Office recently warned that the quick uptake of smart grid infrastructure is likely to result in more cyber attacks. I think what they actually mean is lots of destruction and damage as the result of new cyber attacks.

It strikes me that the GAO, Department of Homeland Security, Stuxnet-nail-biters, and the like all have the impression that Smart Grid technology introduces some mystifying vulnerability into the electrical grid mix. I don’t think so.
Smart Grid technology is simply new. Any new technology brings to the table potential vulnerabilities both intrinsic to the technology and how it is implemented within an existing infrastructure. In this case the existing infrastructure is a continent covered by legacy electrical networks.
Legacy can be secure if it doesn’t leak like a security sieve. Unfortunately not so with our legacy electrical networks. The powers that be have bolted onto them SCADA real time monitoring and management systems, which is no problem in itself. However, the fact that some SCADA servers reside on poorly secured networks does present a serious security vulnerability.

So where does Smart Grid technology fit into all this? Quite simply: the exact same way as does SCADA. What I mean is that if the SCADA host networks are hardened then they would also be more secure for hosting Smart Grid network technology.

But Smart Grid experts will metaphorically jump down my throat and point out that since Smart Grid technology communicates with customers’ very own houses and places of business, it therefore opens a Pandora’s Box of new problems.

Hogwash.

If the host servers for the Smart Grid technology are properly isolated and secured from the rest of the SCADA network and from the rest of an electrical utility’s administrative network, there is very little increased chance of a security breach.

The way to properly secure these Smart Grid servers has been well known for many years. NERC CIP standards are written expressly for electrical utilities. If rigorously deployed they are a material step towards Smart Grid network security. In my humble opinion a more comprehensive set of security control points within COBIT, upon which IT SOX compliance is based, should also be considered for hardening the electrical grid.

Dazed Defenders
So where’s the gap between implementing high confidence security standards for the Smart Grid and the current worry storm?

The gap is usually found in utility managements’ unwillingness to adequately fund network security. I’ve spoken with lots of in-house IT security folks at electrical utilities and most of them know exactly how to solve the Smart Grid security shortfall. Unfortunately their management seems confused on the issue. You may wonder why management is confused if their security experts aren’t. I think there are two reasons why:
• Executives are more receptive to network security studies than to actual security solutions.
• In-house security experts speak technology and not Return on Investment to their execs.

The solution? Have all security-befuddled executives call me for a 10 minute clarifying conversation.

Have a secure week. Ron Lepofsky, CISSP, CISM www.ere-security.ca

Securing the Smart Grid

Wednesday, April 21st, 2010


Am I reading an oxymoron in this title?  Or what!

In a recent article in CNET news, Elinor Mills investigates potential new security vulnerabilities created by adding smart metering onto our legacy North American electricity distribution architecture.

First of all North America has not fully implemented a smart electricity architecture or “Grid”.  A smart grid would not have allowed the type of cascading meltdown that occurred in August 2003, and as far as I know that grid has not been sufficiently modified as to be considered ubiquitously smart.  Has anyone got a different perspective on the status of the grid upgrade?  For a look at this article please click to: http://www.ere-security.ca/index.php , RSS feed, April 9, 2010.

Adding smart meters with IP addresses does not compromise the security of the rest of the smart grid, in my humble opinion.  This would be more of an issue if many key devices on the grid had IP addresses and were managed accordingly.  But again, a smart IP grid is not there yet.

The CNET article goes on to explore the possibility of the smart meter’s being compromised and the countermeasures being implemented by various vendors.  I’ve even read some articles identifying concerns that smart meters are possibly an entry point into a household’s network for hacking purposes.  This sounds like dark magic to me, especially if the smart meter is in no way connected to the household’s network.  The bottom line, I believe, is that smart meters in and of themselves do not present a security threat or a vulnerability to the grid.

However…

Opening the control technology used by electrical distribution networks to a wider network certainly does pose a plethora of threats to the control technology and, therefore,  to the entire control network.

The electrical distribution industry has standardized on SCADA control technology, and SCADA networks are sacrosanct.  They control and monitor actual electrical equipment, and errors can result in death, damage to equipment, and power outages.  So opening a SCADA control network to encompass smart meters expands access points exponentially.  For more information please see http://www.ere-security.ca/SCADA_CIP.html

The problem then becomes securing the vastly greater scope of network against all the usual security suspects.  The utility industry relies on a security standard called NERC CIP  http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html

In our experience as security and NERC CIP compliance auditors, we’ve seen nightmare scenarios regarding the unauthorized access vulnerabilities just on SCADA networks.  I don’t want to give anybody any ideas, so I’m not going to be any more specific here.  But you get the idea.  If it is difficult as is to keep SCADA networks secure, imagine expanding the scope of access to the network by hundreds of thousands of locations.

My idea is that a smart grid is one with superbly controlled access and authentication.  Access and authentication controls of course are composed of: logical controls, physical security, and people behavior.  So some smart meters are the least of the worries for ensuring the availability and dependability of a smart grid.

Have a secure week.

Regards, Ron Lepofsky, CISSP

President,

ERE Information Security and Compliance Auditors

www.ere-security.ca

