Internet Security Systems - AlertCon(TM)

Blinkered Thoughts on 'Smart Grid' Security

Posted by Gunter Ollmann on March 21, 2009 at 10:57 AM EDT.

A colleague pointed me to a CNN headline news story this morning titled "'Smart Grid' may be vulnerable to hackers".

It's an interesting piece largely focused upon several implied risks associated with the "smart" part of the new grid proposals - i.e. the interconnected nature of the newer devices. There are of course the usual smatterings of sensationalist "hackers can break this".

I've been involved in several aspects of Smart Grid security for some time now - ranging from embedding security into the smart meters themselves through to penetration testing of national power grids and nuclear plants. And yes, while it's true that there are ways of breaching most of the technologies out there (and several of the technologies that are still only twinkles in the eyes of an engineer), this applies to any technology (not just in the power utilities) - past, present and future.

Without getting into the nitty-gritty of particular technologies and their respective security flaws, I think many people underestimate the advances that have been made in overall system security as we progress towards a Smart Grid infrastructure. Sure, for many the use of wireless communication technologies in household power meters raises the specter of past security failings in technologies such as 802.11b WEP - but a lot has been learnt in the meantime. Just as many security consultants will point to old security flaws, and actively look for them in newer technologies, the engineers developing these new smart grid solutions aren't ignorant of the past either.

Yes, there are security flaws. I know firsthand of several such flaws, and I can point out several new vectors for attack that power distribution systems haven't had to worry about in the past. However, proposals to not pursue this newer and vastly more efficient Smart Grid technology for fear of security flaws - in my opinion - are based upon ignorance of where the technologies are at today.

I've heard many times that a hacker could break into a home's wireless power meter and do all kinds of nastiness (and in some cases it's probably true - with enough time and effort). That's as may be. However, today (and for the last 50+ years) you can do much more damage and conduct all kinds of fraud with a $2 pair of wire cutters.

I've also heard that someone could hack into a nuclear power plant and shut it down, which would affect millions of houses and businesses in the country. Frankly you could cause the same wide-scale disruption by simply crashing a couple of rental cars into two power distribution centers simultaneously - which would likely cause a widespread cascade failure. Or, on a more provincial level, simply throwing a bicycle over the fence of a local distribution center and onto the pylons will be enough to interrupt power to thousands of local houses and businesses. Which particular threat are you trying to protect against? Let's not get distracted from what these new technologies offer us.

There are thousands of security aspects to Smart Grid, and there are going to be security flaws. But we (speaking on behalf of those of us in the security business) often spend a disproportionate amount of time picking holes in future and proposed technologies rather than properly acknowledging the security flaws already present within today's deployed systems. In a perfect world we could take a time-out before advancing to a new technology - making sure it was perfect before implementation.

Sorry, but nothing's perfect, and you can't guarantee anything will be secure against a motivated attacker.
