If lengthy requirements were a measure of success, then smart grid technology is well on its way to being an anomaly in the environmental controls space. But I'm not going to try to hold my breath for that to happen.

In mid-March the Advanced Metering Infrastructure Security (AMI-SEC) Task Force released a 64-page set of security requirements for remotely accessible electric meters. The AMI-SEC Task Force includes a bunch of utilities, the Electric Power Research Institute, the U.S. Department of Energy, some people from Carnegie Mellon University, among others -- a group that one would hope would have a clue when talking about controlling electric systems and security. At first blush this is good timing because the Obama stimulus package contains more than $4 billion for smart grid technology, which depends on remotely accessible electric meters that won't be easy for a bad guy to control.

There are a lot, perhaps hundreds, of individual security requirements in this document. But many are, to say the least, high level and non-specific. For example, requirement FIN.37: "The security function shall protect the integrity of transmitted information"; and requirement AAC.3: "The security function shall enforce the [assignment: access control security function policy] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the security function policy]."

It is fine to have such requirements but it is merely wishful thinking until specific technology is developed and agreed upon.

It is good to see that someone in this industry is paying at least some attention to security. I've looked at many
IP-based building control systems, including lighting and environmental control systems, and I have yet to find one that even pretends the system has any network security. All of the ones I've seen do not even mention network security or they assume that the products are deployed on isolated private networks. Somehow these manufacturers expect that you will build multiple networks in each building. Some of the systems do not even understand virtual LANs and may mean multiple physical Ethernet switches in each network closet. Some, but not all, building access control systems are a bit better, but network security does not seem to be a major concern.