The Government Accountability Office recently warned that the quick uptake of smart grid infrastructure is likely to result in more cyber attacks. I think what they actually mean is lots of destruction and damage as the result of new cyber attacks.
It strikes me that the GAO, Department of Homeland Security, Stuxnet-nail-biters, and the like all have the impression that Smart Grid technology introduces some mystifying vulnerability into the electrical grid mix. I don’t think so.
Smart Grid technology is simply new. Any new technology brings to the table potential vulnerabilities, both intrinsic to the technology and in how it is implemented within an existing infrastructure. In this case the existing infrastructure is a continent covered by legacy electrical networks.
Legacy can be secure if it doesn’t leak like a security sieve. Unfortunately not so with our legacy electrical networks. The powers that be have bolted onto them SCADA real-time monitoring and management systems, which is no problem in itself. However, the fact that some SCADA servers reside on poorly secured networks does present a serious security vulnerability.
So where does Smart Grid technology fit into all this? Quite simply, the exact same way as does SCADA. What I mean is that if the SCADA host networks are hardened then they would also be more secure for hosting Smart Grid network technology. But Smart Grid experts will metaphorically jump down my throat and point out that since Smart Grid technology communicates with customers’ very own houses and places of business, it therefore opens a Pandora’s Box of new problems.
Hogwash.
If the host servers for the Smart Grid technology are properly isolated and secured from the rest of the SCADA network and from the rest of an electrical utility’s administrative network, there is very little increased chance of a security breach. The way to properly secure these Smart Grid servers has been well known for many years. NERC CIP standards are written expressly for electrical utilities. If rigorously deployed they are a material step towards Smart Grid network security. In my humble opinion a more comprehensive set of security control points within COBIT, upon which IT SOX compliance is based, should also be considered for hardening the electrical grid.
Dazed Defenders
So where’s the gap between implementing high confidence security standards for the Smart Grid and the current worry storm? The gap is usually found in utility managements’ unwillingness to adequately fund network security. I’ve spoken with lots of in-house IT security folks at electrical utilities and most of them know exactly how to solve the Smart Grid security shortfall. Unfortunately their management seems confused on the issue. You may wonder why management is confused if their security experts aren’t. I think there are two reasons why:
• Executives are more receptive to network security studies than to actual security solutions.
• In-house security experts speak technology and not Return on Investment to their execs.
The solution? Have all security-befuddled executives call me for a 10 minute clarifying conversation. Have a secure week.
Ron Lepofsky, CISSP, CISM www.ere-security.ca