With all the stories out this week about security threats to the smart grid, you might get the impression that your smart meter’s gonna leave you susceptible to diabolical plots from the likes of Kim Jong Il, Somali pirates and the Joker. There are real concerns, but computer security companies, policy makers and trade groups are making more and more noise about smart grid security at this early stage of the grid’s development in an effort to set standards and to create voluntary programs before federal laws are set. And for those who have a product to sell, it’s also an effort to build a market — grid security will be a big business.
This week the North American Electric Reliability Corp. (NERC) said it has made progress on some “milestones” (more like incremental steps) for smart grid security. NERC says its Board of Trustees has approved the first revisions of its eight cyber security standards, and is working on a second set of revisions to come out later this year. NERC will also soon start assessments, or cyber war games as The Wall Street Journal calls them, with power companies to figure out how best to respond to “cyber incidents.” In addition, NERC has created an alerting portal to inform power companies and personnel when a breach is under way. (We can see it now: ALERT! METERS IN FRESNO ARE UNDER THE CONTROL OF THE PIRATE BAY.)
Standards, procedures and alert systems are a good start, but the electric utility industry is also turning to the good ol’ defense industry. According to The Wall Street Journal, NERC is in negotiations with a defense contractor for the position of “searching for breaches by cyberspies.” It’s not as crazy as it sounds. According to a report in The National Journal last year, Chinese hackers may have already used what little infotech intelligence there is on the current power grid to cause two major blackouts. And the WSJ also reported back in April that Russian and Chinese spies had hacked into the U.S. power grid.
Policy makers and companies are doing this structural security work so that the industry can meet certain criteria in advance of laws coming down the pipeline. There are at least three proposals for smart grid security laws under discussion. But most of these smart grid security steps are being taken because it will be a lot less expensive to build security requirements into the infrastructure at the beginning than to add them on down the road. According to executives at computer security firm IOActive:
Studies show that overall project costs are 60 times higher when gaps in information security controls are addressed late in the development cycle, as opposed to projects where security is implemented in the design phase.
IOActive says that the smart grid lacks a formal Secure Development Lifecycle (SDL) — a computer security guide which was championed by Microsoft — to dictate the development of security technologies and products. If there’s anything that software developers have learned over the past decade, it’s that they need guidelines to save time and expenses when developing new tools, and power companies and smart grid policy makers will likely lean heavily on this experience.
If they don’t, well, computing security companies have some fun tricks up their sleeves. In April, IOActive says it found programming errors on some smart meter platforms, which enabled the team to take over the smart meter system, including being able to manipulate on and off functions, and expose usage data. The same process could be used to push a worm into the smart meter system, says IOActive. And to prove the point, IOActive’s team has actually created such a worm, which it will show off at a computer security conference next month in Las Vegas.