With billions of dollars of public and private smart grid investment in place and billions more in forecasted network hardware and software shipments, will enthusiasm for the smart grid be dampened by security concerns? Current smart meter deployment trends and reported security breaches point towards that possibility. A recent Pike Research report entitled “Smart Grid: 10 Trends to Watch 2011 and Beyond” maintains that “security will become the top smart grid concern”.
Making the dumb grid smart
Power and utility companies made a difficult start when it came to securing the smart grid. Their basic network grid topology was built on stand-alone facilities offering limited interactive networked intelligence from the substation, distribution and transmission side, with even fewer capabilities on the user demand side. With limited network capabilities in place, power companies pushed to offer end user network intelligence for every user on the demand side of the grid.
This approach may seem backwards for most network and security people but it was necessary to show smart grid utility ROI and power generation savings quickly. The basic demand side theory was that if you could gather intelligence from the power grid demand side first, you could immediately reduce peak load consumption offering tremendous capital and raw material recurring savings. The problem was that these end network communication devices were rushed out without sufficient security in place, and over time, not surprisingly, security breaches occurred.
Consider this power grid communication infrastructure, and then try to securely deploy an interactive network to a real time database connected to every electricity user. Quite a daunting task.
Security breaches confirmed and the criminal element defined
Security breaches in power plants have now been documented and the recent Stuxnet attacks have been called “without precedent” and “a game changer” by Sean McGurk, head of the Department of Homeland Security’s Cybersecurity Center. Pike Research reported:
“The technical analysis on Stuxnet continues, and it appears to be a very sophisticated attack not aimed at the electrical infrastructure. But if nothing else, the threats security experts have been warning of for years have now moved from theory to reality. Since the industry is taking greater notice, especially regulators and government (including the U.S. Congress), utilities will need to determine what cyber security measures are required – even as standards and regulations are still evolving.”
Network intrusion detection experts like Josh Wright from InGuardian confirmed the vulnerability of smart meter security. They have now detected vulnerabilities in wireless Zigbee systems that are targeted to be the premier network technology in smart grid Home Area Networks (HAN). In his recent presentation the Killer Bee, Practical ZigBee Exploitation Framework, Mr. Wright clearly demonstrated current Zigbee security concerns in a variety of smart grid end user devices.
These vulnerabilities and needed corrections were further documented in another Pike Research report, Smart Meter Security. A recent Pike Research report not only defined security vulnerabilities in smart meters but targeted tremendous opportunities addressing these security issues. The report, entitled “Smart Meter Security,” assesses the security risks to Smart Metering, using ISO27002:2005 as a baseline to identify topics for consideration. The study reviews Smart Metering against all 11 security clauses of ISO27002:2005 to identify six key security opportunities including event correlation improvements, security software on meters, identity management and authorization, network resiliency, meter worm prevention, and end-to-end data encryption.
With known vulnerability, who wants to hack the grid anyway? Mike Ahmadi, organizer of the Smart Grid Security East Conference and Vice President Of Operations for the security firm GraniteKey, targets the accessibility of data then adds volume to dollars in a formula that will attract organized crime.
“I think about this a lot when I consider Smart Grid technologies, as well as health care information technologies. As these technologies grow we are going to see new sources of information emerge, and in our inherent somewhat lackadaisical manner of dealing with security at the decision making helm of our corporate culture, we will create plenty of early opportunities for aggregation and inference. The quicker an attack leads to cash for the attacker, the greater the likelihood that the attack moves from theory to reality.”
He adds, “This is, however, only part of the theory. The other part has to do with volume. For organized crime to get involved, the volume needs to be big enough to take the risk. Remember, organized crime is just as concerned with risk as corporations are. Therefore a quick path to cash that does not include a large enough volume is not necessarily a win for organized crime.” The smart grid certainly qualifies in volume requirements.
Big time security and big time bucks
For every problem lies an opportunity and indeed these opportunities are outlined by Pike Research in their smart grid security revenue projections. With opportunities come different ideas on dealing with the security problem.
Grid Net has just released a white paper entitled “Assuring a Secure Smart Grid”. The white paper begins by stating “to build a secure, resilient, mission-critical Smart Grid network, utilities require technology that is secure, reliable, and self healing. The growth of the Smart Grid and the advanced security technology will necessarily go hand in hand. The electricity grid is the foundation infrastructure on which rests not only economic performance, but also public and personal health, safety and welfare. Without robust security in place, the Smart Grid-will not -and should-be built and deployed.”
By applying over 40 standards, Grid Net’s approach to the smart grid security is “multi-layer.” The core architecture delivers an end-to-end secure solution, which begins with PolicyNet SmartNOS and Smart Grid devices (smart meters, routers, inverters, and customer devices), proceeds to data encryption for both data storage and data transport on the network, and concludes with PolicyNet SmartGrid NMS at the Utility NOC. The PolicyNet software suite is based on three foundations – Architecture, Process, and Response-that take a “defense-in-depth” approach to security to provide robust end-to-end security.
SmartSynch came out with a hardware product called the GridRouter which is a smart grid solution that serves as an IP-addressable, external interface offering WAN, LAN and HAN connectivity to a variety of smart grid devices. The GridRouter acts as a wireless “pipe” capable of transmitting and receiving data over public wireless networks using Internet-based or other open standards. Through the GridRouter and its use of public wireless networks, utilities can quickly and affordably spot-deploy smart grid applications, including load profile and control, power quality monitoring, distribution automation, and standby generator control. The GridRouter also enables utilities to support homeowner-focused smart metering programs such as demand response, demand-side management and real-time pricing. It uses an IPsec Security Platform using Public Key Infrastructure (PKI) VPN Subtunnels to Connected IP end-devices with Digital Certificates and AES 256-bit Encryption connecting VPN Tunnels to Each GridRouter Port.
WirelessWall offers a standards based, FIPS 140-2 solution to securing at Layer 2 with a unique approach – implementing an IEEE Robust Secure Network for everything. According to CTO Phil Smith, “WirelessWall is elegance through simplicity. It can best be described as WPA2-Enterprise in software (AES 128-bit CCMP, 802.1x and EAP-TTLS mutual authentication).” Billed as a high-throughput and lightweight encrypting firewall, a central part of the WirelessWall advantage is providing uniform security across multiple domains which in the case of Smart Meters, would be HAN (Zigbee) and backhaul (WiFi, WiMax, broadband, Mesh, etc.). Phil goes on to say, “without WirelessWall, it is like the Tower of Babel. Management complexity makes it operationally infeasible and cost prohibitive to use different security methods for each type of network. Inconsistency and complexity lead to vulnerabilities. Our strength is securing end-to-end at Layer 2 to provide cohesion, uniformity and interoperability. “
FYRM Associates offer a completely different approach in addressing need smart grid security needs. Tony Flick has worked for over eight years in the security industry and is currently a Principal with Tampa-based FYRM Associates. He has presented at Black Hat, DEF CON, ShmooCon and OWASP chapter meetings on Smart Grid and application security concepts related challenges in his book - Securing the Smart Grid. Tony sees a different approach needs to be taken in addressing smart grid security:
“A secure smart grid can be implemented through effective security controls. By focusing on security controls, rather than individual vulnerabilities and threats, utility companies and smart grid technology vendors can remediate the root cause issues that lead to vulnerabilities. As history has shown, these security controls are much more difficult and some times impossible to be added on; they need to be integrated from the beginning to minimize implementation issues. Additionally, new threats and attacks will arise and thus, the operating effectiveness of the implemented security controls must be assessed on a regular basis to ensure smart grids are protected against the ever-evolving threat landscape.”
Every security approach has advantages and disadvantages. Some have complexities that will add to the cost of deployment, while others may put loads on the network that can affect recurring cost in bandwidth and potentially unacceptable network latency. Some may be simple but only be part of the required solution, while others will be continued upgraded.
Security solutions may differ, but the clear message in the smart grid is to get effective security deployed and get it deployed now. With billions of dollars in deployments on hold, there must be a concerted effort to fund immediate, short term and long term security solutions for the smart grid or the smart grid is not going to get smart anytime soon.
* * * * *
About the author
Larry Karisny is the Director of Project Safety.org and a consultant supporting local wireless broadband, smart grid, transportation and network security platforms. ProjectSafety Business and Technology Cluster researches and deploys leading-edge standards based technologies supporting secure migration paths to current and future wireless networks and network applications.