Saturday, March 13, 2010

The Smart Grid Privacy Smoke Screen

Whenever I watch news on network media I view everything being said with quite a bit of cynicism. Heck! Security professionals are NOTORIOUSLY cynical. The security professional mindset is designed to quickly wade through layers of what can be seen on the surface and find that which cannot be seen, which tends to tell THE REAL STORY.

Back to the news for a moment. When I see a major topic wrapped with lots of sensationalistic coverage splattered all over the airwaves and news sources, I immediately ask "Okay, what is REALLY going on." Why is everyone talking about who does or does not have the right to use the word "retard" (for example). What is the real agenda, or what are they trying to prevent us from paying attention to.

I know it may sound conspiratorial, but I see this a lot with security, and I assume it happens everywhere else.

Let us discuss security for a moment.

There are some things in the world of security that are complex, and some that are not so complex. There are good ways to protect systems using low cost, medium cost, and high cost components and procedures. When making a determination about what is the best choice (from a financial perspective) organizations that must implement security must always balance the risks with the costs. This is simply how it is done. Many of the risks associated with security are driven by compliance. If an organization does not comply with "the rules", they can be held liable for a failure to perform due diligence. This is, by far, the biggest driver (and headache) for any organization. Security generates no ROI in this case, it simply acts as insurance. Nobody I know likes to pay their insurance premiums, but they all must.

The other way security ends up in systems is when it has been attacked. Generally the more significant the attack (i.e. the more costly the attack), the better the security solution. I do not want to spend too much time on this particular topic, but it does warrant a mention. This is the holy grail of security professionals, by the way.

In cases where security becomes a topic of discussion, and consequently a major bone of contention among vendors who are subject to security mandates, what frequently happens is that the conversation takes a direction that serves the lowest common denominator. Rather than talk about the "real" issues, we tend to talk about issues that seem to be of utmost concern, but really do not matter nearly as much as the "real" issues. This is often because the more important issues are quite a bit more complex (and consequently more costly) to deal with. By shifting the focus to the less complex issues, organizations tend to appear as if they are solving a problem (and consequently performing due diligence), but they are actually avoiding the bigger issues.

For the last several days I have been reading through piles of comments submitted to the California Public Utilities Commission (CPUC) regarding Smart Grid deployment. Within these documents there are quite a few comments regarding Smart Grid security, but the overwhelming language talks about security as it relates to privacy (i.e protection of consumer usage information).

Okay, I do indeed believe privacy is important, and hold it near and dear. California was one of the first states to enact privacy laws, and has definitely led the pack in this arena. I definitely get it. Privacy is indeed important.

Sadly, however, it is a smoke screen. The focus on privacy takes our focus off of the real security challenges we face as we deploy the Smart Grid. Privacy, as it turns out, is not as challenging an issue as preventing large scale attacks of the Smart Grid which could theoretically bring down large SCADA systems. Why do I believe this? Because it simply does not have the WOW effect from a hacker community (and media) perspective. You see, EVERYTHING that is computer/network/system related can be hacked at some point. In an ideal world, the good guys try to keep ahead of the bad guys. The bad guys are always working on taking down what the good guys have built, and the most interesting things to take down are the ones which have the most impact. Hacking my meter (or any one's meter) to see how much power I use just does not get you very much attention these days in the world of hacking. Taking down a generator, however, does.

So as I read through countless pontifications about how crucial it is to ensure our privacy, and consider the extraordinarily low risk of a breach of privacy causing our lives to change in any considerable way (let's face it, how many of us truly feel we have any privacy these days?), I cannot help but think about what an effective smoke screen this is when we consider Smart Grid security. NISTIR 7628 is fully aware of where privacy sits on the scale of things to watch out for, and the February 2010 draft clearly points this out, listing privacy as a tertiary concern as it relates to security.

Yet the public comments floating around the CPUC seem to indicate that privacy is "what it is all about". I certainly do NOT see any discussions of any value indicating otherwise. Nearly every security professional I have spoken to about Smart Grid security finds this focus a bit absurd in light of both the know (non-theoretical) and assumed (theoretical) security dangers.

I think the public should consider this as they strive to educate themselves about security and the Smart Grid.

No comments: