Sunday, January 31, 2010

Smart Grid Security

We have been working on Smart Grid security lately, and it is indeed quite interesting. It is essentially the single largest global technology project mankind has ever witnessed. The intent of the the project is to place every single node electricity touches on the Smart Grid. In stage 1 it is limited to Smart Meters replacing the classic analog meters found throughout the world. In stage x it will extend to everything in the home (ostensibly).

There are several technologies and protocols being used for communications on the Smart Grid, and all present interesting security challenges. The good news is that security is indeed a part of the discussion, and perhaps being given more attention than I have seen in the past with many large initiatives. The bad news is that the rollout is moving forward despite not having standards solidified.

This does not mean security is not being implemented. It is indeed being implemented and the key players in the ecosystem are learning as they go. Hey! This is usually how it is done. Nothing is new here. What I find interesting is that with standards not locked down yet (NIST Guidelines do not get very specific), it may mean that systems will have to be retrofitted in the event of a major security flaw. Since the minds behind the architecture seem to be aware of this, the security design seems to be quite layered, which is a good thing. This should help stop scalable hacks.

The lingering question I keep asking is "Why are equipment manufacturers not concerned with standards that may render their products obsolete?"

I would posit that this is because of 1 (or more) of these reasons:

  1. Major manufacturers are influencing the standards to fit into their roadmaps.
  2. Major manufacturers are planning a "version 2" with better security, and are likely to get paid again when they must replace "version 1"
  3. Major manufacturers are not liable for non-obvious flaws, and have performed enough due diligence in "version 1" to safely hold onto the massive revenues the project brings in.
There are perhaps more reasons, but I am sure the 3 I mention are close to the mark. As a security professional, I am excited about the possibilities this project brings. Much of the information I have gathered has shown me that there are a lot of great security minds working on the Smart Grid, and the collaborative nature of the project is likely to lead to good security that can be built and managed collectively. This project is a huge "pie" with lots of wedges to share, and security is large enough to share with many security professionals, who are all likely to walk away quite full regardless of how many choose to join the project.

Exciting times indeed!