Wednesday, March 23, 2011

RSA SecurID and The Smart Grid

The compromise of RSA's SecurID system is one of several security-related hot topics this week.  I am still not sure how significant the compromise is (some say it is not overly significant, others claim it is a massive problem), but one thing is quite clear to me and many others I know in the security world - it is not a major surprise that their security has been compromised.

Security gets compromised.  That is what happens with security.  Some organizations have great track records.  As I understand it, RSA SecurID has a 20 year track record.  Cryptography Research claims an 8 year perfect record for their CryptoFirewall product (used to protect, among other technologies, pay TV).  DES and SHA1 had their days in the sun, but all good things come to an end, and the newer and (hopefully) better technologies take their place.  Heck!  There was a time when the Mac loving world believed that Macs were immune to security compromises.  Think again!

RSA will fix whatever is broken.  They are a good company with a long history of knowing what they are doing.  Sure, they make mistakes along the way, but they are a good provider of security products.  The fact is that a compromise helps build better security.  As users of security technologies, we should EXPECT compromise at some point, and be prepared for it.  I am a careful driver, who does not text as I drive, and stays within the speed limit (more or less), and I wear my seatbelt and back up out of parking spots nice and slow.  Nonetheless, I am fully aware that operating my motor vehicle puts me at high risk for an automobile accident.  I can avoid automobile accidents entirely only by never getting anywhere near an automotive vehicle.  In the world of technology it is the same story.  If I play in the cyber world I am going to face cybersecurity incidents.

That brings me to the Smart Grid, and perhaps more specifically Smart Meters (or AMI in general).  Utility Commissions throughout the US (and perhaps the world) are hoping that rate cases cover AMI products that are going to be "good to go" for somewhere around 15 or 20 years.  This strikes me (and others I have spoken to) as somewhat of a pipe dream.  RSA SecurID is built to function as a sort of "Fort Knox" of security systems, and it lasted about 20 years.  AMI products are simply not designed that way today, and it may be a while before they are.  Simply put, utilities do not require that level of security and do not want to pay for it...and neither do consumers today (who will ultimately foot the bill due to recovery rules).  It is more likely that AMI systems rolling out TODAY (and not 3 years ago) may remain "secure" for a maximum of 10 years.

Think about this for a minute.  They are sitting on the outside of homes.  There are no set requirements for security.  The protocols, designs, and general security knowledge of vendors vary.  This is new territory and we are in the earliest stages of deployment.  We have to expect that we are not likely to get this right on the first few tries.  We have to also expect that we are going to learn (and have learned) some valuable security lessons as we proceed.

This creates a bit of an issue for utility commissions and consumers, because we have to pay for replacing devices that fail to remain secure over time.  As consumers, we are used to having to upgrade technology as time progresses.  Who keeps a computer or cell phone for 10 years today?  Okay, there are some who do, but not many.  Technology simply moves too fast and a few years down the line anyone who uses technology to get things done simply accepts that in order to continue reaping the benefits of technology, upgrades are a given.

Ahhh...and that is the key!  The consumer needs to experience the benefits.

I have a Smart Meter on my house and since I switched to off-peak pricing I have seen a drop in my power bill of approximately 30%.  I simply do not use power very much in the middle of the day.  Sure, it goes up a bit in the summer when I use my AC more, but it plummets in the winter.  This is significant for me because my winter bills used to eclipse my summer bills.  As a consumer, I am happy to have a Smart Meter on my house because these savings would not be possible without a Smart Meter (or so I am told).  As a consumer, if I see a benefit, I will pay to play.

As a consumer I am also aware that I have not experienced any security-related issues...yet.  It could be a long time before I do, but I am aware that the high tech nature of the Smart Grid opens up a gaping hole from a security perspective.  That is the nature of technology.  As a user of pocket computers (that is what we should be calling mobile phones and devices), I am aware of the major security holes that tag along with the technology, and also pray that bad things will not happen on the mobile device front.  Nonetheless, I know that it is indeed quite likely that somewhere within the next decade an enterprising attacker will figure out a way to exploit our favorite new technologies, and we are not likely to go back to doing things the old fashioned way as a result of the compromise.

Let us accept the fact that this is the world we live in, continue working to build better security, avoid freaking out when things go wrong, and reap the benefits that inevitably come with new technologies.

We live and we learn.