May 12, 2011 By Larry Karisny
In watching smart-grid deployments early on I always wondered when the smart-grid security flashing red light bulb was going to go on. Andy Bochman is an IBM security lead who hates security fear mongering but even he couldn't deny the facts about a series of power-grid security breaches this spring in a recent blog post. And when U.S. senators like Richard Burr start calling to slow down the implementation of smart-grid technology you know there's a problem. I appreciate the recognition and concerns of power-grid security issues but just stopping the smart grid isn't an answer or even an option. We need to understand that even current legacy power-grid networks have serious security flaws. In fact the only way to protect these current legacy-grid designs from security breaches is to give these power-grid components visibility through secure interactive network intelligence (the smart grid). So like it or not we need to use these new smart-grid technologies to add security even on our current power grids.
The Threat Recognized
When I fear monger I like quoting the greatest fear monger of them all, Richard Clarke. In his book, Cyber War: The Next Threat to National Security and What to Do About It, he warns of both present day legacy power-grid vulnerabilities and future cyber attacks on the grid. From gas pipelines exploding to blinding the greatest military power in the world, Clarke defines just how catastrophic it would be to have a national power outage. A Wired article earlier quoted Matthew Carpenter, senior security analyst of InGuardian as saying: “The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC.” It's not like we are losing a few family pictures. In fact there are reports that if we have a national power outage, by day eight we could lose as much as 30 percent of our GNP.
Hurry Up, Wait, and Hurry Up Again
So what happened and why are we just now recognizing power-grid security problems? Well, it's the old story: hurry up and wait and hurry up again. We were in a hurry to gain the saving benefits of the smart grid so we start building it and putting security on the back burner. We then validated some security vulnerabilities and recognized that these potential security breaches in the power grid could be catastrophic. So we put a road map together for what we need to do to fix these security problems -- even for legacy and existing smart-grid networks already staged or deployed. So why will they do something now? Because, if we don't get security in the smart grid -- and fast -- we will lose a lot of money.
A Trillion Here a Trillion There
In my article "Will Security Start or Stop the Smart Grid?" I warned that if we did not address security first it could bring smart-grid deployment and investment to a halt. So how important is this and how much money are we talking about? First let's put the smart grid into perspective in both investment and return on investment. The Electric Power Research Institute (EPRI) estimated the costs for a fully developed smart grid could reach $476 billion with benefits up to $2 trillion. These dollar amounts are no small potatoes and could affect global competitiveness. CleanTechGrid lists hundreds of companies with thousands of employees that are currently working in the smart-grid industry. With job creation and energy savings like this we can't just stop building the smart grid. IBM gets it and predicts one trillion devices connected by 2015.
The smart grid is just one part of this massive marketplace. From smartphones, ATMs, retail kiosks, traffic systems, meters, buildings to sensors -- all these devices will be connected to local wireless IP infrastructure and all will need security. With network infrastructure like Florida Power and Light FiberNet already in place, power companies could be the anchor tenant and supplier that municipal wireless networks have been looking for. The smart grid is the beginning of more intelligent wireless applications and we can't afford to stop it now.
The Road Map is Done
NIST has recently refined some guidelines as they pertain to smart-grid security. A recent NIST Tech Beat release, "Smart Grid Panel Agrees on Standards for Wireless Communication, Meter Upgrades" lists a series of “Priority Action Plans,” or PAPs. PAP 2’s goal is to specify wireless technology performance that is "grid-worthy." These seem to be realistic goals and requirements and at last puts smart-grid vendors on notice that they need to fill important gaps to assure the interoperability, reliability and security of smart-grid components. Security is no longer just an afterthought. It needs to be an integral part of smart-grid solutions and must be deployed in every step along the way.
To get us back on track we need solutions that offer grid-worthy security that can be economically and rapidly deployed. This solution has to be vendor-agnostic and capable of working with both legacy and new grid networks. This security must also be able to work with multi-protocol hybrid network combinations. Last but not least, these security technologies need to be fast, have low overhead and be scalable. Seems like a tough request but again and again, I see the smart grid and many edge device security requirements point toward layer 2 security. A recent paper by the Grid-Interop Forum called "Interoperability and Security for Converged Smart Grid Networks" highlights these unique layer 2 security capabilities that were approved by NIST for federal systems and explains how useful these same capabilities could be in securing the smart grid. With a lot of money on the line and a lot of pressure to rapidly get the smart grid secured and up and running, we are left with few other alternatives. We need to start testing and investing in these layer 2 security solutions and get them deployed on the power grid. We can't afford not to.
Reprint courtesy of MuniWireless. Larry Karisny is the director of Project Safety.org, consultant, writer and industry speaker focusing on security solutions for public and private wireless broadband networks. Next speaking engagement, Smart Gird Virtual Summit June 29th-30th, "Securing the Emerging Smart Grid: A Panel Discussion."