January 24, 2011 By Larry Karisny
Karisny: There was a recent article in SearchSecurity titled, “IBM predicts rising mobile threats, critical infrastructure attacks in 2011." Are you sharing the same feelings of when, not if, it comes as it relates to a major breach of our electrical power grid?
Bochman: My focus in the last several years has been almost exclusively on critical electrical infrastructure, to include the current grid as well as the few dozen spots where the emerging smart grid is starting to show itself. The grid is so large and so complex that it doesn't take a Nostradamus to predict successful attacks on it in any coming year, especially as one of the primary enablers of new smart grid functionality involves massively interconnecting systems that were previously protected, at least in part, by their isolation.
2010 saw a very single-minded Stuxnet penetrate, but not disrupt, many enterprises with industrial equipment, including the military and utilities. More broadly aimed variants of Stuxnet may in the works, or in the wild already. But I don't necessary forecast extraordinary trouble, as the promulgation of fear, uncertainty and doubt (FUD) doesn't help anyone. Some security professionals like to put folks into fetal positions with scare stories. But I prefer to remember what my broker tells his clients during downturns, "generally speaking, the world doesn't end."
Karisny: We have seen a multitude if IEEE standards, different directions NIST, FERC and NERC, and organizations like Grid Net and GridWise Alliance positioning for the multi-billion dollar power grid security market. With all this posturing does there seem to be any agreed-upon direction as to security models suitable for what you earlier called in a Huffington Post article CIP or critical infrastructure protection?
Bochman: I'd say that even though it's only a set of high-level guidelines, the embryonic NISTIR 7628 has the broadest fan base so far. I could be very wrong, but my sense is the NERC CIPs won't be with us for the long run. No one seems to value them. We're waiting for practical implementation guides from the NIST CSWG teams in 2011 before state PUCs and other U.S. and international grid security standards groups can point to 7628 as something approaching implementation-ready. As for enforceable standards, well, that's the GAO's primary complaint re: FERC. And FERC can't fix that -- only Congress can.
Karisny: There were big mistakes early on with smart meters security and now even questionable security in using ZigBee wireless network for the home Area Network (HAN). What was done wrong and how can we move forward on securing the demand side part of the smart grid?
Bochman: As the smart meter article noted, "Prominently missing are signed and encrypted firmware, secure (smart card) chips for key storage, unique cryptographic keys, and physical tamper protection." These omissions (and others) were symptomatic of the root cause: a rush to deploy ahead of firm best practices, security standards and business models. Some security pros may question my response, but I'd say we need to slow down a bit, breathe, review what we've done so far and check for gaps, before locking in standards, encouraging vendors to build to those standards, and encouraging utilities to deploy Smart Grid components in significant numbers. And yes, with millions of Smart Meters already out there, I realize this is a somewhat belated point!
Karisny: With all the complexity in security do you see any simple and economical solutions available?
Bochman: Not really. While the impulse to simplify is a good and desirable one from a business point of view, I'm afraid we're going to have to meet the complexity of the smart grid with complex security solutions. That said, some tried and true security tenets bear repeating:
And this: in case those three don't work every time - have plans B, C and D tested and ready
Karisny: Is there some kind of new solution that can be started with migration paths to future security solutions?
Bochman: Sure, though it's clear that many "future proofed" solutions bring with them added risk. Let's say you want to make your smart meter (or any other smart grid device) software remotely upgradeable so you can add additional functionality or fix security problems on the fly and en masse. Remote control functionality always opens additional pathways for attackers, should they be clever enough to subvert whatever controls (or their lack) to prevent unauthorized access and use. For practical reasons, though, upgrade-able software and firmware is the only game in town, as fully manual updates to hundreds of thousands or millions of devices at a time would take a small army many months or years to accomplish.
Karisny: With all the guide line direction being given by a variety of organizations, is here any place to prove out these security solutions in an actual field test settings?
Bochman: Sure, and it's happening right now, in dozens of pilot deployments already under way, with many more slated to begin in 2011 and 2012. In addition, several universities (see: the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG)) and DOE national labs like PNNL, INL and Sandia are doing substantial research involving security, often using test beds that simulate field conditions.
Karisny: With threats now of fines and security assessments taking place, do you see power companies getting serious about grid security in 2011?
Bochman: This is a tough question to answer without a qualification first. If you equate heightened NERC CIP compliance activities with "getting serious about security," then the answer is yes. However, one of the primary critiques of the CIPs as currently constituted in version 3 is that they are less than tightly aligned with the goal of making utilities demonstrably more secure against cyber threats. Some utilities complain that CIP compliance activities divert human and financial resources that could have been used to improve their organization's actual security posture. Some say the CIPs have increased security awareness and are helping. The ground truth is likely that both are right.
Karisny: You have early on spoken in smart grid panels and have been a key speaker in various smart grid conferences. Is there any underlying security issue you have come away with when participation in these events and what are you upcoming speaking engagements?
Bochman: For me, the number one takeaway from the 2010 conferences was complexity. Trying to get our arms around the very many pieces of smart grid security challenge, including old and new technology, evolving business models, standards and guidelines, workforce awareness and training, the shifting threat landscape, recovery and survivability strategies ... it's just a heck of a lot to hold in main memory. But without consideration and attention given to all these things, you're not really doing the job.
I'll be a panelist at the Jan 31 FERC Technical Conference on the Smart Grid Interoperability and Security Standards. Will also speak at a few conferences over the next several months. Right now those likely include:
Karisny: You have the most popular blog as it relates to smart grid security. What are you hearing from those who following your blog?
Bochman: Mostly a hunger for more and better knowledge, especially among folks who are new to the domain. That includes cyber security pros who want or need to learn more about the electric sector, and utility personnel who need to get smarter on security issues and approaches. The blog exists to serve the community by facilitating knowledge transfer and letting folks know about upcoming events like new legislation, standards, conferences, best practices and lessons learned, etc. And so far, according to the feedback I get from (usually) happy readers, it seems to be working pretty well.
Karisny: What are your 2011 forecast in critical infrastructure protection deployments and research throughout the year?
Bochman: With so many balls in motion, it promises to be a thoroughly exciting and challenging year in the smart grid security space. At IBM, we're putting the finishing touches on a white paper that considers the current and possible future of smart grid security standards. When that's done, I plan to help advance work begun last year on EV and V2G security. We've been getting a lot of questions on that topic the last few quarters and that may very well become a 2011 white paper as well.
Larry Karisny is the director of Project Safety.org, consultant, writer and industry speaker focusing on security solutions for public and private wireless broadband networks supporting smart grid, municipal, critical infrastructure, transportation, campus, enterprise and home area network applications.