CYBEREYE—Commentary

Government seizes opportunity to build security into new critical infrastructure

Development of a new generation of intelligent power grids for energy distribution is a high priority for President Barack Obama’s administration, and $4.5 billion has been included in the economic stimulus package for the Energy Department to pursue this goal.

It makes good sense. A Smart Grid that can monitor where power is being distributed and how it is used could help the environment, as well as the economy, by improving the efficiency of an aging infrastructure that has been in place for decades. This is the network equivalent of installing traffic cameras on highways and at intersections to better understand and control traffic.

And what also makes sense is that security is not being ignored in this rush to develop new technology. Part of the $4.5 billion in stimulus money will be going to the National Institute of Standards and Technology to fund creation of guidelines and standards for securing what will be a new critical infrastructure.

The Smart Grid would have two-way communications so that managers can monitor activities and control performance down to the individual customer level. One of the first pieces of this infrastructure to be deployed are smart meters that not only can report power usage to utilities for billing but also provide information on energy demand and patterns of use that can be analyzed to provide more economical service. They also can be used to remotely shut off service to a customer. The same kind of controls also could be applied to any point in the distribution system.

In the end, the Smart Grid is a large Supervisory Control and Data Acquisition (SCADA) network with all the vulnerabilities of SCADA networks, said Curt Barker, NIST’s chief cybersecurity adviser.

“No brand new vulnerabilities,” Barker said. “What is a little different is the scale of the system,” and the potentially catastrophic results of exploiting those vulnerabilities.

The saving grace of SCADA networks controlling vital systems so far is that they have usually been developed as silo systems with little interconnections and often with proprietary technology. This does not make them invulnerable, but it makes them harder to attack on a large scale, providing a low return on investment for hackers and attackers.

This is beginning to change, as users move to benefit from the economies of standardized, interoperable, Internet-based systems. The Smart Grid presumably would be built from scratch as a standards-based, interoperable IP network. Sort of like a new Internet. And we know how secure the Internet is.

But we have a chance now to learn from the mistakes of the past and design this new network with security in mind from the beginning. NIST has been given the job of developing the guidelines for this and the Federal Energy Regulatory Commission will have the power to mandate them as standards for the industry.

NIST has demonstrated under the Federal Information Security Management Act its ability to develop comprehensive standards and specifications for IT security. It has demonstrated under Homeland Security Presidential Directive 12 its ability to do this quickly by developing technical standards for the Personal Identity Verification card. NIST’s job with the Smart Grid will not be as big as its job under FISMA. A lot of workable standards already exist: NIST’s job will be to identify and harmonize them and fill in the gaps. And it will not be as rushed as it was under HSPD-12.

Standards alone cannot protect a network and there is no reason to believe the Smart Grid will be invulnerable. But we can hope that it will be an intelligent, flexible network with a minimized attack surface that can be easily defended.

Reader Comments

Wed, Apr 1, 2009 Ross Sterling, VA

I can't see any downside to building intelligence into the powergrid and it should enable more competition to cable and telecos.

Tue, Mar 31, 2009 John Zavgren New Hampshire

I can't overemphasize the significance of this infrastructure investment. And the presumable fact that this is to be an IP based network is VERY significant, because layering an IP network on top of the power distribution grid will provide a fantastic synergistic business opportunity. If the power grid were also an ISP, then the sales of Internet access could probably more than offset the R&D and build out costs. Regardless, there are smart grid concepts that can be implemented without a smart grid. For example, if electric meters were able to generate cryptographically signed incremental measurements, say every hour, then the readings could be transmitted to the power company by any available means. A home owner could collect them and email them to the power company for credit for off peak power usage. Duplicates and forged readings would be ignored. No dedicated IP network would be required.

Tue, Mar 31, 2009

"The Smart Grid presumably would be built from scratch..." Well, I might assume that, if a government office were to do the work (as opposed to just setting standards). It will be contracted out to some commercial outfits to develop the systems, and I'll presume they'll use the lowest-cost build option to maximize profits. Why spend all that time (= money) to write a new TCP stack, services, etc. when lots of packages exist for practically nothing, which can be modified for the purpose at hand. I expect Smart Grid to turn out to be running "internet 1b".

Tue, Mar 31, 2009 Josh Tulsa, OK

Well, this will surely signal the end of internet freedom and the beginning of internet 2, along with internet taxation, internet censorship, and taxation of our power consumption for carbon regulation... this is most unfortunate.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above