Is U.S. sleeping on smart grid security?
Panel warns of complacency about potential threats to a complex electrical infrastructure
- By William Jackson
- Dec 14, 2010
The United States could be creating a smart grid power distribution system with a false sense of the threats it will face and of its ability to secure it, a panel of security professionals said Tuesday.
The nation’s critical infrastructure has been identified as a high-value target, and the Homeland Security Department has been given the responsibility for overseeing the security of its various components. But the lack of successful, high-profile attacks against the infrastructure has led to a sense of complacency, panelists said.
“We have a tendency to underestimate the capability of people who are planning to do nefarious things with our computer networks,” said Tom Cross, IBM X-Force advanced research team lead, in a Webcast from GCN's sister publication Federal Computer Week and IBM.
But the Stuxnet worm discovered earlier this year is an illustration of the ability of well-financed teams determined to attack the control systems of our physical infrastructure.
“These are people with the capability of making a sophisticated piece of malware, and they have used that malware in the real world to attack industrial control systems,” Cross said. Although there have been no confirmed instances of physical systems being damaged by Stuxnet, the threat is not hypothetical, he said. “It is real.”
As smart grid approaches, security concerns follow
Stuxnet reveals vulnerabilities in industrial controls
That threat has emerged while the United States is developing the smart grid, a power distribution system that will enable the two-way flow of data and electricity, and will merge the power grid with the Internet.
The existing power grid is “the most complex piece of machinery ever created by mankind,” said Ron Melton, director of Battelle PNW’s Pacific Northwest Smart Grid Demonstration Project. That complexity will be increased with the overlay of new functionality, and with the increased functionality comes increased vulnerability.
The smart grid is an evolving environment, not an entity, Melton said. It will integrate and share information across multiple domains with new and legacy systems, and it will need to be robust, resilient and provide a high level of integrity for the data it will use to make automated decisions. But many of the systems for the grid are just now being developed and software development in this area is not mature. Network security products typically have not yet been integrated into this evolving system.
The grid is emblematic of a shift away from stovepiped, proprietary industrial process control systems, also called system control and data acquisition systems, toward more networked and integrated systems based on off-the-shelf technology. It is these types of control systems that Stuxnet apparently targeted.
Stuxnet was discovered in June, but apparently had been spreading for a year before that. It is a complex piece of malware that exploited four zero-day vulnerabilities to infect systems and used stolen keys for digital certificates to sign malicious code to ensure it would run under Windows. It appears to target a specific type of frequency converter drive that controls the speed of centrifuges operating at frequencies used for uranium enrichment. Because of this targeting and the fact that the bulk of the known infections are in Iran, some have speculated that the Iranian nuclear power program was Stuxnet’s target.
Stuxnet apparently is the first malware that successfully crossed the line from cyberspace to the physical world, where it can damage control systems. The worm’s complexity and the amount of intelligence required to target a specific piece of equipment means that such piece of malware is unlikely to become common in the wild. But Cross said that we can expect to see more examples of such threats and that the U.S. infrastructure will have to be hardened to withstand them.
William Jackson is freelance writer and the author of the CyberEye blog.