Is U.S. sleeping on smart grid security?

Panel warns of complacency about potential threats to a complex electrical infrastructure

The United States could be creating a smart grid power distribution system with a false sense of the threats it will face and of its ability to secure it, a panel of security professionals said Tuesday.

The nation’s critical infrastructure has been identified as a high-value target, and the Homeland Security Department has been given the responsibility for overseeing the security of its various components. But the lack of successful, high-profile attacks against the infrastructure has led to a sense of complacency, panelists said.

“We have a tendency to underestimate the capability of people who are planning to do nefarious things with our computer networks,” said Tom Cross, IBM X-Force advanced research team lead, in a Webcast from GCN's sister publication Federal Computer Week and IBM.

But the Stuxnet worm discovered earlier this year is an illustration of the ability of well-financed teams determined to attack the control systems of our physical infrastructure.

“These are people with the capability of making a sophisticated piece of malware, and they have used that malware in the real world to attack industrial control systems,” Cross said. Although there have been no confirmed instances of physical systems being damaged by Stuxnet, the threat is not hypothetical, he said. “It is real.”


Related stories:

As smart grid approaches, security concerns follow

Stuxnet reveals vulnerabilities in industrial controls


That threat has emerged while the United States is developing the smart grid, a power distribution system that will enable the two-way flow of data and electricity, and will merge the power grid with the Internet.

The existing power grid is “the most complex piece of machinery ever created by mankind,” said Ron Melton, director of Battelle PNW’s Pacific Northwest Smart Grid Demonstration Project. That complexity will be increased with the overlay of new functionality, and with the increased functionality comes increased vulnerability.

The smart grid is an evolving environment, not an entity, Melton said. It will integrate and share information across multiple domains with new and legacy systems, and it will need to be robust, resilient and provide a high level of integrity for the data it will use to make automated decisions. But many of the systems for the grid are just now being developed and software development in this area is not mature. Network security products typically have not yet been integrated into this evolving system.

The grid is emblematic of a shift away from stovepiped, proprietary industrial process control systems, also called system control and data acquisition systems, toward more networked and integrated systems based on off-the-shelf technology. It is these types of control systems that Stuxnet apparently targeted.

Stuxnet was discovered in June, but apparently had been spreading for a year before that. It is a complex piece of malware that exploited four zero-day vulnerabilities to infect systems and used stolen keys for digital certificates to sign malicious code to ensure it would run under Windows. It appears to target a specific type of frequency converter drive that controls the speed of centrifuges operating at frequencies used for uranium enrichment. Because of this targeting and the fact that the bulk of the known infections are in Iran, some have speculated that the Iranian nuclear power program was Stuxnet’s target.

Stuxnet apparently is the first malware that successfully crossed the line from cyberspace to the physical world, where it can damage control systems. The worm’s complexity and the amount of intelligence required to target a specific piece of equipment means that such piece of malware is unlikely to become common in the wild. But Cross said that we can expect to see more examples of such threats and that the U.S. infrastructure will have to be hardened to withstand them.



About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Dec 20, 2010 Rick Carter Salem, OR

Smart Grid (SG) for lack of a better term, should be relegated to a proprietary system devoid of any third party intervention under the guise of marketing products and services. Once again we find ourselves at the mercy of lobbyists that have convinced Congress that SG is all Roses and no thorns...BS. there are way too many entry points in the SG matrix which opens vulnerabilites for insidious entry and access....

Thu, Dec 16, 2010 Reality Check Washington, DC

One of our greatest failures in protecting the power grid is self-imposed -- we continue deluding ourselves with the fiction that DHS can contribute usefully. In reality, the DHS Office of Infrastructure Protection (OIP) was severely mismanaged until well into 2009 and hasn't recovered. Senior leadership's myopic and uninformed fixation on physical barriers, while intentionally ignoring technology threats, made OIP simply a bloated and ineffective bureaucracy that entangled others in a web of unproductive committees. The Department of Energy has all the skills, knowledge and resources needed to protect the power grid; it's essential that we take DHS out of the role of hindering technology infrastructure protection efforts by DOE, other agencies and the private sector.

Thu, Dec 16, 2010 roger roster

The smart grid and alternate energy sources like solar and wind, is what should be driving us in the US. The US already has the highest per capita consumption of energy in the world and much of it is being wasted before it even reaches the consumer. Alternate energy sources and the smart grid seem to be the most plausible answer and consumers who will be paying the bills need make their voice heard here. There is much we need to read and know about how these technologies of the future will work and one website that is rather educative is that of Pacific Crest Transformers.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above