Smart-Grid Security: Under Construction

Itron, Inc., is testing its smart-grid technology with the Department of Energy’s Idaho National Laboratory to make sure revolutionary IT applications to critical infrastructure don’t create new vulnerabilities.
Fear not, says Itron, the nation’s leading producer of smart meters, these tests are part of an across-the-board effort undertaken by government and private industry to make the smart grid’s seals against infiltration airtight.
Itron's Smart Grid

It’s a sensitive subject, as high-profile electronic attacks on infrastructure like the Cal ISO incident have emerged concurrent with the Obama administration’s prioritization of national cybersecurity, with a focus on the power grid in particular. In fact, Obama cited smart-grid security specifically as a reason for crowning a “cybersecurity czar.”

The new position came after a series of reports emerged, from an anonymous article in The Wall Street Journal claiming spies had infiltrated national power grids to a report published by cybersecurity firm IOActive stating that a hacker could boost power to millions of homes at once, causing the grid to fail.

Mike Davis, IOActive security consultant, told The Register, “We can switch off hundreds of thousands of homes potentially at the same time. That starts providing problems that the power company may not be able to gracefully deal with.”

He said the vulnerabilities arise from the “vast majority” of smart-meter systems using no encryption or authentication processes to prevent malicious infiltration.

Itron disagrees, and has hired cybersecurity firm Certicom to encrypt its smart meters, and has designed its networks so that all commands must pass through “trust centers” that are “diligently locked down with certification and authorization, in our opinion to the highest security levels available,” Rich Creegan, VP of marketing at Itron, told Greentech Media.

For intrusion response, Itron works with Industrial Defender, a cybersecurity firm specializing in industrial and utility control systems upgrading to newer technology. Creegan said the company serves as “the watchdog, minding the perimeter, so to speak, and makes sure the right people are getting into the right places.”

The concern about smart-meter security arises from the meter’s close, direct interface with households: it can turn utilities on and off and send signals to appliances to turn off during peak energy demand times, and those capabilities could be abused. Creegan said this “two-way command and control” necessitates “dilig[ence]” about the system’s security.

Erfan Ibrahim, power delivery technical executive for the utility group Electric Power Research Institute, offered, “It’s not true that smart meters are being put up without any meter-to-meter authentication and encryption.”

He explained that security gaps detailed by IOActive’s report arise from pilot projects, meant to find and correct problems within a system, but not ready for implementation.

“I don’t want to suggest that we’ve solved the cybersecurity problem,” he qualified, saying “elementary” hacking techniques are well in hand. But “sophisticated scenarios where the hacker really knows the system and could exploit the vulnerabilities” pose a difficult problem.

Todd Nicholson, Industrial Defender’s CMO, said insider threats are a primary concern for his company’s clients. He said insider threats range from a disgruntled employee seeking revenge to a college intern uploading malware that wreaks havoc within a network. But he added that “extending an IP-based network all the way down to the meter level” means an increased threat from both inside and outside.

Ibrahim concluded a centralized architecture could be a major flaw in the smart-grid’s design, saying, “you don’t want a single point of failure.”

In an arch, the keystone placed at the top holds all the other pieces in place. If it is removed, the arch collapses. There shouldn’t be a keystone at the top of the smart grid.

© 2014 ExecutiveBiz. All rights reserved.