Monday, March 23, 2009

Old Security Habits and the New Smart Grid

This weekend brought us a new security vulnerability message about next generation power, wrapped in the traditional trappings of today's Internet and cybersecurity messaging. The CNN headline reads, "'Smart Grid' may be vulnerable to hackers", and the story looked like any of a hundred similar flags waved over software applications, newly delivered services, government infrastructure, etc. The news was that a security firm, IOActive, had worked with a noted researcher, Travis Goodspeed, to implement and demonstrate exploits around potential weaknesses in the new Smart Grid infrastructure. The thrust of the article, and others, like this one, by Robert McMillan at InfoWorld, is that the Smart Grid is now showing itself to be vulnerable by virtue of smart meter vulnerabilities. Recommendations for resolution, from IOActive and others involved in the security consulting business, are to require third-party audits of these systems prior to their deployment.


I think that model is wrong. I am not saying that third-party testing isn't important, but it misses the underlying problems that have allowed the insecure system to exist in the first place. Systems like the Smart Grid need to be developed with a fuller understanding of the purpose, threats, and environment in which these components will be working.


The IOActive report does not detail the exact vulnerabilities it exercised, but a couple of online articles point to work that Travis Goodspeed did in identifying a vulnerability on a specific microcontroller. From his blog:
a stack-overflow exploit targeting TinyOS 2.x on a Tmote Sky wireless sensor node, which uses the Texas Instruments MSP430 microcontroller

which is a microcontroller reported to be used in smart grid devices. That blog post was written over 18 months ago.


I have two concerns, if this is the way in which Smart Grid security is undertaken and understood:


Flaw-oriented Security
In flaw-oriented security, effort and focus are like the spotlight in an old prison-break movie. Alarms sound ("Prisoner is Loose!") and the searchlight moves to the escapee, following him around until he is either caught or escapes over the wall. During the time that the light is on him, the rest of the yard is dark, all the guards are training their attention on him, and the rest of the prison and grounds are pretty much up for grabs. In security, this can be related directly to the evolution of the Internet security model. First it was the perimeter, then the vulnerability assessment systems, then the detection systems, and on and on. The searchlight kept moving, but the vulnerabilities, and the attackers, knew how to move out of the light into an area without the illumination and focus.
Testing-Oriented Validation
In a testing-oriented security culture, either components or full systems are assessed for security prior to deployment or in a simulated environment. This is critical, but on its own it is neither sufficient nor efficient. A simple analogy would be automotive testing. Everyone has seen crash-test commercials, which are done at the end of manufacture, but few would recommend that as the first test. Even if you move back a step to the system level, like the brakes, one does not wait until the full brake system is installed to see if it will work. Each component, to as discrete a level as is possible, is tested prior to assembly to simplify both the test and any diagnostics in the case of failure. This level of analysis also allows critical performance criteria, in terms of functionality and tolerances, to be defined and enforced before the component is built.

These two concerns highlight the requirement for a new style of thinking around Smart Grid security which centers on planning for the success, and the benefits, of the Smart Grid. This entails much more than securing these building block components. The visualization of security must include the expected expansion of both deployment and capability that are foreseeable even now. Google has continued to advocate and make progress with its Google PowerMeter initiative, which, while a data consumer at inception, could easily grow to be more proactive. In the existing "proactive" category are companies like Tendril, Inc. that are creating technologies to facilitate the sharing of data and control between providers, grid, and consumers. There are others, responding to the requirement for interactive technologies. In the words of Dan Delurey, Executive Director of the Demand Response and Smart Grid Coalition,
"Wide-scale smart grid development requires many different enabling technologies all working together to provide value and scalability to utilities that in turn translates into consumer engagement and empowerment."

One of the primary missteps that has caused the greatest security pain during the ongoing evolution of Internet-enabled business and services has been a lack of foresight. Organizations didn't (and many still don't) consider the risks of connecting various systems to the Internet, and didn't think about the nature of the information that they would be likely to share in the future. Even today, applications are rolled out without sufficient thought to their internal architectures and their likely exposure of client and internal data.


The Smart Grid cannot afford the same stumbles the Internet has had, and must take a more thoughtful approach to technology choices. Components must be specified, and then validated, according to the critical characteristics of such a core utility, and with a substantial sense of gravity to balance reality against the excitement and hope for the new power infrastructure. Configurability, features, and speed to market must be tempered with consideration of reliability, security, and recoverability, and that validation must occur before these systems are either settled upon in roll-out plans or actually implemented.

1 comment:

  1. A huge post. Key thing that sticks out to me is in the very last sentence: "... and that validation must occur before these systems are either settled upon ... or actually implemented." It's the early days and there's still time for this to be done right. But that doesn't mean we'll take advantage of that time. The smart grid will be similar to so many systems that preceded it, in that it'll be designed by humans. Do humans learn from past mistakes?