A person doesn't need to have an advanced degree to see certain things clearly. In this case, it's pretty obvious that smart grid security is not keeping pace with the threats.
Dangers are assessed with the downside scenarios in mind. If a threat is minor but the ramifications of it are dire, it generally gets attention. But the reverse-if the danger is glaring but the negative consequences slight-it often doesn't make sense to put a lot of money and effort into correctives.
That brings us to Katie Fehrenbacher's story at Earth2Tech, which was a follow-up to the Black Hat convention in Las Vegas last week. The piece focuses on the state of smart grid security, and the inescapable conclusion is that both the dangers and the ramifications of failure are great.
That usually would mean that crews are striving to address the problems. That, alas, isn't so. Fehrenbacher offers plenty of details, and it's difficult to identify what is most troubling: The fact that attacks already are common, that supervisory control and data acquisition (SCADA) systems are configured in a manner that doesn't conform to security best practices, or that fixes to vulnerabilities are not rushed out as they become available.
Concerns about smart grid security aren't new, of course. There is a new urgency in security circles due to the stimulus. This mostly upbeat story on the smart grid in Texas, for instance, has this rather ominous paragraph:
In 2009, the Obama administration provided nearly $4 billion to upgrade and digitize the nation's electric grid and other utilities using "smart grid" technology. Since then, utility companies have been scrambling to roll out programs to install the new technology before federal funding dries up, often without regard for security, said Jonathan Pollet, the founder of the security consulting firm Red Tiger Securities.
There are a number of issues. The MIT Technology Review, which also uses the Black Hat conference as a jumping off point, says that smart grid technology is deployed in homes-including those of hackers. These folks can fiddle with them at their convenience, and even inject malware into systems from the comfort of their own basements. Another commentator is uneasy about the lack of security knowledge in the utility industry and, by way of example, mentions problems on encryption deployment.
Smart grid appendages to existing networks can serve as access points for malware. It is abundantly clear that more attention has to be paid to securing these entry ramps, and it must be done immediately.