Tuesday, March 1, 2011

Thoughts from Smart Grid Security East

Note: I'm not naming names here, because (a) some of these honest comments could get people in trouble back in the office, (b) I recognize that these comments are out of context and paraphrased, and the speaker might not have meant exactly what I heard.
(My opinions are in italics.)

An interesting observation from a meter vendor:
Security is starting to come from meter vendors because their customers (the utilities) are insisting on it.  It is a market-driven commercial need.

His advice to consumers who are concerned about security and privacy:
  • Ignore the 'tinfoil hat brigade' in Marin County. Do your own research.
  • Ask the tough questions of your utility, and / or your PUC:
    • What data is the company gathering?
    • How long will they retain it?
    • How will they protect it?
    • Who else gets it, why and under what conditions?
 In my opinion, this will only increase as PUCs get up to speed on security and start demanding it of utilities.  PUCs, ask your utilities these questions.

The utilities need a financial reason to spend the money on security and privacy.  There is a need to educate the business professionals about the need for security. From a business standpoint, by itself, security is a negative ROI item.  You can spend money on it, and have no ROI.  In fact, if you do it right, you'll never have any ROI on it, because the ROI impact of security is a negative ROI for not doing it.

Other interesting comments overheard:

One software company rep claimed to have achieved "absolute development security."  Move over IBM and Watson.  Heck with artificial intelligence, these guys have developed artificial omniscience.

If you're interested in a good analysis of insider threats, Google the Verizon insider threat study.  (This from a former Secret Service agent.)

(From an equipment supplier) We do security testing on our competitors' products, but we don't keep our findings secret.  We call or e-mail them if we find anything.  It does me no good to hide the results of my testing on my competitor's equipment from my competitor. If I try to screw him, I screw myself.

(From another supplier on the same panel)  In other industries (finance, for example) there is a common association for sharing vulnerabilities and certification processes. That needs to be done for Smart Grid. It is happening to some extent organically, but it needs to happen intentionally.

Equipment vendors are doing what they can, but the buyers need to be held accountable for secure implementations. True in part, but the buyers are dependent on the vendors to tell them how to secure the implementations.  The components have to be secure, but so do the combinations of components, and the operations and systems they interact with.

The problem of long lifespans of security-related equipment.  The ability to upgrade field equipment remotely is critical.  For example, in residential meters, a truck roll to upgrade a meter may cost more than the device.

The appliance vendors still may not have come completely to terms with the need for a software upgrade path.   How do you upgrade a refrigerator's firmware?  Appliance upgrades are not likely to be allowed to come through the Utility AMI network. 

Meter vendors have to treat whatever is on the customer side as inherently hostile. They do not know whether the equipment is currently patched, so they must limit what data can come from the customer side of the meter to that which is absolutely necessary.

From a security standpoint, passing “content” (consumer information, appliance firmware or consumer instructions) either way over a “control” network is a bad idea, particularly if equipment on the customer side of the meter is passing commands to (or through) the meter.  It creates too much opportunity for an attack vector.
This makes “prices to devices” a far more viable option from a security standpoint.  For example, if:
  • the utility broadcasts pricing information to the customer and/or the customer's equipment (via the AMI network, or through another channel), 
  • equipment on the customer side responds to that pricing information without discrete commands from the utility and
  • the utility simply reads the meter as needed,
the result is an "air gapped" communications system.  Far more secure for the utility and the customer.
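
The flow restriction described above, sketched as a default-deny filter on the meter. This is an added example, not from the conference or any vendor; the interface labels, message names and frame layout are hypothetical.

```python
import struct

# Default-deny: only these (source interface, message type) pairs are accepted.
# Names and numbering are hypothetical, not taken from any AMI standard.
ALLOWED = {
    ("utility", "PRICE_BROADCAST"),  # content relayed one way to the home
    ("utility", "READ_REQUEST"),     # utility reads the register
}
MSG_TYPES = {1: "PRICE_BROADCAST", 2: "READ_REQUEST", 3: "LOAD_COMMAND", 4: "FIRMWARE_CHUNK"}
PRICE_LEN = 8  # two fixed 4-byte fields; no variable-length content
# Constructed sample frame: 32 cents/kWh, valid until a constructed timestamp.
SAMPLE_PRICE_FRAME = bytes([1, 8]) + struct.pack(">II", 32, 1700000000)


def parse_frame(frame: bytes):
    """Strictly parse type(1) | length(1) | payload; None on any anomaly."""
    if len(frame) < 2:
        return None
    mtype, length = struct.unpack_from("BB", frame)
    if mtype not in MSG_TYPES or length > PRICE_LEN or len(frame) != 2 + length:
        return None
    return MSG_TYPES[mtype], frame[2:]


def handle(source: str, frame: bytes, register_kwh: int):
    """Return (action, data). Nothing from the customer side triggers an action."""
    parsed = parse_frame(frame)
    if parsed is None:
        return ("drop", "malformed")
    mtype, payload = parsed
    if (source, mtype) not in ALLOWED:
        return ("drop", f"{mtype} not allowed from {source}")
    if mtype == "PRICE_BROADCAST":
        if len(payload) != PRICE_LEN:
            return ("drop", "bad price length")
        cents_per_kwh, valid_until = struct.unpack(">II", payload)
        return ("relay_to_home", {"cents_per_kwh": cents_per_kwh, "valid_until": valid_until})
    if payload:  # READ_REQUEST carries no payload
        return ("drop", "unexpected payload")
    return ("reply_to_utility", register_kwh)


def device_decision(price: dict, threshold_cents: int) -> str:
    """Customer equipment acts on the price locally; no utility command is involved."""
    return "defer_load" if price["cents_per_kwh"] > threshold_cents else "run"
```

Load commands and firmware chunks are parsed only so they can be named in the drop reason; no interface is allowed to deliver them.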

All in all, a very interesting conference, and I was only there for half the day today (the morning was spent in travel mode.)
More to come tomorrow...
