CIO & Smart Grid Master: Securing the Smart Grid

Friday, June 04, 2010

Securing the Smart Grid

Recently, hype around the Smart Grid, smart homes and smart meters has reached a fever pitch. Yet, many consumers are still figuring out what the term, “smart grid” actually means. According to a March 2010 Harris Poll, “two-thirds of Americans have never heard of it (68%) and 63% have not heard of a “smart meter.” It’s actually a pretty simple concept, though enormously difficult to deliver and implement the reality. The electricity grid is the vast, diverse collection of devices and equipment that delivers electricity from utilities to consumers. The Smart Grid refers to connecting those devices and that equipment into a network that is monitored and managed by computing resources. How one interprets “computing resources” is pretty broad, but Grid Net’s objective is to enable the Smart Grid with a secure, reliable, real-time, all-IP, standards-based and scalable software platform that can run on any device and leverage any type of broadband communications resource.

My own experience implementing the first Smart Grid network in the U.S. at Austin Energy, and now at Grid Net working with utilities in their Smart Grid deployments, has given me a unique perspective on security, and I’m not the only one. Security is a huge area of concern for every utility executive that I know. At the 2009 Black Hat security conference, security consultancy IOActive reported that it was able to simulate a smart meter worm that infected about 15,000 home meters (out of 22,000 homes) and subjected the devices to the control of the worm’s designers. At the time, IOActive’s Mike Davis stated that, “the vast majority of smart meter systems use no encryption or authentication processes to prevent someone from uploading malicious software or turning meters on and off en masse."

Let’s be clear: any time that you connect devices into a network, you face security risks. But networking our nation’s electricity grids poses even greater security hazards, since most devices are located in physically unprotected / vulnerable locations and simply cannot be protected by the “four walls” of a data center or a physical plant.

But even worse: some Smart Grid vendors are offering technologies that are actually accelerating the threat of viruses and worms spreading the damage from a single device getting hacked.

For example, vendors that rely on radio-frequency (RF) mesh networks are peddling an architecture that relies on “peer-to-peer” networking – in this case, using the meter as a network link – and that thereby increases the risk of ‘man-in-the-middle’ and impersonation attacks. In the RF mesh scenario, smart meters are the first, and highly vulnerable, line of penetration for hackers and virus-spreaders. Think of mesh network infrastructure as a self-propagating home botnet that makes the threat of spreading malware very, very real. It’s a scary thought.

While open standards for RF mesh networks are beginning to emerge at the physical and media access control layers, the networking specifications still lack definition as to how they will implement the robust, proven security methods and technologies described in the National Institute of Standards and Technology (NIST) specifications. Lacking open standards and the pervasive, granular implementation of proven, broadly-adopted, leading security methods and technologies, RF mesh networks remain virtually defenseless against attacks.

In designing the smart grid, utilities should hold their vendors accountable for implementing a multi-faceted security approach to their offerings. This should include the following:

Security starts at the edge device - While smart meter hacks are inevitable, utilities can protect their smart grid from a massive network virus or worm by implementing granular security architectures. Embed unique, standards-based hardware and software security into every network node and device. That way, the device can be detected and isolated before it proliferates a virus.

Use only standards-based security, and use it everywhere - By incorporating security standards throughout the smart grid, utilities can leverage the collective best efforts of tens of thousands of engineers, universities, government agencies and white-hat hackers, as well as hundreds of millions of dollars of investments in the latest security technologies. Moreover, standards-based security ensures faster upgrades and “future-proofing,” an idea essential for utilities to stay ahead in the never-ending “hack-patch” cycle of cyber security.

Make security pervasive and granular - Data encryption and IP security schemes are necessary but, by themselves, nowhere near sufficient. Instead, utilities must require that vendors deliver pervasive, granular security architecture in their solution offerings by incorporating government-grade security into: smart meters and other distribution network edge devices, embedded applications, the smart grid communications network infrastructure, smart grid network operating systems, data being stored and transmitted, and utility enterprise systems.

Security is a marathon, not a 40-yard dash - Maintaining a safe, secure smart grid requires continuous vigilance and the stamina to sustain ongoing investments in security oversight, critical software patches, software upgrades and process improvements. That’s because security threats are never-ending: hackers enjoy a challenge, and they intend to keep at it.

It’s time for utilities and their vendors to start building security protocols into every aspect of the smart grid fabric. It’s also time for utilities to hold their vendors accountable for flawed architectures and vulnerable technologies. The risks are too great to take lightly.

No comments:

Andres Carvallo BIO

Andres Carvallo is an award winning engineer, speaker, author, and executive. Andres is globally recognized by the IEEE as one of the early developers of the smart grid concept and technology. Andres championed Austin Energy's industry leading smart grid program design and implementation from 2003 – 2010 and he architected the Pecan Street Project in 2009. Andres co-authored the best selling book "The Advanced Smart Grid", has received 34 industry awards since 2005, and is a popular speaker and guest lecturer. Andres is currently the EVP of Energy Solutions and Chief Strategy Officer at Proximetry. Andres has over 27 years of experience in the Energy, Telecommunications, Computer and Software industries. Andres has held since 1992 P&L responsibilities and senior executive titles while being responsible for the strategy, development, and commercialization of over 40 products at six start-ups and leading global companies like Philips Electronics, Digital Equipment, and Borland. Furthermore, Andres started his career as a product manager for Microsoft Windows in Redmond, WA.

How to Run IT as a Business?

It all starts with my focus on the customer as the center of the lifecycle. The Lifecycle rules a discovery, planning, and maturity model process that orchestrates a framework. The framework, called RunITbiz, is made out of the 12 critical elements for Running IT as a Business. The elements are rationalized into demand and supply modules. At the core of the RunITbiz framework is a Service Oriented Architecture that leverages all legacy systems while powering new systems built on new open standards (Web Services, XML, BPEL, etc) including cutting edge Web 2.0 tools (Blogs, Wikis, AJAX, RSS, etc).

My RunITbiz Framework has two main modules. One module focuses on Managing IT Demand as a Business and the second one on Managing IT Supply as a Business. Each module has six critical elements to master. Here are the modules and critical elements:

Running IT Demand As A Business: 1. IT Governance, 2. IT Structure, 3. Portfolio Management, 4. Business Alignment, 5. Financial Management, 6. Marketing & PR

Running IT Supply As A Business: 7. Enterprise Architecture, 8. Vendor Management, 9. Process Management, 10. Project Management, 11. Service Management, 12. Quality Management

I wish you great success in your transformation. And if you have any questions, don't hesitate to reply to any post in this blog or contact me.

Top 20 Geek Blogs

1) Lifehacker - http://www.lifehacker.com/ - Lifehackers' motto says it all: "Don't live to geek, geek to live." This blog offers timesavers of just about every stripe, from Firefox shortcuts to tips from the "Getting things done" faithful.

2) IT Toolbox Blogs - http://blogs.ittoolbox.com/ - IT Toolbox has a number of "in the trenches" IT pros who talk about technology and management issues. There are specialist blogs dealing with security, databases and project management, among other subjects. It's a versatile site.

3) Valleywag - http://valleywag.com/ - Bring in the noise, bring in the snark. Valleywag is for those who believe that the tech industry lives or dies by the scuttlebutt pinging around Silicon Valley. And it's amusing for those of us who prefer that the lotus-eaters of Northern California stick with the dishing and tongue-wagging, leaving the rest of us to get the real work done.

4) Kotaku - http://kotaku.com/ - Kotaku is the snarky, gamer uber-blog. It has everything from reviews and gossip to cheat tips. Just about anything you'll ever need, including which game to buy and how to play it.

5) Danger Room - http://blog.wired.com/defense/ - Wired's military and defense blog writes about some of the coolest and scariest military technologies -- not to mention scandals, debates and other military news. Lots of video and imagery are included.

6) Gizmodo - http://gizmodo.com/ - Gizmodo's got the scoop on all the latest toys and cool and wacky inventions -- from high-def TVs and coffee makers to booze belts and USB drives. You've got to love a site that publishes photos of a solar-powered bathing suit. Yeah, they also blog about serious technology news too.

7) O'Reilly Radar - http://radar.oreilly.com/ - This is where you can read Tim O'Reilly (founder of O'Reilly publishing) and others discuss networking, programming, open source, intellectual property, politics and Web 2.0, emerging technology.

8) Techdirt - http://www.techdirt.com/ - Techdirt is a newsy, "tell it like it is" blog that frequently features debates on the hot issues in the Internet and computer fields. Scandals are a specialty. Simplicity is its hallmark.

9) Groklaw - http://www.groklaw.net/ - Groklaw's raison d'etre is needling SCO in its long-running patent fights against IBM and Novell, but the discussion sometimes veers toward other issues that involve technology, intellectual property, and government regulations.

10) Hack a Day - http://www.hackaday.com/ - Want to learn how to add USB to a cheap Linux router? Create a snake robot? How about an XBox 360 laptop? Hack a Day has these basement projects and many more. This site is for the serious techie. At the same time, it's good for a laugh or a new hobby.

11) Engadget - http://www.engadget.com/ - As Coke is to Pepsi, so Engadget is to Gizmodo. It's all about gear, gossip, techish issues and the occasional rant. It's got great product photos, and the editors have access to pre- and early-release gadgetry. Also, some really funny home-made junk. But we prefer Gizmodo.

12) Feedster - www.feedster.com/feedpapers/Technology - Like drinking from the hose. This Web page brings together blog sites about technology, sports, celebrity gossip, food, personal experiences -- you name it. It also offers a blog search feature that allows you to input words or phrases, and it has a very cool RSS aggregator for news feeds. It also injects some great humor into technology news. An all-around great site.

13) Forever Geek - http://forevergeek.com - Forever Geek is a great site with a myriad blogs on diverse topics, from technology and general interest news to movie and game reviews. Definitely a geek paradise. If you want to learn about the upcoming Iron Man movie or read a review of Photoshop CS3, this is the place to go.

14) Rough Type - http://www.roughtype.com/ - Nick Carr -- of "Does IT Matter?" fame -- has a sharp-minded blog that discusses all manner of issues and trends relating to technology. Always an entertaining read, Rough Type often locks horns with companies, people, technologies and policies that rub Carr the wrong way.

15) Smorgasbord - http://www.smorgasbord.net/ - Billed as a site for gadget- and game-loving geeks, this blog also serves up articles that cross over into the political and celebrity news of the day. The combination of entertainment value and tech news make Smorgasbord a top contender.

16) The Unofficial Apple Weblog (TUAW) - http://www.tuaw.com/ - TUAW offers collection of independent bloggers -- that is independent but not undecided or uninformed. It's a good source for Apple-related news. The only reason it didn't make the top 15 was its singular topic focus.

17) Elliot Back's blog - http://elliottback.com/wp/ - A self-professed computer scientist, Elliot posts everything from his opinions on why XML sucks, to the Titanic's passenger list and reviews of movies like 300. This site is diverse and well composed, offering great tips on topics such as increasing system performance and blocking spam.

18) Ed Foster's Gripelog - http://www.gripe2ed.com/scoop/ - There is a new crop of blogs that highlight poor customer service for consumer electronics, bad UIs and outright rip-offs, but Ed Foster has been doing it longer than anyone else. Check out these recent topics: Defective DRM, tricky warranties on plasma TVs and bad mobile phone service.

19) Gadgetell - http://www.gadgetell.com/ - This is a great site if you want to get the latest gadget and game news along with some topical opinion pieces.

20) 4sysops - http://4sysops.com/ - This is a very useful with well-written tips and how-to's for Windows admins.

Favorite Books

Blink - Malcolm Gladwell
Building the Real-Time Enterprise - Michael Hugos
Built to Last - Jim Collins
Crossing The Chasm - Geoffrey Moore
Dealing With Darwin - Geoffrey Moore
Earth: The Sequel - Fred Krupp
Freakonomics - Steven Levitt
Good to Great - Jim Collins
Hot, Flat, and Crowded - Thomas Friedman
Information Revolution - Jim Davis
Jack - Jack Welch
Perfect Power - Robert Galvin
Player Manager - Joy Palmer
Synchronocity - Joseph Jaworski
The Tipping Point - Malcom Gladwell
The World is Flat - Thomas Friedman
Transparent IT - Jack Wilson

About Proximetry

Proximetry develops and commercializes AirSync™, a comprehensive communications network and device management software platform for the energy industry. AirSync delivers secure, scalable, closed-loop control, and policy-based management of devices to build and manage large complex networks built upon multiple vendor platforms that incorporate a vast array of communications technologies. AirSync™ provides the essential tools for energy organizations to provision and manage mission-critical devices and networks. Founded in 2005, Proximetry is privately held, headquartered in San Diego, California, and backed by Munich Venture Partners, Aeris Capital, Investec, and Rembrandt Venture Partners. For more information, please visit www.proximetry.com

Cisco on Proximetry

Why is AirSync Better?

1) ALL other NMS/OSS products in the market use only SNMP to provide monitoring and alarms for devices, AirSync supports SNMP and it also uses a lightweight protocol (pre-CoAP) to manage devices with closed-loop control and policy-based functionality via an agent. AirSync’s pre-CoAP protocol solves the disadvantages of SNMP for the Smart Grid (i.e. too chatty, non-stop polling, and no integrated firmware management).

2) All other NMS/OSS products are focused on telecom WAN management only (i.e. routers, switches in telco domain) while AirSync can manage the WAN and its elements, it also can go deeper into the FAN, LAN, and PAN (including the AMI network). Furthermore, AirSync manages all devices hanging on those networks(e.g. electric/gas/water meters, inverters, IDEs, RTUs, Programmable Logic Controllers, premise gateways, premise routers, and sensors in general). It is important to note that All other NMS/OSS products in the market do not manage smart meters and/or any sensors on the edge of a FAN, LAN, or PAN, but AirSync does.

3) All other NMS/OSS products in the market do NOT provide any firmware management capabilities or if they do it is very limited. And they DO NOT support FANs, LANs, and PANs. And they DO NOT provide closed-loop control of any edge devices from any vendor on any network using any topology. AirSync delivers all of the above.

4) AirSync has unique features to manage ALL networks with many configurable enhancements like shaping the traffic and QoS management by having an agent on the device side unlike All other NMS/OSS products in the market which depend only on SNMP and lack such an ability.

Bottom line: All other NMS/OSS products in the market deliver only classical and limited WAN NMS/OSS capabilities. AirSync delivers all that far better and it can also support FAN/LAN/PAN/device/firmware management functions and help manage deeper into all the networks. AirSync has a well-defined NBI that can be used to interface with any NMS/OSS and provide the utility with an integrated management system with the utility's preferred GUI but with all the advantages of AirSync.