Smart Grid Security Jitters

Posted on April 21, 2010 by Gib Sorebo

Over the last couple years, those in the Smart Grid security community have witnessed a number of news reports on vulnerabilities with Smart Grid technology that are not particularly flattering. For example, a widely circulated AP article called into question the security of various smart meters currently being deployed. However, the article left out some of the caveats noted during their interviews that utilities and vendors are working hard to identify and fix flaws discovered and that there are effective defense-in-depth measures available that would significantly limit the effects of a successful attack. These considerations are addressed in a clarification published by one of the companies cited in the article. Unfortunately, this is the inevitable result of a rapidly growing technology that is not well understood by many and a news media that may believe bold statements make more interesting reading than balanced reporting.

For readers of my blog, there is no question that I loathe sensationalism in this area, so I admittedly have a bias. However, I think it’s clear that we need to put things in perspective. The sky isn’t falling but neither is it smooth sailing. On the opposite side, we have Jesse Berst, founder of Smart Grid News, remarking that “because we've solved the cyber (security issues) for other big consequential infrastructures (like financial and Internet) and I think we can solve it to that same degree of safety for this one." While need to interpret this comment as meaning that solutions exist to make the risk manageable rather than implying that all flaws have been eliminated and all attack thwarted, one still wonders whether the analogy will hold. After all, cyber attacks on financial systems don’t lead to blackouts, explosions, or physical harm to individuals in real time. Risks may indeed be manageable in a future Smart Grid, but where lives are on the line, one cannot easily conclude that the types of attacks being successfully launched against financial sector IT resources would be acceptable in the electricity industry. There will always be acceptable level of fraud in the financial services industry, but there will never be an acceptable level of death in the electricity industry. As long as we continue to focus on what our ultimate objectives are, we’ll be in a much better position to “solve” the challenges we face.

Contributors

Gib Sorebo

Security Associate Director, Accenture

critical infrastructure security operations

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.