[Infowarrior] - Feds’ Smart Grid Race Leaves Cybersecurity in the Dust
Richard Forno
rforno at infowarrior.org
Wed Oct 28 23:45:50 UTC 2009
Threat Level Privacy, Crime and Security Online
Feds’ Smart Grid Race Leaves Cybersecurity in the Dust
By Kim Zetter
October 28, 2009
http://www.wired.com/threatlevel/2009/10/smartgrid
Amid the government-funded rush to upgrade America’s aging electric
system to a smart grid comes a strange confluence of press releases
this week by the White House and the University of Illinois.
Tuesday morning, President Obama, speaking at Florida Power and Light
(FPL) facilities, announced $3.4 billion in grants to utility
companies, municipal districts and manufacturers to spur a nationwide
transition to smart-grid technologies and fund other energy-saving
initiatives as part of the economic stimulus package.
FPL will receive $200 million to install 2.6 million smart meters and
other technologies that promise to reduce energy costs for customers.
CenterPoint Energy in Houston, Texas, gets $200 million to install 2.2
million smart meters and more than 550 sensors and automated
switches. Baltimore Gas and Electric in Maryland is another $200-
million recipient.
Strange, then, that another press release distributed Monday by the
Information Trust Institute at the University of Illinois announces a
grant of $18.8 million to four academic institutions to fund a five-
year research project into securing the power grid. The project is
supposed to make certain that the smart meters and other devices
implemented by power companies can resist hackers and other attackers.
The latter grant, from the U.S. Departments of Energy and Homeland
Security, provides funding to the Institute, along with Dartmouth
College, the University of California at Davis and
Washington State University, for a research program called Trustworthy
Cyber Infrastructure for the Power Grid.
“It reflects a strong consensus that cybersecurity and resilience will
be critical to the realization of a modernized, reliable, and
efficient power grid, so that it will be able to guarantee delivery of
electricity to consumers and maintain critical operations, even when
malicious cyber attacks occur,” reads the press release.
The only problem is, by the time the research project is completed,
most of the nation will have already adopted untested and unsecured
technologies.
How do we know they’re insecure?
Earlier this year IOActive, a computer security firm in Washington
state, was contracted to examine the security of smart meters deployed
by an unnamed utility company in the northwest. Mike Davis, an
IOActive security consultant, and his fellow researchers developed a
malicious worm that, in a simulated attack, was able to spread from
meter to meter to take out power in more than 15,000 homes in 24
hours. Davis says IOActive submitted his findings to the Department of
Homeland Security. DHS, in response to a Threat Level FOIA request,
said it can’t find the report in its files.
“Given the degree of seriousness that the Obama administration is
applying to cybersecurity and the smart grid, we can look forward to
the kind of things happening here that happened to Brazil, where
hackers successfully brought down the power,” says Richard Clarke,
chairman of the Good Harbor security consulting firm and
former special adviser to President George W. Bush on cybersecurity.
Clarke is referring to veiled reports made last year by the CIA’s
chief cybersecurity officer, Tom Donahue, that extortionists had taken
down the power grid in multiple regions outside the United States. The
location of those outages has never been publicly identified.
“Smart grid” refers to the transition from the current, outdated power-
grid infrastructure to a more technologically advanced structure that
allows expanded real-time monitoring and energy delivery that’s more
efficient and cost effective for utilities and consumers. The
technology promises to solve a number of problems, but it also (as the
Illinois press release states) could “introduce new problems, such as
increasing the vulnerability to cyber attack as power grid resources
become increasingly linked to the internet.”
“The concern is that the existing technologies can’t offer [security]
guarantees, and that we could even open the door to new risks if we
carelessly put together new systems that don’t have resilience and
security guarantees built in from the ground up,” explained Ilesanmi
Adesida, dean of the College of Engineering at Illinois, in the
Information Trust Institute’s press release.
So why would the federal government accelerate the adoption of
insecure technologies at the same time it touts cybersecurity as one
of the nation’s biggest national security concerns?
According to the Department of Energy, the government has the smart-
grid security issues under control.
Spokeswoman Jen Stutsman said all the entities awarded smart-grid
funds under Obama’s $3.4 billion stimulus grant were required to
submit a cybersecurity plan with their proposal.
“Each application was examined by at least two interoperability and
cybersecurity experts, and it was a central component to the selection
criteria for each of the awards,” Stutsman said.
Stutsman wouldn’t identify the experts who reviewed the cybersecurity
plans or provide details about the plans applicants submitted.
According to the grant-proposal requirements, each applicant was
required to submit a summary of known cybersecurity risks and
explain how the applicant would mitigate them. They also had to
identify the cybersecurity criteria they used for selecting vendors
and technologies and the cybersecurity standards or best practices
they planned to follow. And they had to explain how they would adapt
to new standards that might emerge — such as those being developed by
the National Institute of Standards and Technology.
Stutsman, addressing why the government would urge the move to smart
meters before researchers had fully examined them, said that DoE “has
spent years researching cybersecurity issues” and is “constantly and
on a continuing basis … putting in place policies and programs that
will help us gather more information.”
While the department is modernizing the electrical grid and using
knowledge it already has, she said it will continue to apply new
information as it becomes known. The government, she said, will
continue to monitor utilities and others “to ensure that we are taking
every step we can to secure the country’s electric grid.”
Himanshu Khurana, principal scientist for the Information Trust
Institute’s power-grid research project, noted that many of the grants
to utility companies and municipalities are for a three-year period.
“So there is still time between something being announced and
everything being deployed for making sure that the technologies” are
evaluated, he said.
Separate from his Institute’s research grant, Khurana belongs to a team
that has been contracted by one of the utility companies that received
a federal grant. His team’s job will be to help evaluate the utility
company’s network and the technologies it plans to deploy and perhaps
develop needed software.
“So people have reached out to cybersecurity experts and formed
appropriate teams,” he said. “Now, it’s hard to provide assurance
right now that everything is going to go safe. But the plan is
feasible and there has been a lot of weight given to cybersecurity in
the administration’s grants.”
Clarke is not so confident.
“We have no way of having any confidence that there’s any
cybersecurity plans since we don’t know anything about the
qualifications of the experts who examined them or the criteria
they’re using to judge them,” he said. “In the absence of someone like
the NSA or the cybercenter at DHS [to certify every smart-grid
proposal], there’s no reason to believe they’re taking security
seriously.”
More important than asking companies to submit a cybersecurity plan
for future technologies, he says, is to require that utility companies
and energy distributors pass an audit for their current state of
security.
He says he’s spoken with auditing firms that have examined utility
companies and energy distributors and found that — in every case —
they were able to infiltrate the company’s production SCADA system
(Supervisory Control and Data Acquisition) from the public internet in
less than an hour.
“No grant should be given to any company that doesn’t pass an audit
today with its existing system,” he said. “Paper audits are worthless.
Real-world audits are what count. So if the company today has
flagrantly bad performance with regard to cybersecurity, then it
shouldn’t win an award for new technology until it fixes that problem.”
Photo of U.S. grid courtesy U.S. Commerce Dept. Photo of Richard
Clarke by John Earle; courtesy Good Harbor Consulting.