Part #2 – Second in a Series on Smart Grids

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

In my last post, “Will the future of Smart Grids include smart security?,” I talked about the impact of the Smart Grid (SG) and asked if Smart Grid’s inventors’ have learned the lessons of the Internet age and built security into the technology from the start.

The fact is, if security is not in the fabric of SG technology, it could be highly disruptive to the core of our energy systems.

So what proven security practices can help ensure we’re moving in the right direction?

• Vulnerability and penetration testing – Although SG is using many standardized technologies, there are some unique attributes in implementation that represent new forms of vulnerabilities.  Everything needs to be tested on a regular basis — applications, protocols, infrastructure, firmware, and hardware all need to be reviewed for security flaws. 
• Security event monitoring – Today, monitoring information systems is typically associated with servers, security systems (e.g., firewalls, IDS, etc.), databases and applications.  Not only must this be replicated in the SG environment, but must include embedded systems.  This means vendors of SG products and solutions must incorporate the means to produce information relative to the operational nature of the devices so that we can gain visibility into potentially undesirable activities.
• Application security – No security discussion is complete without discussing application security.  Although akin to testing, application security is about sound development practices with security deeply ingrained in the development lifecycle.  Today’s web-applications are complicated and sophisticated and, regrettably, complexity is often security’s nemesis, forcing developers to take a hard look at functionality versus stability.  Although, there have been some advancements in secure SDLC, it is likely this will increase rapidly in the SG space.
• Identity and access management – Having a mechanism to identify, authenticate and authorize users and systems interacting with the SG environment will be critical to its overall success.  Just as much as you don’t want someone logging into your bank account, you don’t want unauthorized people interacting with how power is being delivered to your home. 
• Risk assessments and threat analysis – The introduction of information systems, especially when connected to the Internet, establish a broader threat profile.  Risk management within the utility sector is far more complicated than in other industries because risk appetite is relative to a very broad community.  It isn’t simply protecting the business, but protecting citizens and the sound delivery of an essential.  Therefore, comprehensive risk assessment that includes an acute focus on threats will need too be performed regularly and through every step of implementation.
• Security governance and standardization – Unlike Internet security regulations, like SOX and GLBA, which surfaced quickly to ensure consistency in the protection of public and private information — there are few security standards and requirements that vendors must follow in the design and implementation of SG, which can spell disaster.  The silver lining here is that based on the Energy Independence and Security Act (EISA) of 2007, NIST has become far more involved in producing such materials, and making reasonable progress with the first Smart Grid Cyber Security Strategy and Requirements standard to be finalized in the spring of 2010.  We should expect NIST to become the center point for security standards in this sector, thanks in part to the American Recovery and Reinvestment Act (ARRA) of 2009, which has clearly helped establish the organization as the source for standards behind developing regulation in the federal government and industry regulators, such as NERC.

As we have experienced with the Internet, what is done today for security during the embryonic stages of SG development will resonate for decades in ways we cannot fully appreciate right now.  Those involved in the development and implementation of SG, from vendors and providers to the government and standards bodies, are aware of the importance of security and are working to create a solid foundation.  However, there is still a lot more work that needs to be done and the best way forward is to learn from the past.