Meet the Bloggers Twitter BTSecureThinking YouTube Channel Blogroll About BT Looking for more?
BTSecureThinking Resources center

SecureThinking > SecureStrategies

Monday, March 22, 2010

Will the future of Smart Grids include smart security?

Part #1 – First in a Series on Smart Grids

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Smart Grid (SG) represents a fundamental shift in the distribution and management of electrical power that will become the foundation of more efficient energy usage in the future.

The impact of SG to the power industry is analogous to the dramatic change the Internet has had on global business, economics and social behaviors we see today.  Of course, associating the embryonic stage of SG with birth of the Internet raises questions around security. 

The question is — have the inventors of SG technology learned the lessons of not including security in the fabric of a highly disruptive and foundational technology?

SG is simply the beginning

SG stands on its own as a dramatic change; it seeks to add greater control and intelligence in the consumption of electricity that will extend from generation, through distribution, and all the way to devices in your home.  SG will start with the obvious, such as household appliances, and will move to overall power consumption, and eventually become the foundation for matrix power management  

Have we learned a lesson?

So, have the inventors of SG technology learned the lessons of not including security in the fabric of a highly disruptive and foundational technology?  In some ways, yes.  There are multiple layers of security that have been incorporated, and many solutions providers have employed elements of proven technologies.  This act alone is testament to the desire to ensure security is built-in from the beginning, which is a far cry from other scenarios in history. 

However, there are some not-so-secure features in connection with how the SG space is evolving, including implementation of proprietary practices when existing, proven solutions exist.  Granted, there may not be many standards that map directly to the emerging technology; and modification may be needed to address legacy technologies.  But when it comes to network security, encryption and key management, there is a vast array of options born from traditional IT solutions.

Security is key

With this in mind, it should be no surprise that security is of great importance.  If a simple virus can disrupt business, imagine the implications for a country’s utility infrastructure.  There is more than enough evidence demonstrating that the existing utility infrastructure in the United States is vulnerable to attack.   However, if the infrastructure is not enhanced in a meaningfully secure fashion, we’re simply increasing the number of vulnerabilities and the potential for exploitation.  The more deeply rooted a technology is, the greater the importance of stability, scalability, and, of course, security.

  1. Does Zigbee enhance the Smart Grid?
  2. Proven Security Practices for Smart Grid Security
  3. Guest Post: The Rule of All
  4. Security Around the World: EMEA
  5. Cloud Security Q&A: Different Approaches for SaaS, PaaS and IaaS

Posted at 2:02 PM
Tags: , , , , ,

Bookmark and Share

4 Responses to “Will the future of Smart Grids include smart security?”

  1. Proven Security Practices for Smart Grid Security « SecureThinking says:
    March 24, 2010 at 1:58 pm

    [...] my last post, “Will the future of Smart Grids include smart security?,” I talked about the impact of the Smart Grid (SG) and asked if Smart Grid’s inventors’ have [...]

    Reply
  2. Does Zigbee enhance the Smart Grid? « SecureThinking says:
    March 26, 2010 at 2:23 pm

    [...] Part #1 — Will the future of Smart Grids include smart security? [...]

    Reply
  3. Craig says:
    April 26, 2010 at 9:40 pm

    Jim,
    Can you give a couple examples of your statement, “This act alone is testament to the desire to ensure security is built-in from the beginning, which is a far cry from other scenarios in history.” Are you referring to other government sponsored changes or just private industry examples?

    Reply
  4. Jim says:
    August 3, 2010 at 3:43 pm

    @Craig – Sorry for the (very) long delay in responding to your question, I just happened to see this today, ouch.

    What I mean by other scenarios in history is both government and private sector developments in technology that were not created with security as a dominating feature of the solution. Just look at TCP/IP v4, security is virtually non-existent. The private sector is most challenged with this, especially in the application development space due to massive business pressure to reach deadlines – get it to work then secure it – which is actually quite understandable.

    As far as example, just look at early versions of certain protocols, such as SS7, NetBIOS or even IPX/SPX. Or even, staying on topic, the development SCADA, with DCS with PLC and RTU based systems that eventually included such things as DNP3 and ICCP – none are really what I would consider having included security capabilities. But like a lot of things, security is stacked on… like IEC 62351 for SCADA protocols, or TLS, SSL, IPSec for TCP/IP.

    There is – again, understandably – the desire to get it working and then secure it. But, we’re in the 21st century now and have a lot of experience and understanding of security threats, certainly more than 10-15 years ago. So, lack of security in early “stuff” can be explained away, but that is far from the case now. So, my point is, if we’re developing new “stuff” it must start with security and move outwardly from there.

    BTW… I have a lot of examples, but I figured the ones above would give a basic picture. If you want more and to discuss this topic further, please post it – I promise I will check for comments better in the future!

    -jim

    Reply

Leave a Reply