"Hacking" a smart meter or an entire grid requires no physical access -- just access to the same Internet connections used to manage the network. Reprinted with permission of MuniWireless.
With all due respect to the power companies, why should they even know how to spell IP? Their history in communications was to build stand-alone power facilities and substations connected with point-to-point microwave communication links (many times upgraded to their own dark fiber point-to-points). With this kind of money and private network capabilities, why would you ever worry about security? You lived on you own island with your own power and communications grid and everything was just fine.
Then came the smart grid. By definition, the smart grid requires a two-way digital technology to control appliances at consumers' homes to save energy, reduce cost and increase reliability and transparency. A big change for power companies and admittedly a whole new learning curve with many power companies like PG&E setting up their own test labs to begin learning this. (See Inside PGE's Smart Grid Lab -- Chris Knudsen, director of the technology innovation center at PG&E, shows what they're tinkering with).
It didn't take long for problems to occur. Again, you need to understand that even smart meters were just dusted off 20-year-old designs that were lying around waiting for someone to push the power companies into the 21st century. These designs were never meant to securely send and store data real time. It wasn't long before serious security issues were found and were reported by respected security firms like InGuardian and IOactive. And we are not talking about someone hacking your PC. When it comes to the power grid, the costs of remote hack attacks are potentially more dramatic. "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC," said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco. So now with little knowledge of the Internet and security the power companies have billions of dollars of grants in hand with one big problem. The grants mandate an iron-clad security platform.
To add to the smart-grid security problems some people think the power grid is the main target in the new battle in cyber wars. Richard Clarke, the former federal anti-terrorism czar, has now turned his attention to a new national security threat, putting an attack of the power grid on the front lines. In a recent Newsweek article, Clarke was quoted as saying, "The U.S. government, [National Security Administration], and military have tried to access the power grid's control systems from the public Internet. They've been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That's the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures."
So what can we do to secure the grid now while upgrading it to smart-grid capabilities?
Ed Smith, CEO of WirelessWall has one word, "Attack." Having a military background he understands that you begin an attack by crippling an enemy's communication and critical infrastructure. His civilian background has a long history of situational crisis management, using rapid response teams to facilitate the successful conclusion to crisis situations. Armed with security that exceeds the DoD 8100.2 (DoD Directive on wireless security) and FIPS 140-2 End-to-End Security that was developed for the U.S. Navy to provide secure, mobile shipboard networks, Smith knows he has an immediately implementable data security solution that is simply not being recognized.
"People in the civilian sector are not upgrading their security for business reasons, basically to save money, not for security reasons," said Smith. "That can be tolerated if you are protecting data that involves a loss of money, but it is inexcusable when the lack of protection of data involves the loss of life. Let there be no doubt that an attack on critical infrastructure is an act of war and it is absolutely appropriate to use an available military solution to protect civilian lives.
"We can't afford not to put good enough security in our power grids," continued Smith. "My company has offered our platform of higher security to VISA and others in the financial industry and made it clear that the retail industry POS terminals Data Security Standard (PCI DSS) has already been hacked, but nothing will be changed unless there are more attacks that cause greater losses. The PCI DSS standard will have to be raised, and ultimately will, but the smart power grid protection has to be implemented now."
Like the old David and Goliath story, the power companies need to start embracing smaller company expertise and leverage their learning curve. Like the security story of WirelessWall, the expertise of how to build these wireless network platforms resides in the companies that have had their products tested in real-world municipal, public safety and military environments. Companies like Tropos Networks, Trillium (SkyPilot), Mesh Dynamics, Strix Systems and Proxim, just to name a few, they were the trail blazers that learned along the way and can now bring tested wireless network expertise to the smart grid.
With secure wireless solutions out there, power companies need to leverage the expertise of these wireless pioneers that have been there, done that and are ready to support a secure a wireless smart grid network with their tested solutions.
Larry Karisny is the director of Project Safety.org and a consultant supporting local wireless broadband, smart grid, transportation and security platforms.