SmarTown™

Smart-Grid Security Will Force New Ways of Thinking

2012-01-05T18:45:00.001-05:00

Ignoring critical infrastructure security problems is no longer acceptable.

January 4, 2012 By Larry Karisny

Editor’s Note: Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.

Security attacks are real, validated, and are becoming more costly. According to security expert John McNabb, electric utilities assume they suffer about 10 percent losses to theft each year. The Edison Electric Institute estimates that in 2009, electric power companies earned more than $352.5 billion. That puts electricity theft alone at more than $35 billion, and doesn’t include the cost of peak production premiums and power outages that cost an additional $80 billion annually. All this could be curtailed by making the power grid intelligent and secure.

Adding intelligence to just the demand side of the power grid could produce savings estimated to be as high as 26 percent — a finding announced last month that came from a smart grid contest in Texas. Even with the cost of smart-grid upgrades estimated at $1.5 trillion by 2030, the efficiencies of adding secure intelligence to the power grid seem cost-effective. But none of this will happen without effective security.

Power grid security isn’t just about money. Personal security and national security are at stake. Appearing before the Senate Armed Services Committee in June, then-CIA Director Leon Panetta said, “The next Pearl Harbor could very well be a cyberattack that cripples our government, security and financial systems.” Power companies are beginning to take these threats seriously and are even beginning to disclose these threats in SEC filings. Con Edison isn’t the first utility to disclose cybersecurity as a serious threat in SEC filings, but it’s perhaps the first to describe cyberattacks as a stand-alone risk category. Failure to disclose such breaches or to follow North American Electric Reliability Corp. (NERC) compliance can cost power companies a million dollars a day in mandated penalties.

The threat of endangering personal data from hacked smart meters was recently demonstrated by Tony Flick and Justin Morehouse in a presentation at Defcon 18, which is available in its entirety on YouTube. Flick earlier wrote “Securing the Smart Grid: Next Generation Power Grid Security”, warning of these projected breaches. Threats to personal security and the national power grid are reaching critical mass.

Smart-Grid Security Chaos, Compliance and Collaboration

So how are we doing on securing power infrastructure? The latest Pike Research report on grid security said, ”Utility cybersecurity is in a state of near chaos.” With concerns about the chaos of vendors and regulations, Pike Research also observed a dawning awareness by utilities and vendors during the past 18 months of the importance of securing smart grids with architecturally sound solutions. But correcting these problems might be slowed down by spending billions of dollars on meeting federally mandated security compliance — rather than investing in the development and testing of security solutions.

There are signs, though, of a focused collaboration from the public and private sectors in methodologies to rapidly deploy grid security. A new demonstration project will be conducted jointly by partners Sensus, EnerNex and the Department of Energy’s Oak Ridge National Laboratory addressing this critical need for security. The three partners will collaborate on the project, dubbed the Automated Vulnerability Detection (AVUD) system. The system uses function extraction (FX) — a disruptive new technology platform that can detect and fix software-hardware issues before they become big problems. The system is designed to keep a step ahead of security threats rather than playing catch up as we are now doing.

Intrusion Prevention and Detection Are Key

Complexity within the smart grid boils down to several points. The “smart” part of the grid is a sensor talking to a communication link connected to a database. This is further simplified by the sensor and database information being basically a machine-to-machine application passing consistent data though the network.

In the simplest terms, security breaches occur basically for two reasons. The network wasn’t secure to begin with or someone got in that shouldn’t have. The industry separates these categories into two separate security solutions: One is called Intrusion Prevention Systems (IPS), and the other is called Intrusion Detection Systems (IDS). The two capabilities, combined in a security system, can pretty much keep the bad guys out.

The problem is we can no longer look at IPS and IDS solutions of the past when trying to secure the enormous amount of data now in the grid data. The old way of doing this is just too expensive, too complex, too slow and frankly doesn't get the job done. We must look for ways to simplify and improve security solutions.

New Applications Require New Thinking

Adding security solutions to the smart grid likely will be a massive task. With predictions of 1 trillion intelligent devices connected by 2015, we must learn quickly. These devices are no longer just computers or telephones. There are now billions of microchip devices with small processors offering specific “Internet of things” functionality that often doesn’t require any human intervention. These machine-to-machine devices are the new nerve endings of networks and applications; these devices offer intelligence to a variety of venues, from national critical infrastructure to intelligent home systems. The difference today is that we now have moved the demarcation of network intelligence from typical communication radios or gateways to intelligent microprocessing chips within smart devices. With this type of volume and small processing power, we need to look at new ways of adding security to intelligent networks and applications. Large companies like IBM, Lockheed Martin and Accenture are positioning themselves for a piece of this new $40 billion smart-grid security market. They are spending millions on development and are looking for partners and acquisitions in support of their solution product portfolios.

TLC Secure Inc., a company focusing on intrusion prevention in smart-grid security, looked at the potential complexity of managing Public Key Infrastructure and decided to offer a Layer 2 vendor and protocol-agnostic solution. Phil Smith CEO of TLC Secure Inc. said, "Sensors and their internal communication ports have been defined as the new point of breach in smart meters, as have SCADA operations in the smart grid. By encrypting at Layer 2, we secure everything above it and solve a lot of the vulnerabilities —and the problem of too much diversity and overcomplicated Layer 3 solutions with too little interoperability. This yields stronger blanket security, and greatly simplifies it as well.”

A white paper by John McNabb and companies like InGuardian and IOActive have already verified breaches in smart meters. Layer 3 network security alone is no longer the defining demarcation point of network security. Realizing this, TLC developed a security solution “offering true end-to-end IPS by securing the weakest link of smart networks, from database to the smart meter chipset."

Smart Networks Require Real-Time Detection

With many smart-grid database feeds now being real time, even Intrusion Detection System security needs to be looked at differently. A recent white paper written by Dr. David Chalk presented a new way of looking for real-time data anomalies, in a detection technique called “cyber forensics.” Rather than waiting for an unknown virus to be recognized by a massive global database, Decision Zone's approach historically mirrors what the smart application should be doing and then detects in real time any changes in these defined anomalies. Smart-grid sensor data is relatively simple and consistent, so these application parameters can be securely checked in control systems while flagging any changes in the defined application.

Chalk said, “Just the smart grid alone will collect massive amounts of data. With this much data being collected, typical IDS data-centric approaches for protection of the smart grid won't work. A paradigm shift to ‘process-based audit’ is needed. Decision Zone uses a discovery technology to generate the underlying process then adds a live causal audit application that can then identify any anomalous event to the underlying process prior to failure.“

Conclusion

We are trying to use older security technologies to secure more networks and network applications than we ever have. There is a rule of thumb in security that must be addressed if we are to move forward in protecting these massive intelligent networks: If we make the security solutions too expensive, too difficult to operate or too slow, people won't use them.

We must find simpler and more economical ways of addressing these critical needs in intelligent security. Securing the smart grid will be the defining proving ground for the new security solutions that will safeguard intelligent applications today and in the future. We need to focus on the funding and development of these critical security technologies if we are to enjoy the benefits of the future’s intelligent network applications.

2011-10-31T19:19:00.007-04:00

At Issue: How to Protect the Smart Grid From Cyberattacks

Electricity systems and the smart grid are becoming big targets for hackers. Photo courtesy sylvar / Flickr CC

October 31, 2011 By Wayne Hanson

Vehicles speed toward a railroad crossing as a train approaches. But the warning lights stay off and the gates remain open. Traffic signals blink out at numerous busy intersections, snarling traffic for miles. Pressure in a residential gas line spikes but sensors fail to warn the utility. A nuclear power plant overheats but the safety systems indicate things are normal.

Such systems — termed Supervisory Control and Data Acquisition (SCADA) — run unnoticed when functioning properly, but a malfunction can mean catastrophe. And now, added to the normal vulnerabilities in any mechanical or electrical system, are some new threats. These systems are now targets of cyberattacks from individual hackers, groups with some social or political agenda — even nations intent on creating havoc.

The threat is not science fiction. In an experiment caught on video and released on the Internet, an electrical power generator is hacked and damaged remotely. According to CNN, the experiment, dubbed “Aurora,” was conducted in 2007 by the U.S. Department of Energy. “DHS acknowledged the experiment involved controlled hacking into a replica of a power plant's control system,” said a CNN article. “Sources familiar with the test said researchers changed the operating cycle of the generator, sending it out of control.”

For more than 10 years hackers have managed to disrupt, damage or stop the operation of critical infrastructure. A report from the Black Hat information security conference outlines some of the better-known incidents. In 2000, hackers gained control of Russia’s Gazprom natural gas pipeline network, and in 2003, a worm attack shut down an Ohio nuclear power plant safety system. And computers seized in Al-Qaeda training camps had data on SCADA systems for dams and other infrastructure.

According to one industry paper, less well-known but more insidious attacks have been occurring for at least five years. Perhaps the most sophisticated attack of all was a Stuxnet worm attack on Iran’s uranium enrichment program, blamed by some on the U.S. and Israel.

In September, the Department of Homeland Security released a bulletin warning of threatened attacks on infrastructure by so-called “hacktivists.”

So what can utilities and local governments do to reduce vulnerability? One common-sense approach is to avoid exposing these systems to the Internet. A tutorial by DPS Telecom says: “For security reasons, SCADA data should be kept on closed LAN/WANs without exposing sensitive data to the open Internet.”

But removing SCADA networks from the Internet might prove expensive. “Using the Internet,” reads another industry report on the subject, “makes it simple to use standard Web browsers for data presentation, thus eliminating the need for proprietary host software. It also eliminates the cost and complexity of long-distance communications.”

As systems become more complex, intelligent and networked, some security problems may be solved while others are created. Larry Karisny, a frequent contributor to Digital Communities on the subject of the smart grid, answered some questions about this arcane but essential subject.

Digital Communities: How does one differentiate between all the different types of industrial control systems?

Karisny: The capabilities between these systems are beginning to blur in functionality as the technical limits that drove the designs of these various systems are no longer as much of an issue. From legacy telephony connections to small embedded controls attached to an industrial computer via a network, we are entering a whole new world in critical infrastructure system design. When you start interconnecting these system design functions you start detecting existing security problems or need to find new ways to secure these needed power-grid upgrades.

Historically weren’t SCADA systems closed and very hard to penetrate? For example, to disrupt the electrical supply in the past, someone would have to attack the physical components?

One of the biggest fears of power grid attacks is physical. When reviewing the components of the power grid, there were potential single-operator catastrophic physical vulnerabilities found in facilities. With a single lock on a door and no way of viewing the operator, video cameras are now put in power grid locations — understanding that even physical components and human intervention can add to security vulnerabilities. Some of the most catastrophic power generation failures were caused by a combination of equipment failure and operator error and/or human error. Adding intelligence to SCADA systems can actually offer instantaneous information that could detect and detour catastrophic energy production errors. Keeping the power grid dumb is really not an option in securing today’s power grid.

Some say, “For security reasons, SCADA data should be kept on closed LAN/WANs without exposing sensitive data to the open Internet.” Is that principle being violated? If so, why?

I recently participated in a webinar Duqu, the Precursor to the Next Stuxnet hosted by Security Week with Kevin Haley, director, of Symantec Security Technology and Response. Interestingly some SCADA system breaches in Europe were stand-alone closed systems. With investigations still in process, even these seemingly closed systems were breached without access from outside networks.

As for open Internet connecting to sensitive data, the answer is not just “Don't put Internet access in” — but also keep it out. I was in an SRI International research extension and showed the research facility director 10 SSID’s capable of campus wireless Internet access, including an unsecured connection from the coffee shop down the street. Add this to your closed LAN/WAN port access with some SCADA OS [operating system] software offering backdoor vulnerabilities, and what you consider a closed system may not be closed at all.

Some regions are rolling out smart-grid projects which provide feedback to households so customers can adjust energy use, get better rates at off-peak hours, and even generate their own power and feed it into the grid to “run the meter backward.” Won't all these additional network access points increase the vulnerability of the grid to hackers?

The main business case for adding intelligence to the power grid (smart grid) was based on collecting electrical demand-side usage information. By knowing peak and off-peak electrical usage (combined with rewarding or penalizing end-user habits) peak power production capital overbuilds and production operational costs could be greatly reduced. Some estimates showed that power production could be reduced by as much as 30 percent, sometimes completely eliminating the need of building a new power plant to the grid.

In addition, if new alternative energy resources were to be added to the power grid there needs to be measured intelligence capabilities to credit the addition of these new energy sources. Without adding intelligence to the electrical demand-side network edge, these demand-side benefits in our current power grids could not be achieved.

As millions of smart grid edge devices (smart meters) were deployed, security concerns became an issue. These security concerns are nothing new to power companies. Legacy electromechanical meters have been run backward for years and are one of the main reasons (preventing electrical theft) China and India are upgrading to smart meters. We need to add network edge intelligence to our power grids while securing the collection of information from the device chip set to the local power-grid data collector. Connecting millions of these smart meters with end-to-end security needs to be done and can be. Smart grid networks should be designed to limit potential network demand-side breaches while isolating internal SCADA systems and networks from demand-side systems and networks.

What can local governments do to lower the vulnerability of critical city and county utilities and other SCADA-managed systems?

Power companies are not the only entities needing to upgrade security for their SCADA systems. SCADA is used in many critical infrastructure systems including manufacturing, production, power generation, fabrication, refining, water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, public safety, civil defense, large communication systems, buildings, transportation systems, airports, ships and even space stations. As these systems begin to connect to other control systems they all need one thing in common: a private local wireless and secure IP network.

With tight city and county budgets, building a private IP network for most cities and counties is out of the question. Collaboration with multiple government agencies and private-sector communication entities needs to occur if they are to accomplish the building of this secure network supporting critical infrastructure systems and applications. Building a network for the smart grid offers a big opportunity here. The power company could be the seed anchor tenant because it already owns massive communication fiber-optic and wireless infrastructures and has deep pockets in capital investment for supporting these needed local network upgrades.

Cities and counties have the relationships with the power companies and sometimes even publicly owned assets to support these network build-outs. The smart grid should be viewed as the first step in building the networks we need in securing local SCADA critical infrastructure. Collaboration by the public and private sectors can make this happen. In addition, edge security solutions available today could allow the economical and secure sharing of these needed local wireless IP networks for multiple users and applications. These steps would address the vulnerabilities while reducing the costs of these critically needed security requirements of city and county critical infrastructure.

2011-10-26T20:01:00.010-04:00

The Stuxnet 2, Coming to a SCADA System Near You!

Smart Grids

Hackers Target Critical Infrastructure

October 26, 2011 By Larry Karisny

With a new Stuxnet 2 (W32.Duqu) now found and the Department of Homeland Security warning of a possible security attack by Anonymous, it probably is a good start to define some security solutions to protect these critical infrastructure targets. Breaching these supervisory control and data acquisition systems (SCADA) could bring our country’s safety and economy to their knees.

One good thing that came out of designing intelligence for the smart grid was we that had to take a look at how to securely integrate some old, transitioning and new-grid technologies into stand-alone, local or regional control centers. A big part of these control centers are SCADA systems that monitor and control industrial, infrastructure and facility-based processes. These control systems in many more areas than the power-grid facilities. They can be found in manufacturing, production, power generation, fabrication, refining, water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense sirens systems, large communication systems, buildings, airports, ships and space stations, just to name a few. Some of the debilitating security warnings that were found in the smart grid unfortunately are not limited just to power-grid SCADA infrastructure.

No matter how new or old the technology, there are tremendous concerns about how to secure these core supervisory control systems and their interconnected intelligent networks. Whether physically pulling down a mechanical switch, pushing a button on an electromechanical device or operating an intelligent smart grid from a centralized network operation center (NOC) — they all have inherent security vulnerabilities. There are those who say that we should delay any digital intelligent modernizing of our power grid. So while moving forward, we need to do this in stages, watching security at every point.

Richard Clarke’s bookCyber War warns of cyber-attacks on the smart grid but also demonstrates an existing ability to breach and take down our legacy power grid infrastructure. Simply doing nothing is not an option in securing the power grid or any critical infrastructure. Countries like India, China and Brazil are moving forward with smart-grid deployments as fast as they can. They recognize the benefits that intelligent networked systems would offer in eliminating power theft while improving their global energy cost competitiveness. They see these benefits far outweighing any catastrophic system security breach and have massive smart-grid deployment in process. So what are the real answers in addressing critical infrastructure security today? Just three things need to be done, and they need to be done simultaneously.

Evaluate Current Security Vulnerabilities

From physical security, to legacy and extended networks, there is a lot of work to be done to address critical infrastructure security. Critical infrastructure facilities can't just hunker down and hope an attack doesn't happen. From simple personal procedures to complete intrusion detection studies, the potential vulnerabilities must be targeted before they are breached. There are automated methodologies that are being developed, though, that may rapidly address these requirements.

To expedite and future-proof security evaluations, Sensus, EnerNex and the Oak Ridge National Laboratory (ORNL) are working on an advanced security demonstration project called the Automated Vulnerability Detection system (AVUD). This project is aimed at developing a cyber-security system for smart energy meters and other advanced grid technologies. The project will use a Function Extraction (FX) technology evaluation platform developed by ORNL to find and fix security issues before they actually cause problems. The initial project is targeting advanced meter infrastructure (AMI) systems. With millions of smart meters ready to deploy, this can't happen soon enough.

Focus on Prevention

If there was ever a security industry award for the best metaphor, the word “virus” perfectly explains what can happen without preventive measures in systems and network security. Just like measures against colds and flu, it seems we are now beginning to focus more on prevention than detection. This is why intrusion prevention systems (IPS) are so critical in SCADA systems. IPS can securely cloak systems with frame-to-frame encryption even to the layer 2 level. This could eliminate port and application vulnerabilities right down to the device chip set. It can eliminate man-in-the-middle (MITM) spoofing/sniffing risks or denial-of-service (DoS) vulnerabilities while enabling strong security on even legacy devices.

Because IPS is inline with the traffic flows on a network, it can shut down attempted network edge attacks, stop attacks by terminating the network connections or user/device session origination. Attack responses can include targeting from the user account, IPS address or other attribute associated with that attacker, or blocking all access to the targeted host, service or application. It seems like an obvious first choice. Don't let the security breaches in.

Detection and Prevention a Natural Mix

Then there is an intrusion detection system (IDS). This system is passive, watching packets of data traverse the network from a monitoring port, comparing the traffic to configured rules, and setting off an alarm if it detects anything suspicious. With Stuxnet 2 (W32.Duqu) now a big concern, we need systems that can detect these now more serious security attack methodologies. These new attacks are now targeting information for SCADA systems used to control machinery and other key critical infrastructure operations.

Although IDS has great value, just seeing the problem is not enough. There must be system security solutions put in place to immediately react to security breaches. This is why bundling both IPS and IDS solutions together seems to be the direction many companies are taking in their security product lines, including recent corporate mergers and acquisitions.

In Conclusion

The AVUD project by Sensus, EnerNex and the Oak Ridge National Laboratory is a good sign of public-private sector cooperation in addressing critical infrastructure security. There has been too much oversight and finger pointing in the past and not enough action. Hopefully the responsible collaboration will be used as a model of how to work together in securing our critical infrastructure. This sure will be different than the “build first, then secure it” methodologies that have been so prevalent in the past. Look at security first and prepare for the future security risks. This is almost too good to believe.

Securing the Intellectual Property of Smart Grid Security

2011-08-28T20:50:00.002-04:00

Theodore Wood

A unique view to the realities of cybersecurity.

August 25, 2011 By Larry Karisny

Theodore Wood's job, at D.C.-based Sterne Kessler Goldstein & Fox, is the discovery and protection of intellectual property in things like smart-grid security. From international cyber security espionage to plain old American ingenuity, Wood offers a unique view to the realities of cybersecurity.

Karisny: Your Grid Industry Group responsibilities for Sterne Kessler Goldstein & Fox include an interesting intellectual property focus, especially in light of the recent cybersecurity attacks. I am beginning to wonder which IP we are protecting, Intellectual Property or Internet Protocol. How serious do you see these attacks and is our critical infrastructure like the power grid a target?

Wood: Our Grid Industry Group focuses on companies that innovate to protect and enhance the resiliency of our power grid. And cybersecurity is one of the primary areas where companies are heavily innovating. Therefore, we follow the cybersecurity challenges, technologies, and guidelines pretty closely. With respect to the cybersecurity attacks, I think you're referring to recent attacks on the IT (information technology) systems of targets such as Sony's online gaming site, various government sites like the senate and the CIA, companies such as Google, a host of credit card companies and several others. We absolutely see these attacks as extremely critical, primarily because they seem to demonstrate a level of success, persistence and an increasing level of organization by the attackers. Fortunately, it doesn't appear that our critical infrastructure has been attacked in the same way as these other sites. But there is little question that critical infrastructure, like the grid, will eventually be targeted. And a successful attack on the grid would be totally devastating, with national security implications.

We all are familiar with former CIA Director Leon Panetta's comments stating that the next Pearl Harbor could be a cyber attack that cripples our electric grid. I'm also reminded of a recent story by Good Morning America, relying on a report from the Department of Homeland Security. This story noted the possibility that sabotage by insiders at a major utility facility could provide Al Qaeda the opportunity for a massive September 11 anniversary attack. And Richard Clarke, in his new book entitled Cyber War, states that the "clearest example of vulnerability brought on by computer controls happens to be the one system that everything else depends upon: the electric power grid." These are just a few examples of recent public comments about vulnerabilities of our critical infrastructure.

Karisny: The words Cyber, Internet, IT and IP sometime get blurred when they are actually very different especially when it comes to security. Can you give some examples that may differ?

Wood: A big part of the reason for the increased risk is due to the Internet Protocol based networks that interconnect our critical infrastructure to global networks. The interconnected systems may be an IT system, or an industrial control system (ICS). Traditional IT systems include components such as routers, network interface controllers and servers. A traditional ICS includes components such as distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLCs), all of which are used in industries like water, transportation, manufacturing, oil and natural gas, and electricity. These ICS components do things like facilitate data collection from remote locations, control valves, trip breakers, operate relays, monitor alarms etc. Many of these ICS components are integrated with various legacy systems that were not developed with security in mind. The Internet Protocol considerations play a big role because most often the underlying protocol provides the extensive connectivity by which unauthorized and/or malicious persons, machines, or code gain access to these critical systems. But cybersecurity must also consider factors that are unique to each type of system, whether IT or ICS, to ensure that even if unauthorized access is made, damages can be minimized.

Karisny: Knowing networks are different, where should we be focused in protecting critical infrastructure security?

Wood: In my view, the IT/ICS distinction I just mentioned is significant to the discussion of where to focus cybersecurity solutions. Here is the significance: There is a growing recognition that cybersecurity solutions designed for IT systems may not apply to an ICS. Additionally, ICS have different performance and reliability requirements that typical IT support personnel may be unfamiliar with. On the other hand, there are some similarities between ICS and IT systems that create an overlap with some of the cybersecurity solutions. For example, many of the lower-cost IT solutions are now being applied to ICS. But many of these IT solutions fail to provide the security isolation needed by an ICS. As I mentioned earlier, ICSs are employed extensively in our critical infrastructure which creates these sorts of unimaginable consequences if attacked successfully.

A recent Homeland Security Newswire story ... pointed out that the large number of high profile cyber attacks on major corporations and government entities has driven a sharp increase in cybersecurity spending. I would submit, however, that the majority of this spending has been on IT cyber security and not necessarily critical infrastructure ICS cybersecurity. Therefore, we still need something to spur or trigger R&D, innovation, and investment in critical infrastructure ICS cybersecurity. I believe the trigger for this additional R&D, innovation and investment is quality intellectual property (IP). By providing creative incentives, the U.S. Patent and Trademark Office (PTO) can play a pivotal role in the development and protection of IP related to ICS cybersecurity. And if done correctly, this would help ensure that cybersecurity innovations and technologies are more commercially attractive for vendors to develop and for investors to fund.

Karisny: You come from a military background that addressed security on a "need to know" basis and we now live in an age of social networking. Is there some common-sense approach to protecting Intellectual Property in this very open world we live in?

Wood: When I was active duty Air Force, we would simply stamp everything as "secret" and ask questions later. I'm of course exaggerating, but only just a little. For very good reasons, many innovations related to cybersecurity and encryption have been kept by companies as "trade secrets." And there are still a lot of good reasons for protecting IP in this manner. The problem today, however, is two words: "social networking." Twitter, Facebook, LinkedIn discussion groups, and professional blogs provide excellent forums for in-depth technical discussions. I participate in many of these discussions and monitor many others. But when you read the content of these discussions carefully you can't help but wonder how much of the information being discussed, perhaps unknowingly, is some company’s trade secrets. And once publicly disclosed, a trade secret is no longer proprietary and can be used by a company's competitors. Social networking also, unfortunately I might add, provides a convenient way for a disgruntled employee to easily and maliciously disseminate large amounts of proprietary information. Therefore, the tendency to rely only on trade secret protection for all cybersecurity and encryption innovations may be too risky. So wherever possible, companies should protect their key IP by filing for patents early in the development process. Once you file for patent protection of your idea, most of the issues related to trade secret protection, such as those noted above, disappear.

Having said that, the military’s "need to know" based policy was directed at national security concerns. Some of the innovations for cybersecurity, even in the defensive sphere, may be considered as important to national security. The PTO has a procedure to filter such applications and process them separately, striking a balance between protecting national security and protecting inventor rights.

Karisny:. Do you think the stimulus funds directed towards smart meters and not security may be the cart before the horse?

Wood: Don’t want to go that far, but there is certainly an imbalance that must be corrected. Smart meters serve an important consumer function enabling a much more efficient use of electricity, which benefits electricity producers and consumers. As you may be aware from a recent Forbes article, about 75 percent of 2009 stimulus dollars were directed to smart meters. I'm not advocating reducing the amount of spending on smart meters. But I do believe that we need to increase the amount of spending in ICS cybersecurity. As I stated a little earlier, we need to create more incentives for companies and individuals to innovate and invest at the infrastructure end (ICS) rather than, or as well as, at the consumer (IT) end. Grid security used to be exclusively the concern of the power generation companies. But this is no longer true with the expansion of smart grid. A lot of new players are in positions to play a role in securing the grid. So healthy competition can also be used to trigger innovation in this field. Increased spending can certainly help this process.

Karisny:. If we are to address security in areas like the smart grid, how should you protect the Intellectual Property that in turn will protect the network? Power companies are saying who are you, come on in, lock the door, sign this very enforceable non-disclosure and don't expect to get your tested equipment back. What are your suggestions for Intellectual Property protection in this sensitive area of critical infrastructure security?

Wood: I believe the answer to this question is creativity and innovation. Before addressing the IP aspect of your question, I would like to comment on what I mean by creativity and innovation. This past June, I had the privilege of attending the annual conference for a group called the National Electric Sector Cyber Security Organization Resource (NESCOR), managed by the Electric Power Research Institute (EPRI). I think that NESCOR is a pretty creative and innovative concept. NESCOR is the research and analysis arm of National Electric Sector Cyber Security Organization (NESCO) which is a public-private partnership that serves as a focal point to bring together utilities, federal agencies, researchers, vendors and academics. And from what I understand, they're kind of a think tank that helps focus cybersecurity R&D priorities, collect and analyze critical infrastructure vulnerabilities and threats, as well as collaboratively develop solutions in real-time. This group was established by Congress and is funded by the Department of Energy to act as a quick reaction solutions oriented group of super smart people. I believe that groups like this public-private partnership will be crucial to the development of ICS cybersecurity. I also believe that groups like NESCOR make it easier for power companies to discuss potential vulnerabilities in a forum that focuses on solutions instead of penalties.

In my opinion, IP professionals should be involved in these public-private partnerships. By partnering with groups such as NESCOR, at a very early stage of the innovation and technology development process, the IP professionals can help companies develop effective IP strategies that identify and protect the correct IP -- IP they can [use] to facilitate early-stage funding.

Answering the question from a different perspective, the old power company model may have been adequate for earlier times. Then, threats to the grid were low and didn’t originate from all corners of the world. Also, the relevance of our economy and national security on the grid was much less than now. As mentioned earlier, in addition to the relative increase in threats to the grid, with smart grid, the number of stakeholders, or entities in a position to protect the grid, has increased. So while for some innovations, plain and simple secrecy and a non-disclosure agreement will do, I would suggest that a large portion of innovation should be protected not only by U.S. patents, but by international patents as well.

The U.S. is in a position to lead in this sector because we have to innovate now to protect our networks and grid, whereas other countries have nowhere near the same threat at the moment. The rest of the world, however, will eventually face the same problems. With this said, U.S. companies that innovate now may be in a better position to leverage their IP internationally.

Karisny:. There have been some reports of China breaching our power grids. When you have people like this who are not going to play by the rules what good is a legal IP document?

Wood: I'm aware of reports that claim hackers from China, and other nation states, have breached our power grid. You are right in that IP is not the answer to those elements. In fact in many of those cases, the goal of the hackers is the theft of IP. IP rights are designed to incentivize companies and individuals to innovate. A properly calibrated IP system, where companies or individuals can acquire IP rights in a timely manner, and be rewarded for their innovations, is what is needed to jumpstart critical infrastructure cyber security in resiliency-enhancing innovations. This process will ultimately help securitize our nation’s critical infrastructure. So, although IP rights are not a direct answer to hackers and other cyber criminals, as the threats get more frequent and more serious, the companies with IP rights in various solutions can stand to benefit tremendously from monetization of this IP.

Karisny: We are beginning to see the need for interoperable security all the way from DOD to someone's house. Living in Florida I have witnessed hurricane infrastructure destruction that makes it absolutely necessary for all government agencies and the private sector to securely and interoperably communicate. Could the smart grid be the beginning of this locally needed smart secure wireless IP infrastructure?

Wood: I think we have seen again and again that increased interconnectivity and interoperability produces huge benefits in efficiencies. So that is where we should go. The smart grid, as envisioned, will be an extensive part of this interconnectivity -- ultimately increasing the grid’s resilience to natural or other disasters (e.g., multiple built in redundancies). So, it stands to reason that the smart grid is a part of the extensive secure communication medium, such as you mentioned.

Karisny:. We are entering into a massive wireless device market with the majority of these wireless connections being machine to machine. Should machine to machine security and person to machine security be looked at differently?

Wood: There may be differences in the physical security measures. But, other than that, we should not make assumptions about whether the malicious infiltration is by a person or a machine. The massive growth in wireless devices, many of them directly or indirectly connected to the grid, dramatically increases the potential entry points through which malicious elements (rogue machines, malicious code, or persons) access the grid. The threat of massive denial of service attacks will increase. Harmful code can propagate to numerous entry points, making the defense against such harmful code difficult. These entry points will also make difficult the eventual cleanup of the harmful code. Each of these entry points should be monitored and protected against malicious machine as well as human access. In addition, the network perimeters around the critical infrastructure should ideally be protected in a layered manner. The critical systems themselves may be protected by restricting the entry points and implementing stringent access monitoring. These systems may also be protected by taking additional steps that may be necessary to protect the particular control systems.

Karisny: We are beyond media hype with the recent cyber security attacks. What should be our immediate response strategy be to these cyber breaches as it relates to your focus in our nation’s critical infrastructure.

Wood: Clearly we need to use the full force of our laws to track down and punish cyber criminals who attack our critical infrastructure. We also need to close the technical holes through which these attacks happen. In the short term, perhaps steps such as physically separating critical infrastructure networks may be part of the answer. However, in the long term, and from an efficiency standpoint, we want enhanced interconnectivity. In order to maintain this extensive interconnectivity we must have adequate monitoring, along with systems and strategies to protect, detect, and defend with respect to cyber threats.

Karisny:. You are based in the Washington, D.C., Metro area. Is DC listening as it relates to cyber attacks and if you could get your message all the way to the top, what would it be?

Wood: Washington already recognizes the urgent need for effective cybersecurity. But we must more efficiently harness American ingenuity to address the challenges we are facing in defending our critical infrastructure, especially the power grid, from cyber threats. One of the best ways to ensure proper ingenuity is focused on cybersecurity is to facilitate the protection of IP rights so that innovators can be rewarded for their work in this area.

Theodore Wood is a key member of the firm's Grid Industry Group, where he focuses on helping innovators involved with ensuring power grid resiliency in an evolving smart grid infrastructure. Wood's work before the United States Patent and Trademark Office includes patent application preparation and prosecution, reissue, reexamination, and appeals before the Board of Patent Appeals and Interferences. He has served the role of virtual in-house IP counsel for several high technology emerging companies, where he developed programs to identify, protect, manage and commercialize IP assets. Wood has worked on intellectual property matters involving many technologies, including electronics, computer graphics, computer architecture, networks, and network protocols, telecommunications networks, wireless communication systems, e-commerce and Internet applications, GPS location-based services, intelligent vehicle systems, automotive systems, and medical devices.

Larry Karisny is the Director of Project Safety.org , a smart grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.

Cyber Wars Start, is the Power Grid Next?

2011-08-06T17:55:00.001-04:00

Smart Grid Security

August 4, 2011 By Larry Karisny

Recent reports have clearly demonstrated that cyber wars are real and happening. So what are the implications and when are people going to at last take notice? Forbes reported recent attacks included an unprecedented series of cyber attacks on the networks of 72 organizations globally -- including the United Nations, governments and corporations -- over a five-year period. The White House as of yet has not disclosed the organizations effected by this most recent attack dubbed "Operation Shady RAT."

So what are people who live, eat and breathe this stuff every day saying? I am part of a group that has been discussing this in a Smart Grid Security group headlined, "The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems." The discussion started 14 days ago and with the recent events I thought some of the comments are very appropriate and I would like to share them.

Theodore Wood, Partner and Patent Lawyer at Sterne Kessler Goldstein & Fox
"I believe we have to direct more of our immediate attention and grid-related stimulus spending toward enhancing the resiliency of the existing grid. William Pentland’s article in Forbes this past May, discusses his finding that about 75 percent of the 2009 federal stimulus dollars have been directed to advanced metering infrastructure (AMI). Our own research and analysis of IP in these areas supports this contention. However, in order to have a more direct impact on grid security, we need more direct investment in cyber resiliency strategies (hardware and software), including things such as strong encryption and key management techniques, network access control, intrusion response systems, rootkit detection, etc. I believe that an infusion of federal spending into these areas will spur R&D, facilitate development of quality IP, and help ensure that cyber security innovation and technology are more commercially attractive from both the vendors' and investors' perspectives."

Andrew Wright, CTO at N-Dimension Solutions
“I agree with Ted regarding the need for more economic stimulus for grid resiliency and cyber security. Of the $4.3 billion ARRA funding, most of it went to smart meters, MDMs [Meter Data Management], and consultants, and relatively little to real security. And in any case, that was 100 out of 3,300 utilities in the U.S. We need to change the economic equation so that utilities do not have to prioritize security against other technologies, and the best way to do that is to build security in. But that needs economic incentives for manufacturers to spend time on security functions rather than others. IP protections for grid resiliency is one way to do this.”

Joe Weiss, Managing Partner at Applied Control Solutions, LLC
"As an engineer, there is no doubt it is technically possible to do this -- I am not a threat analyst and so cannot say why it has or has not happened. Stuxnet should be a glaring example of its potential. I had this specific discussion with Richard Clarke many years ago and provided several reasons why it could happen and yet not be public. There are minimal control system cyber forensics so when there have been major infrastructure failures, it is generally not possible to determine if cyber was involved. There already have been numerous significant control system cyber incidents in the U.S. that have killed people, caused major electric outages, shut down nuclear plants, etc. When a critical infrastructure incident does occur, there is a reticence by the government to acknowledge it is a cyber incident. I believe the lack of control system cyber forensics and end-users unwillingness to report has stifled progress on securing industrial control systems."

Stacy Bresler at National Electric Sector Cybersecurity Organization
“Reporting cyber incidents or potential incidents is an issue. Being a former cyber security manager at a large asset owner, I understand the lack of willingness to report. Currently the mandate to report a cyber incident is to the ES-ISAC which is essentially the regulator despite claims of dividing lines within their organization. That alone is a deterrent for more reporting. I'm with Joe on this ... I don't think our intelligence agencies always have the facts put together before they make blanket statements. We do need better tools to help in forensic efforts but that needs to be coupled with proper training for those in the field. There are forensic experts out there and I believe ICS-CERT has a jump team on the ready ... but I don't think that is enough. We definitely do not have an aggregated view of what is really going on and we can't manage what we can't measure!"

Robert Cragie Consultant for HAN/Smart Energy/Security at Pacific Gas & Electric
"The 80/20 rule applies here. With a relatively small amount of effort you would get a huge improvement in security. ICS manufacturers and implementers have to wake up to the fact that their ancient systems need to be brought up-to-date using security procedures (business process, physical and cyber) commonplace in IT and telecoms infrastructures. The INL SCADA evaluation report highlights the woeful lack of security in electricity T&D substations, e.g. adding dial-up modems with no cyber security protection to substation equipment still using default passwords so a maintenance operator can control remotely. Stuxnet was clever but still propagated by the practice of passing USB flash drives around with the virus on. Back in the day, it was floppy disks which spread viruses in this way. Do we never learn?"

This is what the people who work on these issues are seeing. There is always some hype but there is also some things that are not disclosed. From simple fixes to a clear need to invest into new cyber security solutions, the war is on and the war is real. God bless our military and their efforts in securing our country but if our national power grid goes down our losses could be much greater.

Larry Karisny is the Director of Project Safety.org, smart grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure. Reprint courtesy of MuniWireless

Smart-Grid Security, A Trillion-Dollar Boom or Bust

2011-05-12T13:54:00.001-04:00

Smart Grids

May 12, 2011 By Larry Karisny

In watching smart-grid deployments early on I always wondered when the smart-grid security flashing red light bulb was going to go on. Andy Bochman is an IBM security lead who hates security fear mongering but even he couldn't deny the facts about a series of power-grid security breaches this spring in a recent blog post. And when U.S. senators like Richard Burr start calling to slow down the implementation of smart-grid technology you know there's a problem. I appreciate the recognition and concerns of power-grid security issues but just stopping the smart grid isn't an answer or even an option. We need to understand that even current legacy power-grid networks have serious security flaws. In fact the only way to protect these current legacy-grid designs from security breaches is to give these power-grid components visibility through secure interactive network intelligence (the smart grid). So like it or not we need to use these new smart-grid technologies to add security even on our current power grids.

The Threat Recognized

When I fear monger I like quoting the greatest fear monger of them all, Richard Clarke. In his book, Cyber War: The Next Threat to National Security and What to Do About It, he warns of both present day legacy power-grid vulnerabilities and future cyber attacks on the grid. From gas pipelines exploding to blinding the greatest military power in the world, Clarke defines just how catastrophic it would be to have a national power outage. A Wired article earlier quoted Matthew Carpenter, senior security analyst of InGuardian as saying: “The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC.” It's not like we are losing a few family pictures. In fact there are reports that if we have a national power outage, by day eight we could lose as much as 30 percent of our GNP.

Hurry Up, Wait, and Hurry Up Again

So what happened and why are we just now recognizing power-grid security problems? Well, it's the old story: hurry up and wait and hurry up again. We were in a hurry to gain the saving benefits of the smart grid so we start building it and putting security on the back burner. We then validated some security vulnerabilities and recognized that these potential security breaches in the power grid could be catastrophic. So we put a road map together for what we need to do to fix these security problems -- even for legacy and existing smart-grid networks already staged or deployed. So why will they do something now? Because, if we don't get security in the smart grid -- and fast -- we will lose a lot of money.

A Trillion Here a Trillion There

In my article "Will Security Start or Stop the Smart Grid?" I warned that if we did not address security first it could bring smart-grid deployment and investment to a halt. So how important is this and how much money are we talking about? First let's put the smart grid into perspective in both investment and return on investment. The Electric Power Research Institute (EPRI) estimated the costs for a fully developed smart grid could reach $476 billion with benefits up to $2 trillion. These dollar amounts are no small potatoes and could affect global competitiveness. CleanTechGrid lists hundreds of companies with thousands of employees that are currently working in the smart-grid industry. With job creation and energy savings like this we can't just stop building the smart grid. IBM gets it and predicts one trillion devices connected by 2015.

The smart grid is just one part of this massive marketplace. From smartphones, ATMs, retail kiosks, traffic systems, meters, buildings to sensors -- all these devices will be connected to local wireless IP infrastructure and all will need security. With network infrastructure like Florida Power and Light FiberNet already in place, power companies could be the anchor tenant and supplier that municipal wireless networks have been looking for. The smart grid is the beginning of more intelligent wireless applications and we can't afford to stop it now.

The Road Map is Done

NIST has recently refined some guidelines as they pertain to smart-grid security. A recent NIST Tech Beat release, "Smart Grid Panel Agrees on Standards for Wireless Communication, Meter Upgrades" lists a series of “Priority Action Plans,” or PAPs. PAP 2’s goal is to specify wireless technology performance that is "grid-worthy." These seem to be realistic goals and requirements and at last puts smart-grid vendors on notice that they need to fill important gaps to assure the interoperability, reliability and security of smart-grid components. Security is no longer just an afterthought. It needs to be an integral part of smart-grid solutions and must be deployed in every step along the way.

The Solution

To get us back on track we need solutions that offer grid-worthy security that can be economically and rapidly deployed. This solution has to be vendor-agnostic and capable of working with both legacy and new grid networks. This security must also be able to work with multi-protocol hybrid network combinations. Last but not least, these security technologies need to be fast, have low overhead and be scalable. Seems like a tough request but again and again, I see the smart grid and many edge device security requirements point toward layer 2 security. A recent paper by the Grid-Interop Forum called "Interoperability and Security for Converged Smart Grid Networks" highlights these unique layer 2 security capabilities that were approved by NIST for federal systems and explains how useful these same capabilities could be in securing the smart grid. With a lot of money on the line and a lot of pressure to rapidly get the smart grid secured and up and running, we are left with few other alternatives. We need to start testing and investing in these layer 2 security solutions and get them deployed on the power grid. We can't afford not to.

Reprint courtesy of MuniWireless. Larry Karisny is the director of Project Safety.org, consultant, writer and industry speaker focusing on security solutions for public and private wireless broadband networks. Next speaking engagement, Smart Gird Virtual Summit June 29th-30th, "Securing the Emerging Smart Grid: A Panel Discussion."

Japanese Earthquake and Tsunami, Spread and Secure the Grid

2011-03-17T12:23:00.001-04:00

March 16, 2011 By Larry Karisny

In a recent smart-grid summit at the Miami Beach Convention Center, the power went out right in the middle of a smart-grid security-panel discussion between Southern Power, Cisco and Atmel when the lights dimmed falling back to alternative power. To the audience, it was just a minor inconvenience. Florida after a hurricane is another matter, and Japan is now facing catastrophic events with the recent earthquake, tsunami and radiation leakage from the Fukushima nuclear power plant.

With Japan in mind, we need to further define the importance of smart grids, their design and their security requirements. As seen, the potential lose of power though natural or man-made causes can range from an inconvenience to a global catastrophe.

First and foremost the loss of life and the continued suffering of the Japanese nation is recognized and requires immediate global attention and support. We also need to learn from events as they relate to the policies and technology of global smart-grid initiatives.

A recent article by Christine Hertzog , Catastrophe and Grid Resiliency reported that the regional utility, Tokyo Electric Power Company (TEPCO) instituted rolling blackouts to address a 25 percent shortfall in generation capacity. This statistic alone clearly defines how centralized power and distribution (nuclear or not) are potentially big problems when destroyed by natural or man-made catastrophic events.

The results of centralized power production, transmission and distribution combined with limited power grid network intelligence is being clearly demonstrated in Japan. Another article in intelligentutility, Smart Grid More Attractive, Post-Japan noted if smart grid demand-response plans were in place, the utility (Tepco) could have avoided cutting power to Tokyo's rail service, which apparently compounded the national sense of confusion and resulting economic fallout.

This same lack of grid intelligence is responsible for many costly power outages. A study conducted by Lawrence Berkeley National Laboratory (Berkeley Lab) researchers Kristina Hamachi-LaCommare and Joe Eto for the U.S. Department of Energy’s Office of Electric Transmission and Distribution estimates that electric power outages and blackouts cost the U.S. about $80 billion annually. The need for grid intelligence and a more resilient and intelligent power-grid infrastructure is clear.

Although natural disasters offer chilling examples of power infrastructure devastation they really are not the biggest threat to our global power infrastructures. Limited power-grid security combined with centralized power production and distribution would cause massive outages if breached. These little publicized breaches have occurred globally and are becoming more of a concern in both existing legacy-grid networks and new smart-grid network designs.

A recent InfoSec Island article, Scientists Decry Cyberwar as Governments Respond by Dan Dieterle clearly reported the concerns of cyber attacks on our power grid quoting the concerns of high-level government officials and scientists. There is little doubt in the article about the potential of a power grid breach. The question is how to defend against an attack.

Both grid security and resiliency need to be built in all current production, transmission, distribution and demand grid sectors. We can accomplish this by designing power production sources with secure and interoperable micro grids that can support both existing and upcoming alternative power sources. Power production differs depending on what the source of power and cannot always be decentralized. A good example is Hydro One harnessing the power of Niagara Falls. There is no one size fits all when designing power requirements for a region but now is the time to recognize the importance of properly building more diverse and secure smart-grid topologies. The modern smart grid is designed to become more reliable, safe and secure. It is these very attributes that Japan needs today. As we support this great nation in their difficult time and address this terrible disaster, let’s also use this opportunity to reflect on building a smart-grid infrastructure that will securely serve our needs today and for many years to come.

2011-02-20T08:25:00.001-05:00

February 10, 2011

The Show Must Go On: Larry Karisny Partakes and Presents at Smart Grid Summit in Miami

By Jaclyn Allard

TMCnet Copy Editor

As TMC Smart Grid Contributor and founder of Intelligent Communications Partners, Jon Arnold (News - Alert), recapped from the recent Smart Grid Summit, “Leading the cybersecurity session was all-around good guy Larry Karisny of WirelessWall, along with speakers Tony Flick of FYRM Associates and Christopher Gorog of Atmel (News - Alert) Corp. Karisny has a strong background in this space, and cited extensive sources to document the threats, all of which were reinforced by Flick and Gorog’s technical expertise.”

Story continues below ↓

Karisny began his presentation, “How to Build Security with Intelligence,” and quoted a number of Smart Grid industry leaders including Vint Serf, the “Godfather of the Internet,” as well as Kim Zetter and Bob Lockhart, to name a few. Karisny from that point on took the Smart Grid Summit by storm, a highlighted speaker and moderator displaying his extensive knowledge of the smart grid industry.

Keeping newcomers to the Summit and fresh faces to the industry in mind, Karisny simplified the understanding of smart grid as a lot of networks, or a bunch of small clouds that are connected; however, this needs to be done on a layer basis. “Smart Grid is not your typical telco network; it is much more complex,” Karisny said.

As TMC’s (News - Alert) onsite editor, Stefanie Mosca, reported live from the show, all in all, Karisny left the audience with a number of suggestions on how to tackle smart grid security issues as they come, as well as offered proactive advice in targeting the security problems before they actually begin. Karisny highlighted that it is important to address the most crucial security issues first and using high-end, yet simple security solutions to do so.

Karisny admitted recently in an article that “To get the most out of an industry convention summit, be a moderator, speaker and audience participant. I had that opportunity at the Smart-Grid Summit in Miami Beach last week. While stranded visitors from the north enjoyed highs of 81 in Miami Beach, the summit proved to be one of the most informative smart-grid discussions ever.” And as Jon Arnold recognized, Karisny was all three – moderator, speaker and audience – helping to execute the Summit with so many stranded participants.

With all present parties pulling together, discussion such as building a strong grid foundation; power transmission and distribution; the growing voice of the customer; smart home killer apps, rural smart-grid opportunities, electric vehicles and public vs. private smart-grid networks continued with immense success.

Jaclyn Allard is a TMCnet copy editor. She most recently worked on the production team at Juran Institute, a quality consulting firm producing its own training and marketing materials. Previously, she interned at Curbstone Press, a nonprofit publishing press in Willimantic, CT, and fulfilled the role of Editor-in-Chief for the literature and arts journal published by the University of Connecticut. To read more of her articles, please visit her columnist page.

Edited by Jaclyn Allard

2011-02-05T13:21:00.006-05:00

Smart Grid Security: Generally Speaking, the World Doesn't End

January 24, 2011 By Larry Karisny

An interview with Andy Bochman, energy security lead IBM Software Group/Rational, and editor of the Smart Grid Security Blog. Article courtesy of MuniWireless.

Karisny: There was a recent article in SearchSecurity titled, “IBM predicts rising mobile threats, critical infrastructure attacks in 2011." Are you sharing the same feelings of when, not if, it comes as it relates to a major breach of our electrical power grid?

Bochman: My focus in the last several years has been almost exclusively on critical electrical infrastructure, to include the current grid as well as the few dozen spots where the emerging smart grid is starting to show itself. The grid is so large and so complex that it doesn't take a Nostradamus to predict successful attacks on it in any coming year, especially as one of the primary enablers of new smart grid functionality involves massively interconnecting systems that were previously protected, at least in part, by their isolation.

2010 saw a very single-minded Stuxnet penetrate, but not disrupt, many enterprises with industrial equipment, including the military and utilities. More broadly aimed variants of Stuxnet may in the works, or in the wild already. But I don't necessary forecast extraordinary trouble, as the promulgation of fear, uncertainty and doubt (FUD) doesn't help anyone. Some security professionals like to put folks into fetal positions with scare stories. But I prefer to remember what my broker tells his clients during downturns, "generally speaking, the world doesn't end."

Karisny: We have seen a multitude if IEEE standards, different directions NIST, FERC and NERC, and organizations like Grid Net and GridWise Alliance positioning for the multi-billion dollar power grid security market. With all this posturing does there seem to be any agreed-upon direction as to security models suitable for what you earlier called in a Huffington Post article CIP or critical infrastructure protection?

Bochman: I'd say that even though it's only a set of high-level guidelines, the embryonic NISTIR 7628 has the broadest fan base so far. I could be very wrong, but my sense is the NERC CIPs won't be with us for the long run. No one seems to value them. We're waiting for practical implementation guides from the NIST CSWG teams in 2011 before state PUCs and other U.S. and international grid security standards groups can point to 7628 as something approaching implementation-ready. As for enforceable standards, well, that's the GAO's primary complaint re: FERC. And FERC can't fix that -- only Congress can.

Karisny: There were big mistakes early on with smart meters security and now even questionable security in using ZigBee wireless network for the home Area Network (HAN). What was done wrong and how can we move forward on securing the demand side part of the smart grid?

Bochman: As the smart meter article noted, "Prominently missing are signed and encrypted firmware, secure (smart card) chips for key storage, unique cryptographic keys, and physical tamper protection." These omissions (and others) were symptomatic of the root cause: a rush to deploy ahead of firm best practices, security standards and business models. Some security pros may question my response, but I'd say we need to slow down a bit, breathe, review what we've done so far and check for gaps, before locking in standards, encouraging vendors to build to those standards, and encouraging utilities to deploy Smart Grid components in significant numbers. And yes, with millions of Smart Meters already out there, I realize this is a somewhat belated point!

Karisny: With all the complexity in security do you see any simple and economical solutions available?

Bochman: Not really. While the impulse to simplify is a good and desirable one from a business point of view, I'm afraid we're going to have to meet the complexity of the smart grid with complex security solutions. That said, some tried and true security tenets bear repeating:

Defense in depth
Least privilege
Need to know

And this: in case those three don't work every time - have plans B, C and D tested and ready

Karisny: Is there some kind of new solution that can be started with migration paths to future security solutions?

Bochman: Sure, though it's clear that many "future proofed" solutions bring with them added risk. Let's say you want to make your smart meter (or any other smart grid device) software remotely upgradeable so you can add additional functionality or fix security problems on the fly and en masse. Remote control functionality always opens additional pathways for attackers, should they be clever enough to subvert whatever controls (or their lack) to prevent unauthorized access and use. For practical reasons, though, upgrade-able software and firmware is the only game in town, as fully manual updates to hundreds of thousands or millions of devices at a time would take a small army many months or years to accomplish.

Karisny: With all the guide line direction being given by a variety of organizations, is here any place to prove out these security solutions in an actual field test settings?

Bochman: Sure, and it's happening right now, in dozens of pilot deployments already under way, with many more slated to begin in 2011 and 2012. In addition, several universities (see: the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG)) and DOE national labs like PNNL, INL and Sandia are doing substantial research involving security, often using test beds that simulate field conditions.

Karisny: With threats now of fines and security assessments taking place, do you see power companies getting serious about grid security in 2011?

Bochman: This is a tough question to answer without a qualification first. If you equate heightened NERC CIP compliance activities with "getting serious about security," then the answer is yes. However, one of the primary critiques of the CIPs as currently constituted in version 3 is that they are less than tightly aligned with the goal of making utilities demonstrably more secure against cyber threats. Some utilities complain that CIP compliance activities divert human and financial resources that could have been used to improve their organization's actual security posture. Some say the CIPs have increased security awareness and are helping. The ground truth is likely that both are right.

Karisny: You have early on spoken in smart grid panels and have been a key speaker in various smart grid conferences. Is there any underlying security issue you have come away with when participation in these events and what are you upcoming speaking engagements?

Bochman: For me, the number one takeaway from the 2010 conferences was complexity. Trying to get our arms around the very many pieces of smart grid security challenge, including old and new technology, evolving business models, standards and guidelines, workforce awareness and training, the shifting threat landscape, recovery and survivability strategies ... it's just a heck of a lot to hold in main memory. But without consideration and attention given to all these things, you're not really doing the job.

I'll be a panelist at the Jan 31 FERC Technical Conference on the Smart Grid Interoperability and Security Standards. Will also speak at a few conferences over the next several months. Right now those likely include:

Smart Grid Security East
GTM's Networked Grid 2011
Gartner Security & Risk Management 2011
CleanTech 2011

Karisny: You have the most popular blog as it relates to smart grid security. What are you hearing from those who following your blog?

Bochman: Mostly a hunger for more and better knowledge, especially among folks who are new to the domain. That includes cyber security pros who want or need to learn more about the electric sector, and utility personnel who need to get smarter on security issues and approaches. The blog exists to serve the community by facilitating knowledge transfer and letting folks know about upcoming events like new legislation, standards, conferences, best practices and lessons learned, etc. And so far, according to the feedback I get from (usually) happy readers, it seems to be working pretty well.

Karisny: What are your 2011 forecast in critical infrastructure protection deployments and research throughout the year?

Bochman: With so many balls in motion, it promises to be a thoroughly exciting and challenging year in the smart grid security space. At IBM, we're putting the finishing touches on a white paper that considers the current and possible future of smart grid security standards. When that's done, I plan to help advance work begun last year on EV and V2G security. We've been getting a lot of questions on that topic the last few quarters and that may very well become a 2011 white paper as well.

2011-02-05T13:10:00.003-05:00

Who Owns Smart-Grid Security?

December 8, 2010 By Larry Karisny

Bob Lockhart is an industry analyst with Pike Research, which just released a study of smart-grid security. This article courtesy of Muniwireless.

Q: Who do you see as the responsible party for securing the grid; power companies, third-party security vendors or government entities?

Lockhart: In countries where the power grid is a government monopoly it’s pretty straightforward. In the USA however, there is no responsible party for securing the grid. Lots of organizations have a say but no one “owns” security of the smart grid. Some have tried to put NERC in that role but NERC’s remit covers generation and transmission. Most of what constitutes the smart grid happens in distribution, which today is outside NERC’s scope.

NIST has published some very good standards for Smart Grid security including the recent NISTIR 7628 series but they remain only standards. The Bulk Electric System has nothing analogous to HIPAA for health care information or PCI DSS for payment card processing. Compounding the issue, there is a fair amount of personally identifiable information (PII) flowing through smart-grid management systems. That PII comes under the jurisdiction of personal data privacy laws, but we have no national privacy legislation -- each state has its own laws.

Q: Where are we today when it comes to securely adding intelligent infrastructure to our utility and power grids?

Lockhart: Behind and losing ground. As with nearly every technology, the focus in smart grids has been to get it working, then later realize that security is an issue. Two dynamics make this even worse: first many security providers have equated smart grid with smart metering, ignoring the major innovations necessary in distribution automation and substations. Second, there has been precious little attention paid to security of industrial control systems (ICS), such as SCADA, some of which are so old that they are still analog. Since most information security experts have an IT background they do not understand that IT security solutions may not work and may actually disrupt an ICS network.

Q: With billions already awarded in federal grants and billions more put in by the power companies, where are all the smart grid projects?

Lockhart: In my analysis I only looked at smart grid cyber security projects of which there are precious few being funded by ARRA, though there are some. In the case of cyber security it is often difficult to credibly forecast an ROI -- after all an effective security program is one that you never see. So given funds to invest and an enterprise’s need to justify the investment via some measurable return, many are going to minimize security spending unless it’s necessary to comply with a regulation such as NERC CIP.

Q: What is the best start for securing the grid network infrastructure today? Is it just a process of add as you go?

Lockhart: It’s the same as securing any other environment. You start with an assessment of risks against most valuable assets and prioritize security investment based upon the results of that assessment. Some of the quantitative risk assessment methods can take years to reach completion and are not realistic for the current situation but there are qualitative techniques that yield useful analysis in a relatively short time. The keys to success are getting a complete asset list and fully understanding risks to each. Again there can be problems if no one involved in the assessment truly understands industrial control systems.

So it’s not really possible to say, for example, that every utility should immediately upgrade its identity management capability or deploy security event management. Each situation will be unique and requires someone to seriously think about what is at risk and what needs to be done.

Q: Some people are saying we should be addressing the transmission and distribution side of the grid first before the demand side. What do you think about that as it relates to security?

Lockhart: Well ideally security would be integrated as part of whatever smart- grid projects are undertaken by a utility. If it’s smart metering, then securing consumer data and resiliency in the networks should be part of the project. Those are much more expensive to bolt on later. Likewise if it’s updates to the distribution grid, maybe smarter transformers, then secure communications and other measures should be built into those projects as well. So the ideal situation is that security rides along with smart grid projects as undertaken by the utility. When that doesn’t happen, then you have to go back to the security risk assessment discussed above, and address the risks as prioritized, maybe taking some low hanging fruit early on -- simple measures that can be implemented quickly and with little expense. Early success in a security program can bolster it immensely within an enterprise.

One area of security that gets too little attention in smart grids is employee awareness. It is critical for employees of utilities, systems integrators and other involved entities to understand what security is implemented, why it is there, and their responsibilities to support it. This requires a proactive education program. Whether we’re talking e-mails, Web courses, or stand-up instruction matters less than that the points are gotten across to the workforce.

Q: Is here a one-size-fits-all security approach or is layer security going to be the rule of thumb for the grid?

Lockhart: Again, countries with a government monopoly grid can take a one-size-fits-all approach. On the down side for them, that implies that a single attack against their entire national grid could be successful and there is probably a single point of attack for that grid. Here in the USA we have over 3,200 utilities -- some with millions of customers, others with a few thousand. So obviously they are not going to all be running on the same infrastructure and therefore the same security approaches will not work for all. It is not unthinkable that some smaller utilities will end up clients of service providers running cloud computing environments. Those will probably be private clouds, but still a centralized, third-party cloud. Personally I think that’s a good thing because small enterprises cannot afford as sophisticated security as a large-scale integrator of clouds will implement.

In either case layered security or defense-in-depth will be the preferred solution. In my studies and work with clients I’ve been emphasizing not only the need for well-known network and endpoint security controls but also that networks need to be resilient. Whether we’re talking smart metering or ICS, endpoints and central systems need to be able to survive several days or maybe weeks out of contact with each other.

Q: Are there already lessons learned from mistakes and some solutions found?

Lockhart: What I’ve seen is more an evolution of increased protection rather than a grand disaster followed by a step change in the level of smart-grid security. There is still quite a bit of disunity among the smart-grid community as to how bad things are or are not. That suggests to me that nothing truly terrible has happened to galvanize the industry. In my research when I ask how bad things are, answers range from no problems at all to critical.

But most of the lessons learned that I’ve seen are straightforward: better ways to identify and prevent fraud, nearly everyone understands the importance of encryption, and there is a slowly dawning awareness that the security-by-obscurity approach that protects most SCADA deployments is not going to be effective. But I do see more targeted point solutions than overarching grid-security programs.

Q: Is Stuxnet the warning shot of more cyber attacks and just how bad could thins get as it relate to our power grid?

Lockhart: Slammer and Blaster, each 7-8 years ago, should have been warning enough -- even if they were not directly aimed at grids. I recently blogged Stuxnet and I think the security community has its head in the sand. If my analysis is correct then Stuxnet was developed late in 2007 or early in 2008. We security experts call Stuxnet state-of-the-art because we arrogantly think we know everything that’s happening, but we don’t. The Stuxnet code and attack could be three years old -- that’s two iterations of Moore’s Law. If true, then things probably have already gotten much worse than we understand. We’re just blissfully ignorant of how bad.

Q: In summary, where we are today as it relates to the smart grid? Where do we need to be in a fast track short-term solution and what do you think the future of smart-grid security will look like?

Lockhart: If Stuxnet is any indication, then the serious attackers are way ahead of us and can pretty much operate with impunity. Less sophisticated attackers may be able to hold a grid to ransom if it is not well protected. Some security vendors seem focused on finding problems that suit their existing offerings rather than seeking how to protect our grids, although there are some exceptions. One utility complained to me, “If one more security vendor walks into my office and asks me what keeps me awake at night…”

Here in the USA our patchwork grid may protect us for some time to come. I’ve asked several utilities and smart-grid experts if an attack could wipe the entire U.S. electrical grid. The common answer has been something like, “If only we were actually that well integrated. But no.” Still, any one grid could be successfully attacked so no one can really rest.

It’s hard to prioritize remedies outside the context of a risk assessment, and that’s going to be unique for each utility. But if I had to prioritize anything in general I’d look at better resiliency throughout networks -- both IT and ICS. And I would like to see IT and operations staffs at utilities work together more effectively. I can’t see any other way to get a whole-picture view of the grids and what really needs to be done.

Unfortunately we may see continued selling of point solutions for quite some time to come. There are people taking a holistic view of smart-grid security, including some utilities’ chief security officers, systems integrators, and even some of the smart-meter manufacturers with their bundled solutions. However there is quite a bit of point selling going on out there. Utilities expect a meter -- smart or otherwise -- to have a service life of 20 years. What is going to happen in smart metering when that expectation collides with Moore’s Law? Certainly that could drive another round of point-solution selling.

2011-02-05T13:09:00.003-05:00

Will Security Start or Stop the Smart Grid?

November 18, 2010 By Larry Karisny

With billions of dollars of public and private smart-grid investment in place and billions of dollars in network hardware and software in forecast shipments, will the smart grid be stalled by security concerns? Current smart-meter deployment trends and reported security breaches seem to point toward the possibility. In fact a recent Pike Research report “Smart Grid: 10 Trends to Watch 2011 and Beyond,” states that “security will become the top smart-grid concern” rating it number one the 2011 grid trends.

Making the Dumb Grid Smart
With all due fairness, the power and utility companies had a difficult start when it came to securing the smart grid. Their basic network grid topology was built on stand-alone facilities offering limited if any interactive networked intelligence from the substation, distribution and transmission side with even fewer capabilities on the user-demand side. With limited network capabilities in place, power companies pushed to offer end-user network intelligence for every user on the demand side of the grid.

This approach may seem backwards for most network and security people, but was necessary to quickly show smart-grid utility ROI and power generation savings. The basic demand-side theory was that if you could gather intelligence from the power grid demand side first, you could immediately reduce peak load consumption offering tremendous capital and raw material recurring savings. The problem was that these end network communication devices were rushed out without sufficient security and breaches became evident.

Consider this power-grid communication infrastructure, and then try to securely deploy an interactive network to a real-time database connected to every electricity user. Quite a daunting task.

Security Breaches Confirmed and the Criminal Element Defined
Security breaches in power plants have now been documented and the recent Stuxnet attacks have been called “without precedent” and “a game changer” by Sean McGurk, head of the Department of Homeland Security's Cybersecurity Center. Pike Research reported, “The technical analysis on Stuxnet continues, and it appears to be a very sophisticated attack not aimed at the electrical infrastructure. But if nothing else, the threats security experts have been warning of for years have now moved from theory to reality. Since the industry is taking greater notice, especially regulators and government (including the U.S. Congress), utilities will need to determine what cyber security measures are required -- even as standards and regulations are still evolving.

(graphic) Source: Symantec

Network intrusion detection experts like Josh Wright from InGuardian early on confirmed smart-meter security vulnerabilities and now have detected vulnerabilities in wireless Zigbee systems that are targeted to be the premier network technology in smart-grid Home-Area Networks (HAN). In his recent presentation the Killer Bee, Practical ZigBee Exploitation Framework, Wright clearly demonstrated current Zigbee security concerns in a variety of smart-grid end user devices.

These vulnerabilities and need corrections were further documented in another Pike Research report, Smart Meter Security. The report assesses the security risks to Smart Metering, using ISO 27002:2005 as a baseline to identify topics for consideration. The study reviews Smart Metering against all 11 security clauses of ISO 27002:2005 to identify six key security opportunities including event correlation improvements, security software on meters, identity management and authorization, network resiliency, meter worm prevention, and end-to-end data encryption.

With known vulnerability, who wants to hack the grid anyway? Mike Ahmadi -- organizer of the Smart Grid Security East Conference and vice president of operations for the security firm GraniteKey -- targets the accessibility of data then adds volume to dollars in a formula that will attract organized crime. “I think about this a lot when I consider smart grid technologies, as well as health-care information technologies. As these technologies grow we are going to see new sources of information emerge, and in our inherent somewhat lackadaisical manner of dealing with security at the decision-making helm of our corporate culture, we will create plenty of early opportunities for aggregation and inference. The quicker an attack leads to cash for the attacker, the greater the likelihood that the attack moves from theory to reality."

He goes on, “This is, however, only part of the theory. The other part has to do with volume. For organized crime to get involved, the volume needs to be big enough to take the risk. Remember, organized crime is just as concerned with risk as corporations are. Therefore a quick path to cash that does not include a large enough volume is not necessarily a win for organized crime.” The smart grid certainly qualifies the volume requirements.

Big-Time Security and Big-Time Bucks

For every problem there lies opportunity which is clearly documented in Pike's smart-grid security revenue projections. With opportunities come different approaches and major companies and even smaller companies are offering their opinions on what the appropriate methodologies are when addressing smart grid security.

Grid Net just released a white paper “Assuring a Secure Smart Grid,” which opens with: “To build a secure, resilient, mission-critical smart-grid network, utilities require technology that is secure, reliable, and self healing. The growth of the Smart Grid and the advanced security technology will necessarily go hand in hand. The electricity grid is the foundation infrastructure on which rests not only economic performance, but also public and personal health, safety and welfare. Without robust security in place, the Smart Grid will not -- and should -- be built and deployed.”

By applying over 40 standards, Grid Net's approach to smart-grid security is “multi-layer.” The core architecture delivers an end-to-end secure solution, which begins with PolicyNet SmartNOS and Smart Grid devices (smart meters, routers, inverters and customer devices), proceeds to data encryption for both data storage and data transport on the network, and concludes with PolicyNet SmartGrid NMS at the Utility NOC. The PolicyNet software suite is based on three foundations -- Architecture, Process, and Response -- that take a “defense-in-depth” approach to security to provide robust end-to-end security.

SmartSynch came out with a hardware solution called the GridRouter which is a smart-grid solution that serves as an IP-addressable, external interface offering WAN, LAN and HAN connectivity to a variety of smart grid devices. The GridRouter acts as a wireless pipe capable of transmitting and receiving data over public wireless networks using Internet-based or other open standards. Through the GridRouter and its use of public wireless networks, utilities can quickly and affordably spot-deploy smart-grid applications, including load profile and control, power quality monitoring, distribution automation, and standby generator control. The GridRouter also enables utilities to support homeowner-focused smart-metering programs such as demand response, demand-side management and real-time pricing. It uses an IPsec Security Platform using Public Key Infrastructure (PKI) VPN Subtunnels to Connected IP end-devices with Digital Certificates and AES 256-bit Encryption connecting VPN Tunnels to Each GridRouter Port.

WirelessWall offers a standards-based, FIPS 140-2 solution to securing at Layer 2 with a unique approach -- implementing an IEEE Robust Secure Network for everything. According to CTO Phil Smith, “WirelessWall is elegance through simplicity. It can best be described as WPA2-Enterprise in software (AES 128-bit CCMP, 802.1x and EAP-TTLS mutual authentication).” Billed as a high-throughput and lightweight encrypting firewall, a central part of the WirelessWall advantage is providing uniform security across multiple domains which in the case of Smart Meters, would be HAN (Zigbee) and backhaul (Wi-Fi, WiMax, broadband, Mesh, etc.). Smith goes on to say, “without WirelessWall, it is like the Tower of Babel. Management complexity makes it operationally infeasible and cost prohibitive to use different security methods for each type of network. Inconsistency and complexity lead to vulnerabilities. Our strength is securing end-to-end at Layer 2 to provide cohesion, uniformity and interoperability."

FYRM Associates offer a completely different approach in addressing smart-grid security needs. Tony Flick has worked for over eight years in the security industry and is currently a Principal with Tampa-based FYRM Associates. In his book Securing the Smart Grid, Flick says a different approach needs to be taken in addressing smart grid security.

“A secure smart grid can be implemented through effective security controls," said Flick. "By focusing on security controls, rather than individual vulnerabilities and threats, utility companies and smart-grid technology vendors can remediate the root cause issues that lead to vulnerabilities. As history has shown, these security controls are much more difficult and sometimes impossible to be added on; they need to be integrated from the beginning to minimize implementation issues. Additionally, new threats and attacks will arise and thus, the operating effectiveness of the implemented security controls must be assessed on a regular basis to ensure smart grids are protected against the ever-evolving threat landscape."

Conclusion
Every security approach has advantages and disadvantages. Some have complexities that will add cost to development and product while others may put loads on the network that can affect recurring cost in bandwidth and potentially unacceptable network latency. Some may be simple but are only part of the required solution while others will require continued upgrades.

Security solutions may differ, but the clear message in the smart grid is to get effective security deployed and get it deployed now. With billions of dollars in deployments on hold there must be a concerted effort to fund immediate, short- and long-term security solutions for the smart grid or the smart grid "ain't gonna get smart any time soon."

2011-02-05T12:51:00.008-05:00

GridNet: A look under the Smart Grid Hood
September 10, 2010

By
Larry Karisny

"Our goal is to become the leading provider of universal smart-grid operating systems for any device and any broadband technology." -- GridNet Founder and CEO Ray Bell (pictured).

Google the words "Smart Grid" and you will get more organizations and explanations than you may want. From government policies to standards groups to organizations to new publications, everyone seems to have an opinion of what the smart grid is suppose to be. The Wikipedia definition is: "A smart grid delivers electricity from suppliers to consumers using two-way digital technology to control appliances at consumers' homes to save energy, reduce cost and increase reliability and transparency. It overlays the electricity distribution grid with an information and net metering system."

An organization called GridNet has envisioned the smart grid as smart devices everywhere, to manage energy resources. It says that soon, there will be a connected broadband real-time, all-IP network of “smart” devices from substation infrastructure to distribution infrastructure, to meters exchanging information and price signals with buildings and homes equipped with distributed generation (e.g. solar PVs), energy storage, smart devices/appliances, and electric vehicles to enable utilities and their customers to optimize energy resources and consumption. So what does this all mean and is GridNet the answer to the constantly evolving architecture of the smart grid.
To get a better answer I had the opportunity to interview Ray Bell, Founder and CEO of GridNet.

Q: The Smart Grid seems to mean a lot of different things to a lot of people. Can you define what it means to you?

RB: It is the seamless integration of a power grid, a communications network, and the necessary software and hardware to monitor, control and manage effectively and efficiently how we create, distribute and consume energy in homes, offices and the transportation industry.

Q: How do you define GridNet as an organization as it relates to supporting the needs of the smart gird?

RB: GridNet delivers the first and only Universal Smart Grid Operating System for any device and any broadband technology.

Q: The initial focus of the smart grid is on the demand side. Some people think this may be the cart before the horse. Why demand side first?

RB: We are focused on both the supply and the demand. In fact, today there are many more benefits to achieve on the supply side. The demand side is about the customer, which is why many people are focused on it. It is a journey. The adoption of innovation will take time. The key elements for the solutions to choose are real-time communications (e.g. broadband), full Internet protocol support, and government-compliant cyber-security standards. Anything less than those three means a poor choice.

Q: There are two thoughts on how the demand-side smart grid will be run; by the power company or by the customer. Which do you think will ultimately control energy consumption and savings?

RB: We believe in an open market with multiple choices for customers -- by the serving utilities and independent energy services providers. Customers will need the best value and services possible while maintaining data privacy and security.

Q: GridNet partners seem to be a who’s who of smart grid industry players. How have these companies been selected and how do these companies collaborate in building the GridNet model?

RB: Our strategic investors and key partners are Intel, GE, and Cisco. In addition to them, we have partnerships with Telecom Carriers (Clear, Sprint, Seven, Austar), Software Companies (Oracle, eMeter, EMC), Original Device Manufacturers (Motorola, Samsung, Huawei, Mitsubishi, Freescale, Beceem, PowerSense), and Systems Integrators (IBM and Logica). We are very focused on top-tier partners. There are more to come.

Q: You have recently announced the entry of Oracle as a GridNet partner. What does this mean to your organization?

RB: Together, Grid Net and Oracle Utilities have complete solutions for utility customers. The combined solution will operate on a common data model and integrate easily with Oracle Utilities products providing utilities with a wealth of information that will help them improve network performance and customer satisfaction. This partnership accelerates our go-to-market significantly.

Q: GridNet is being called the salvation of WiMax. What is the fit between WiMax and the Smart Grid and will this save WiMax?

RB: We believe that 4G wireless technologies deliver the capabilities and services for customers and utilities to realize the dream scenario of real-time, all-Internet protocol, scalable, reliable, clean and affordable energy for all. WiMax and LTE (Long Term Evolution) share very similar attributes. We support both 100 percent. And we also support 3G.

Q: There is a lot of concern about security when it comes to wo-way interactive smart-grid communications. Issues with smart meters have already confirmed security problems on the smart grid. How is GridNet planning on addressing these security concerns?

RB: Our security technology is second to none in the world. It is the only end-to-end NIST, NERC CIP, and FIPS compliant solution for the smart grid available today. Grid Net’s approach to Smart Grid security is “multi-level/multi-layer,” which is why our smart-meter and smart-router technology contains secure data encryption, and secure data transport via secure broadband communications networks. Moreover, we are committed to continuous standards-based innovation, to ensure that succeeding generations of our solutions will contain the latest security enhancements and improvements.

Q: With over 20 major partners, is there still a piece to the GridNet puzzle that you are looking for?

RB: Our goal is to become the leading provider of universal smart grid operating systems for any device and any broadband technology. Hence, we have barely begun. Stay tuned.

Q: Can you give us some predictions on where the smart grid is going and when we some of its benefits will be recognized?

RB: Broadband smart grids will dominate. We believe in open markets and multiple offerings for customers powered by open standards-based solutions that enable efficient and effective secure, scalable, reliable, clean and affordable smart grids.

With a lot of people going a lot of different directions and regulations and standards surrounding the smart grid, GridNet just may be the organization that will rise to the occasion by just doing it. They have the corporate clout and top industry professionals to get the job done, but can the rabbit beat the tortoise? It will be interesting to watch GridNet and see if just plain corporate ingenuity can win over slow-moving government and power-company bureaucracy and regulation

Securing the "Internet of Things"

2010-09-09T18:14:00.004-04:00

Aug 26, 2010, By Larry Karisny

Reprinted courtesy of MuniWireless.

If we are going to live in a wireless Internet-connected world, we need to secure it first. Intel’s recent $7.68 billion acquisition of McAfee highlights just how important this will be to the future of Internet-connected mobile devices.

Current research estimates 5 billion Internet-connected devices later this month growing to 22 billion devices by 2020.
By adding an Intel/McAfee chip/software security combo, an additional layer of security could be offered in a more robust and manageable solution, that can react quickly to new security threats while maintaining interoperability. As an example, a multitude of network wireless access points have followed 802.x standards for several decades. These standards have not only offered vendor-agnostic backwards capability but leveraged these standards when upgrading security platforms. Just like wireless network access points, security needs to be interoperable and standards-based.

With billions of devices out there, the typical computer OS stack doesn't exist in the same way, and security will be a big problem. In fact these Internet-connected devices are not computers but small processors doing low-power functions. Your security overhead may be too big to fit in the processor. This was a terrible security lesson that was learned when deploying smart meters for the power grid.

The list of players pursing the smart-grid market is like a “Who’s Who” of the biggest companies in the world and Intel is no exception. In fact they are a major contributor to GridNet an industry consortium focusing on the smart grid. This smart grid target market not only offers billions of dollars in chip and security solutions but also is a good opportunity to learn from smart meters. Frankly if security issues with smart meters are not fixed first, it may stop Intel from securely connecting billions of Internet-connected home area network devices to the smart grid.

A recent report from Pike Research offered some sobering comments on just how important this is. “It would be naïve to think that smart meters will not be successfully attacked. They will be,” the report states. “In fact, smart meters represent a worst-case scenario in terms of security: the devices lack sufficient power to execute strong security software; they are placed in physically non-secure locations; and they are installed in volumes large enough that one or two may not be missed.”

“Smart meters are one of the weakest links in the smart-grid security chain,” says industry analyst Bob Lockhart. “Home area networks, commercial building networks, and utility networks all perform well in terms of keeping data encrypted within their domains. However, these domains terminate at the smart meter, and the only way for data to pass from one network to the other is for the smart meter to decrypt the data from one side and re-encrypt it on the other. Consequently, the data are, for a short while, unencrypted on the meter and could be successfully eavesdropped.”

Without adding needed security, Internet–connected devices could offer entry into the smart grid potentially turning remote power on or off through the network connection or by way of a worm that could affect the millions of smart meters and billions of wireless Internet-connected devices. This may seem like a showstopper but there are actually ways to offer high-end security with low overhead through layer 2 security technique.

A good understanding of layer 2 security is offered by Australian-based Senetas in its white paper describing the attributes and differences as it relates to today’s security models. Swiss-based InfoGuard explains layer 2 advantages as secure data transfer without any restrictions, no overhead, minimal latency and easy network integration and configuration. U.S.-based WirelessWall actually deployed this layer 2 security solution almost 10 years ago addressing similar eavesdropping issues between military field soldiers in Iraq when connecting end devices to short-range communication radio access points.

Just like today’s smart meters and Internet-enabled devices, the military application was faced with the need for high-end security with low device overhead. In addition they needed to be vendor-agnostic and be able to cloak existing network security. WirelessWall now offers this same capability to the commercial marketplace. Clearly, attributes of layer 2 security will have their place in the wireless Internet-connected device market and may be an immediate solution to a big problem in today’s smart meters and tomorrow’s wireless Internet-enabled devices.

It is great to see Intel is taking security seriously with the potential acquisition of McAfee. This is a start of being upfront about security and security not being second to product release. This is the type of responsibility we need in a world that will be connected by billions of Internet-enabled devices that will affect everything we do on a daily basis. Add a few missing links to the security model and Intel is in the security business.

Larry Karisny is the director of Project Safety.org and a consultant supporting local wireless broadband, smart grid, transportation and security platforms.

Who Will Build the Smart Grid?

2010-07-28T16:40:00.001-04:00

Story reprinted with permission of MuniWireless.

There should be some interesting conversation at the Smart Grid 2010 Summer V-Summit this month, following announcements of $200 million in funds to improve the way we create, connect and use power; plus the federal government's entry into critical infrastructure security dubbed the “Perfect Citizen Program.” It is clear that smart-grid momentum has started and will continue to move forward. Finding ways to securely and efficiently improve global power production and distribution is an ongoing process.

We do need a little creative imagination while recognizing the realities of current smart-grid infrastructure and security. For example, power company engineers have sometimes said that a smart meter design under regulatory cost guidelines needs to last at least 15 to 20 years while software engineers warn that home area network application software will change every six months. R&D engineers have said that it will be 10 to 15 years before we have the technologies and infrastructure to deploy smart grids and yet a few small cities have already deployed smart power and utility systems and are already using the same infrastructure for other city services. I have never seen such a swing in views. However, there is a common point of agreement: Smart-grid efficiencies will be achieved with or without stimulus funding.
To understand why there is such a disparity in thinking when it comes to the smart grid, I would suggest looking at the diagram on the Office of Electricity Delivery and Energy Reliability site. When participating in professional smart grid discussions I found, in the same group conversation, one person talking about technology and another talking about policy and regulation. Power companies look at things one way, consumers and environmental groups another, with policymakers sometimes bringing everything to a halt. There are specific solutions that support the progress of smart grid, and to employ them, it may be time for a fresh look.
The smart grid and the solutions to its successes are not simple. So it's essential to find someone who has already done what you are looking for and also to find a consulting and real-world integration group that has practical experience in the subject.

You Can’t Just Switch on the Smart Grid

I have done a lot of upgrading from legacy communication networks to digital IP networks and it’s a lot easier to build a brand new IP network than to interface dissimilar legacy technologies into one homogeneous network.
In a recent Smart Grid Alliance webinar Doug Preece, utilities industry specialist from Capgemini, summed up just how big and complex the opportunity is. He referenced the SmartGrid.gov site as a way to track the billions of grant awards already released by the Smart Grid Investment Grant (SGIG) program. In fact there is so much work to be done Preece stated that there would be “a tremendous draw on resources across the industry, vendors and service providers,” and that “there in no lack of opportunity.”
Dave Malkin the policy manager for GE Energy has been following a variety of issues as they relate to the smart grid. One of the top policy issues he is tracking is cyber security policy. "Cyber security has been a hot button in Congress for months now” said Malkin. He addressed his concern on how current cyber policy passed by Congress could affect the smart grid. He agrees that we need to, “effectively address real-world smart-grid cyber security threats but not in a way that might stifle smart-grid innovation investment.”
As smart grid policy and technology discussions continue, the small city of Rock Hill, S.C., already decided to start a municipal wireless network a few years back. With the network technology designed by Tropos Networks, the city of Rock Hill is an example of a municipally owned and operated utility that initially deployed the network for smart meters -- power and water. Today, the citywide wireless broadband mesh network is helping other city departments improve efficiencies, customer satisfaction, public safety and billing accuracy, while significantly reducing operational costs.
”The city of Rock Hill incorporated wireless broadband as part of the city’s strategy to build a multi-use communications foundation. This is a great example of a community that started out with a much smaller plan focused on modernizing and improving utility services and expanded their vision to one which has produced long-term benefits for the community, ” said Denise Barton, marketing director, Tropos Networks. Building the Smart Grid is a major undertaking but the answer may be "just do it." In previous articles I disclosed security concerns from industry professionals in today’s power grids with solutions in place developed in military and DoD applications that have direct and immediate application to the current smart-grid security problems. What we did in security is a good model of what we need to do now when transforming our global power grids.

With billions in stimulus grant released and GE Energy offering $200 million in venture capital to small businesses, there is a clear message. We are dong this and we are doing this now. We need to use what we have today in immediate deployable technologies while finding migration paths from the old power grid infrastructure to the new smart grid. Big government, big business and small business will be working together addressing critical global energy needs while creating jobs. Count me in.

Larry Karisny is the director of Project Safety.org and a consultant supporting local wireless broadband, smart grid, transportation and security platforms.

The Smart Grid Needs to Get Smart About Security

2010-07-28T16:32:00.002-04:00

"Hacking" a smart meter or an entire grid requires no physical access -- just access to the same Internet connections used to manage the network. Reprinted with permission of MuniWireless.

With all due respect to the power companies, why should they even know how to spell IP? Their history in communications was to build stand-alone power facilities and substations connected with point-to-point microwave communication links (many times upgraded to their own dark fiber point-to-points). With this kind of money and private network capabilities, why would you ever worry about security? You lived on you own island with your own power and communications grid and everything was just fine.

Then came the smart grid. By definition, the smart grid requires a two-way digital technology to control appliances at consumers' homes to save energy, reduce cost and increase reliability and transparency. A big change for power companies and admittedly a whole new learning curve with many power companies like PG&E setting up their own test labs to begin learning this. (See Inside PGE's Smart Grid Lab -- Chris Knudsen, director of the technology innovation center at PG&E, shows what they're tinkering with).

Utility Meter

It didn't take long for problems to occur. Again, you need to understand that even smart meters were just dusted off 20-year-old designs that were lying around waiting for someone to push the power companies into the 21st century. These designs were never meant to securely send and store data real time. It wasn't long before serious security issues were found and were reported by respected security firms like InGuardian and IOactive. And we are not talking about someone hacking your PC. When it comes to the power grid, the costs of remote hack attacks are potentially more dramatic. "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC," said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco. So now with little knowledge of the Internet and security the power companies have billions of dollars of grants in hand with one big problem. The grants mandate an iron-clad security platform.

To add to the smart-grid security problems some people think the power grid is the main target in the new battle in cyber wars. Richard Clarke, the former federal anti-terrorism czar, has now turned his attention to a new national security threat, putting an attack of the power grid on the front lines. In a recent Newsweek article, Clarke was quoted as saying, "The U.S. government, [National Security Administration], and military have tried to access the power grid's control systems from the public Internet. They've been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That's the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures."

So what can we do to secure the grid now while upgrading it to smart-grid capabilities?

Ed Smith, CEO of WirelessWall has one word, "Attack." Having a military background he understands that you begin an attack by crippling an enemy's communication and critical infrastructure. His civilian background has a long history of situational crisis management, using rapid response teams to facilitate the successful conclusion to crisis situations. Armed with security that exceeds the DoD 8100.2 (DoD Directive on wireless security) and FIPS 140-2 End-to-End Security that was developed for the U.S. Navy to provide secure, mobile shipboard networks, Smith knows he has an immediately implementable data security solution that is simply not being recognized.

"People in the civilian sector are not upgrading their security for business reasons, basically to save money, not for security reasons," said Smith. "That can be tolerated if you are protecting data that involves a loss of money, but it is inexcusable when the lack of protection of data involves the loss of life. Let there be no doubt that an attack on critical infrastructure is an act of war and it is absolutely appropriate to use an available military solution to protect civilian lives.

"We can't afford not to put good enough security in our power grids," continued Smith. "My company has offered our platform of higher security to VISA and others in the financial industry and made it clear that the retail industry POS terminals Data Security Standard (PCI DSS) has already been hacked, but nothing will be changed unless there are more attacks that cause greater losses. The PCI DSS standard will have to be raised, and ultimately will, but the smart power grid protection has to be implemented now."

Like the old David and Goliath story, the power companies need to start embracing smaller company expertise and leverage their learning curve. Like the security story of WirelessWall, the expertise of how to build these wireless network platforms resides in the companies that have had their products tested in real-world municipal, public safety and military environments. Companies like Tropos Networks, Trillium (SkyPilot), Mesh Dynamics, Strix Systems and Proxim, just to name a few, they were the trail blazers that learned along the way and can now bring tested wireless network expertise to the smart grid.

With secure wireless solutions out there, power companies need to leverage the expertise of these wireless pioneers that have been there, done that and are ready to support a secure a wireless smart grid network with their tested solutions.

Larry Karisny is the director of Project Safety.org and a consultant supporting local wireless broadband, smart grid, transportation and security platforms.

Smart Grid Security, Ground Zero for Cyber Security

2010-07-28T16:22:00.002-04:00

"One of things incumbent on all of us is to introduce strong authentication into the fabric of the smart grid. We did not do that with the Internet." Vint Cerf (pictured) Photo by Terence Brown. Story reprinted with permission of MuniWireless.

It was pretty amazing to see the amount of people involved in Conductivity Week in Santa Clara California last week. They were all there positioning their expertise on how to build and secure the smart grid. With NIST, WiFi Alliance, Zigbee Alliance, and the IEEE and hundreds of vendors and speakers attending, it was like a wireless IP Mecca of intellectuals all contributing to this global energy network requirement.
The Godfather of the Internet, Vint Cerf, opened the meeting and ended his keynote speech with a daunting announcement, "One of things incumbent on all of us is to introduce strong authentication into the fabric of the smart grid," Cerf said. "We did not do that with the Internet.
"My excuse is public key cryptography [was] not even publically written about until 1977 which is just about when TCP/IP was getting standardized, Cerf said.”But today we don't want devices to respond to control from something that’s not authenticated."
So what is the smart grid anyway? Wikipedia defines it rather well: "A smart grid delivers electricity from suppliers to consumers using two-way digital technology to control appliances at consumers' homes to save energy, reduce cost and increase reliability and transparency. It overlays the electricity distribution grid with an information and net metering system." With this definition, why is the smart grid such a security issue?
We need to first look at how our power grid operates today. Power distribution and monitoring today is in its initial stages of becoming a smart grid with some substation network intelligence often connected by microwave, power line and/or fiber-optic point-to-points. Although these core network infrastructures are very basic, they may prove useful in operating the needed private IP backbone of the smart grid. These network backbones were not meant to securely connect two-way digital connections from every home, every building every factory and every energy-using appliance throughout the power companies service area. In fact, adding millions of these connections to the power grid distribution system is no easy task in network or network security.
Power companies are in the precarious position of having to do something now while preparing for the future. In my earlier article, grid security firms and even past cyber-security czars clearly explained today’s power grid vulnerabilities. With $3.375 billion kicked in by the federal government and even more funds added by power and utility companies, they need to produce now but only if a smart grid security plan can be demonstrated. This leaves the power companies in a tough position of needing to do something today while being prepared to migrate smart grid security platforms to newer standards. The bottom line is there is no hurry up and wait when it comes to deploying and securing smart grid networks. There is only hurry up and be prepared to hurry up again.
So what were are the security problems and how can they be immediately addressed? The smart grid network, smart grid operating center and back office are pretty much secure. The problem is when you start connecting smart-grid devices to homes, business building and factories. You now have opened up the potential of accessing the smart-grid distribution network though millions of smart-grid end user access points. This network edge connection is called layer 2 which in the past had limited concern for security. It now has to lock out smart-grid end users while also having the capability of running independently and interperably throughout the smart grid.

Lessons From Foxholes

In trying to explain the layer 2 security and its importance, this Memorial Day I remembered some old WW II stories from my father. His Army job was to make field communications work in sometimes impossible situations. These WWII networks were very basic, running wires from foxhole to foxhole (layer 3) then connecting to the wireless field radios (layer 2). Even if the wireline connections were cut or if the radio battery died, the battle continued. If the wires were cut (layer 3) the pre-intelligence was already given from the commanders in the foxhole (layer 2) with the special code commands being conveyed man-to-man (today’s machine to machine, M2M). When I asked my dad what the most important network connection was, surprisingly, the answer was the radios in the foxholes and the man-to-man communications. They were able to continue the battle operating in layer 2 and M2M without command layer 3 connectivity. This is how we need to build and secure smart grids networks today.

Micro-Grids

In a response in my earlier article, The Smart Grid Needs to Get Smart About Security, Niall McShane, a smart-grid consultant commented: "We need to start the process of re-architecting the grid into smaller, localized micro-grids that are loosely coupled in a federation to help balance supply and demand across wider geographic areas which can also island from the macro-grid to prevent the propagation of faults. In this way we move from a single large target that can be attacked and that will then propagate the fault throughout the network to a large number of much smaller targets."
While micro-grids offer physical network security, a new awareness of the importance of layer 2 security is becoming recognized. Strong security encryption must reside at the layer 2 network level when you are collecting two-way digital information from the smart-grid network edge. Whether you are protecting personal information from the home or stopping potential grid-network access from the network home gateway, layer 2 is where this security must reside. There are also additional advantages of security mobility and scalability that can only be offered at the layer 2 level.
These important layer 2 features have also been documented in a recent white paper Portland: A Scalable Fault-Tolerant Layer 2. Just like the WWII soldiers were sometimes connected and sometimes not connected to the communication command center, smart-grid edge applications will need to securely and independently migrate applications, computation and storage into local data centers spread across the smart-grid edge. With all this intelligence being gathered, encryption latency also becomes an issue. In a recent white paper from the Rochester Institute of Technology addressing latency testing, layer 2 encryption out-performed the layer 3 latency adding more advantages to targeting security at the layer 2 level.
The 802.1AE standard was designed to protect data in transit on a hop-by-hop basis (see Information Week article, New Protocols Secure Layer 2), ensuring that the frames are not altered between Layer 2 devices such as switches, routers and hosts. 802.1AE isn't a replacement for Layer 3 security but does ensure that frames are protected from eavesdropping and manipulation at Layer 2 between peers. All traffic passing between two switches is protected using the same security parameters.

There are companies recognizing the importance of layer 2 security with impressive orders starting to come in. Marvell shipped more than 1 million ports of 1GE and 10GE link processors powered by first-generation Marvell LinkCrypt technology. Designed to merge Media Access Control (MAC) layer security functions into the Ethernet physical layer, LinkCrypt plays a key role in the integration of standards-compliant security solutions to expand the security perimeter in enterprise, data center, metropolitan networks and 3G/4G cellular infrastructures.
Cities, counties and even atomic plants are working with companies like TLC-Chamonix adding end-to-end security to their networks. Their premier FIPS 140-2 validated software-based solution is being used to protect wireless networks at the Layer 2 level while also offering the only Mesh-certified software solution. With DOD installations in place, TLC-Chamonix is finding that DOE and Government FIPS 140-2 mandates are requiring higher security levels over many enterprise, local, county and critical network infrastructures. Rather than embedded chip sets, TLC-Chamonix offers a vendor-agnostic software solution across a variety of network equipment and platforms.
From today’s smart-grid breaches to tomorrow’s smart-grid needs, security requirements all seem to be pointing to layer 2 and micro-grids network topologies. Maybe today’s smart-grid security problems can open the door to a complete new set of cyber-security platforms. With billions released to build the smart grid, we should immediately focus the funds and expertise to securing the critical infrastructure of our nation's power grid. Let’s make Smart Grid security the ground zero of cyber security.

Larry Karisny is the director of Project Safety.org and a consultant supporting local wireless broadband, smart grid, transportation and security platforms.

Been there done that

2009-08-13T11:56:00.022-04:00

It looks like what SmarTown was doing year ago is just beginning to catch on. A recent CCN Money article was praising the efforts of a not for profit called the Mountain Area Information Network for creating a community portal supporting local entrepreneurs. Four year ago a test model called St. Pete SmarTown in St. Petersburg Florida built a local portal promoting local downtown areas businesses when accessing free WiFi at BayWalk (the local shopping, dining and entertainment center). This portal was packed with local news and community information with partners like the St. Pete Times and Bay News 10.

The unique thing about this portal is that it allowed real time content uploading from the local businesses, even using short videos. Whether it was a summer sale or just a few pizzas for half off in the next 15 minutes, the content could be changed on the fly offering updated on demand information. This model got 5,000 hit per month just in the local WiFi zone. The middle of the portal feature local articles written by business and community leaders giving great community information. This information was enjoyed by locals and tourists alike while they decided where to go and saved money on coupons. It is nice to see this model now expanded in rural communities. Good luck Mountain Area Networks. It worked in St. Pete, we hope it works for you.

2009-05-12T10:13:00.010-04:00

Low powered wireless networks and sensors running on batteries and solar power will be the main focus of the Hurricane Preparedness Expo at John's Pass Village this June in Madeira Beach Florida. SmarTown will be demonstrating wireless based technologies that have been designed to not only survive hurricanes but be able to send critical data before, during and after a direct hit.

SmarTown will be joined by a group of technology partners which will be demonstrating everything from live video streaming to detecting potential toxins released in the Tampa Bay aftera hurricane. This event will be combined with the fun of John Leviques Pirate Days at John's Pass Village. With the theme of don't be scared be prepared the Hurricane Preparedness Expo will be demonstrating low and high tech technologies that will save lives in catastrophic events.

2007-11-15T16:43:00.000-05:00

Thirty years ago Vint Cerf and a colleague developed the TCP/IP communication protocols that form the foundation for the Internet. Today, Cerf is vice president and chief Internet evangelist for Google, where part of his job is to identify new Internet applications and technologies.

Cerf recently spoke with Government Technology at Google's Washington DC offices. During the course of an hour-long conversation, Cerf spoke about Internet opportunities and challenges. He also gave his views on net neutrality, municipal wireless projects, mobile connectivity and other critical issues.

What does the man widely considered to be the father of the Internet predict for future? Cerf sees a handful of clear trends over the next five years.

Mobile Wireless and Location Based Services

2007-04-09T18:17:00.000-04:00

Location Based Services Are Now

2007-02-25T18:52:00.000-05:00

2007-01-30T02:32:00.000-05:00




WIRELESS INTERNET COVERAGE EXPANDS DOWNTOWN
[EAST Edition]



St. Petersburg Times - St. Petersburg, Fla.
Date:	Jan 28, 2007

Citi WiFi is expanding its wireless Internet coverage in St. Petersburg's downtown by providing the bandwidth for free access at BayWalk through the SmarTown portal.

SmarTown is a location-based content provider that lets users of the free BayWalk wifi service tap into information, video and special offers from and about BayWalk businesses. Citi said the partnership with SmarTown will continue as the wifi provider expands operations in Treasure Island and Dunedin and elsewhere in Florida.

"This will bring tourists to the beaches from downtown and downtown from the beaches," said Citi Wifi president Frank McCarthy. SmarTown has been operating at BayWalk for almost three years and was the first in the country to offer real-time ads and video blogging as a local advertising medium.

St. Pete SmarTown just got smarter

2006-04-17T20:59:00.000-04:00

What if you could get free WiFi access, free remote access your office computer, make a 5 minute call for free all while you eating your lunch at BayWalk. Well you can with the new additions we have put in at BayWalk Blogger. These new free applications added to a variety of existing services such as free flash games, online newspaper, online radio, online TV and much more are making BayWalk the hot spot to be in St. Petersburg. The best just got better so get smart and get hooked up to St. Pete SmarTown at BayWalk.

More than just free WiFi at BayWalk

2006-04-10T21:40:00.000-04:00

See what you get when you register for free WiFi access at BayWalk in St. Petersburg Florida

What is SmarTown?

2006-03-21T14:35:00.000-05:00

What is so smart about SmarTown.

Real time advertising starts at BayWalk

2006-01-26T12:38:00.000-05:00

Don't miss the real time specials from BayWalk businesses. St Pete SmaTown now has the ability of offering real time business information through its free WiFi location based portal. Whether it’s a video blog talking about what's hot at BayWalk or a blog roll giving you the first shot at daily specials, bring your laptop or PDA to BayWalk and save some money while enjoying free WiFi access.

15,000 hits and 400 WiFi registered users

2005-08-29T12:53:00.000-04:00

Without an official opening, St. Pete SmarTown's BayWalk WiFi Blogger is sure getting noticed. Blogs are talking about the unique use of vblogging (video blogging) by BayWalk businesses with major media networks calling vblogging the hottest application on the Internet. New Internet video technologies will soon be tested to improve the quality of the vblogs while still offering theses services to small businesses easily and economically. More to come....

St. Pete SmarTown get's the Picture

2005-04-18T14:56:00.000-04:00

St. Pete SmarTown has tested and will soon release its text, audio and video offering at BayWalk. This service allows small business the ability of sending real time information to their customers in multimedia formats. Special location based portals have been designed to promote area specific information with can be easily update by simply calling a telephone number or uploading a video file from a standard digital camera. Never before could business promote their services so quickly and economically, including full motion video.

The Walled Garden is growing at BayWalk

2005-02-21T21:09:00.000-05:00

BayWalk will soon be offering free WiFi services which is just the start of the fun. They will also be offering services from St. Pete SmarTown including streaming webcasts from Tampa Bay's 10, BayWalk only text, voice and video instant message service, animation vobots offering on the spot specials and flash multi-player games. An announcement on the start of these exciting services will be made soon.

Can you see me now?

2005-02-21T20:37:00.000-05:00

BayWalk's SmarTown hot zone just got hotter. You can now come to BayWalk with any wireless 802.11 devise and find out who is in the BayWalk zone. A special BayWalk only chat, text and video instant message service can be accessed when you enter the WiFi zone. Let them know you are there and join the fun.

Did you bring your TV to work today?

2005-02-08T10:14:00.000-05:00

What! TV is coming back. It never left it is now just available on a wireless devises. St Pete SmarTown will be offering live streaming from Tampa Bay's 10 starting with a daily sunrise and special live newscasts. Access to real time doppler radar weather, traffic reports and special interest stories right from you laptop or pda. Come join the fun at BayWalk. Tampa Bay's first SmarTown.