
May 12, 2011 By Larry Karisny
In watching smart-grid deployments early on I always wondered  when the smart-grid security flashing red light bulb was going to go  on. Andy Bochman is an IBM security lead who hates security fear  mongering but even he couldn't deny the facts  about a series of power-grid security breaches this spring in a recent  blog post. And when U.S. senators like Richard Burr start calling to slow down the implementation  of smart-grid technology you know there's a problem. I appreciate the  recognition and concerns of power-grid security issues but just stopping  the smart grid isn't an answer or even an option. We need to understand  that even current legacy power-grid networks have serious security  flaws. In fact the only way to protect these current legacy-grid designs  from security breaches is to give these power-grid components  visibility through secure interactive network intelligence (the smart  grid). So like it or not we need to use these new smart-grid  technologies to add security even on our current power grids.
The Threat Recognized
When I fear monger I like quoting the greatest fear monger of them all, Richard Clarke. In his book, Cyber War: The Next Threat to National Security and What to Do About It,  he warns of both present day legacy power-grid vulnerabilities and  future cyber attacks on the grid. From gas pipelines exploding to  blinding the greatest military power in the world, Clarke defines just  how catastrophic it would be to have a national power outage. A Wired article  earlier quoted Matthew Carpenter, senior security analyst of InGuardian  as saying: “The cost factor here is what’s turned on its head. We lose  control of our grid, that’s far worse than a botnet taking over my home  PC.” It's not like we are losing a few family pictures. In fact there  are reports that if we have a national power outage, by day eight we  could lose as much as 30 percent of our GNP.
Hurry Up, Wait, and Hurry Up Again
So what happened and why are we just now recognizing power-grid security  problems? Well, it's the old story: hurry up and wait and hurry up  again. We were in a hurry to gain the saving benefits of the smart grid  so we start building it and putting security on the back burner. We then  validated some security vulnerabilities and recognized that these  potential security breaches in the power grid could be catastrophic. So  we put a road map together for what we need to do to fix these security  problems -- even for legacy and existing smart-grid networks already  staged or deployed. So why will they do something now? Because, if we  don't get security in the smart grid -- and fast -- we will lose a lot  of money.
A Trillion Here a Trillion There 
In my article "Will Security Start or Stop the Smart Grid?"  I warned that if we did not address security first it could bring  smart-grid deployment and investment to a halt. So how important is this  and how much money are we talking about? First let's put the smart grid  into perspective in both investment and return on investment. The  Electric Power Research Institute (EPRI) estimated  the costs for a fully developed smart grid  could reach $476 billion with benefits up to $2 trillion. These dollar  amounts are no small potatoes and could affect global competitiveness. CleanTechGrid  lists hundreds of companies with thousands of employees that are  currently working in the smart-grid industry. With job creation and  energy savings like this we can't just stop building the smart grid. IBM  gets it and predicts one trillion devices connected by 2015.
The smart grid is just one part of this massive marketplace. From  smartphones, ATMs, retail kiosks, traffic systems, meters, buildings to  sensors -- all these devices will be connected to local wireless IP  infrastructure and all will need security. With network infrastructure  like Florida Power and Light FiberNet  already in place, power companies could be the anchor tenant and  supplier that municipal wireless networks have been looking for. The  smart grid is the beginning of more intelligent wireless applications  and we can't afford to stop it now.
The Road Map is Done
NIST has recently refined some guidelines as they pertain to smart-grid security. A recent NIST Tech Beat release, "Smart Grid Panel Agrees on Standards for Wireless Communication, Meter Upgrades"  lists a series of “Priority Action Plans,” or PAPs. PAP 2’s goal is to  specify wireless technology performance that is "grid-worthy." These  seem to be realistic goals and requirements and at last puts smart-grid  vendors on notice that they need to fill important gaps to assure the  interoperability, reliability and security of smart-grid components.  Security is no longer just an afterthought. It needs to be an integral  part of smart-grid solutions and must be deployed in every step along  the way.
The Solution
To get us back on track we need solutions that offer grid-worthy  security that can be economically and rapidly deployed. This solution  has to be vendor-agnostic and capable of working with both legacy and  new grid networks. This security must also be able to work with  multi-protocol hybrid network combinations. Last but not least, these  security technologies need to be fast, have low overhead and be  scalable. Seems like a tough request but again and again, I see the  smart grid and many edge device security requirements point toward layer  2 security. A recent paper by the Grid-Interop Forum called "Interoperability and Security for Converged Smart Grid Networks"  highlights these unique layer 2 security capabilities that were  approved by NIST for federal systems and explains how useful these same  capabilities could be in securing the smart grid. With a lot of money on  the line and a lot of pressure to rapidly get the smart grid secured  and up and running, we are left with few other alternatives. We need to  start testing and investing in these layer 2 security solutions and get  them deployed on the power grid. We can't afford not to.
Reprint courtesy of MuniWireless. Larry Karisny is the director of  Project Safety.org,  consultant, writer and industry speaker focusing on security solutions  for public and private wireless broadband networks. Next speaking  engagement,  Smart Gird Virtual Summit June 29th-30th,  "Securing the Emerging Smart Grid: A Panel Discussion."
 
