Tuesday, March 31, 2009

Smart Grid and the Smart Hackers

Over the past few weeks I’ve been seeing a lot of buzz about how insecure utilities are, and I just wanted to offer some moderate opposition to the dramatics.
While it’s true that the power of smart grid comes from bringing the internet to the electric infrastructure, putting things on the internet does not mean the hackers rule the world, not yet at least. Most analysts cite potential risks such as holding a utility for ransom, either by threatening to take a city’s power down, or by doing it and then not relenting until someone pays up.
This type of extortion has been seen with denial of service attacks for years, but not so much on US soil. In the US the penalty for such illegal acts is pretty costly, and as much as you can still get some anonymity online, once you start receiving money you become much easier to track. Imagine if you took a city off the power grid for a few hours: someone would be investing lots of money into finding you quickly.
The part about this that makes me most skeptical is that this type of attack is possible on any institution. Shutting down business for a day is expensive, and you could bring up this risk for any industry from banking to telecom (and these two industries have led the way to “getting online”). Although with banking, they might be doing us a favor by shutting things down for a few days.
Nonetheless, I haven’t heard of Bank of America or AT&T having their networks held for ransom. They’ll say that the IT industry has had more than 10 years to learn how to avoid hackers and that utilities are all too new to this game. I don’t see these companies going it alone, though. There is a lot of IT involved in Smart Grid, and any utility that is serious about moving into the intelligent grid future is going to have lots of help.
Plus, utilities are not as clueless as everyone makes them out to be. The backbone system that people are afraid of compromising is called SCADA, and there are already standards in place, such as NERC CIP, to ensure that these systems are on separate networks that are offline.
Now with that said, if you don’t follow the security protocols that are in place, there will of course be issues, just as something bad is bound to happen if you were to ignore all of the media’s warnings. But I would say take what you hear with a grain of salt.
Advanced Metering Infrastructure (AMI) is going to be popping up all around you, and you probably won’t even notice until they ask you if you want to be on a variable pricing rate. So I wouldn’t worry too much, unless you are using remote desktop to view your SCADA system as you read this…