(This article was originally published on the Findings From the Field blog.)

I just returned from Smart Grid Security East. The event featured an impressive set of high-powered government and regulatory speakers and a fair number of vendors as well. Surprisingly, I found the "NERC-CIP Compliance" workshop very useful -- in addition to the usual introductory information, there was insightful discussion between a number of security consultants and former NERC auditors as to how this word or that phrase is being interpreted during audits.

The event also crystallized for me an understanding of why I have found the AMI/smart meter security space so confusing for the last little while: IT folks see smart meters as billing appliances. ICS folks, like me, see them as control devices. Security requirements for the two classes of devices are very different. Thus far, the IT interpretation is winning...

Security Priorities

Industrial control system (ICS) security priorities are generally:
Traditional IT priorities are the classic "CIA" - confidentiality, integrity and availability. In the smart grid space, this translates into concerns about customer-private data and tamper-resistance to prevent electricity theft.

A clear majority of participants at Smart Grid Security East held to the IT perspective of smart meters. When you ask representatives of meter vendors at these shows about security, they answer in terms of encryption, because their IT-centric customers tell them that customer data privacy is their biggest concern.

The good news is that meter security is improving. All the vendors I spoke to swore they had unique keys in every meter -- no more nonsense where every meter's key was the same, or every meter had a copy of a common shared-secret control center key. Even better, Industrial Defender's consulting personnel report that the technical people they work with from meter vendors very much understand safety. They regard Zigbee interfaces as hostile networks, they keep control decisions as close to the physical hardware as they can, and as much as possible they separate control communications from more routine communications.

Grid Reliability Concerns

So what are the concerns about safety and smart meters? NERC issued a report very recently: Reliability Considerations from the Integration of Smart Grid. The report documents NERC's position on the impact emerging smart grid technologies are expected to have on the reliability of the BES. The high-level conclusion of the report is that smart grid technologies are generally expected to improve the reliability of the electric system.

If you look closer at the report, this makes sense because the report uses a definition of "smart grid" that seems at odds with the one used by most participants at the conference. At the conference, the vast majority of participants were attending AMI-focused tracks and sessions. The ICS-focused sessions were nearly empty.
The majority opinion seems pretty clear: the smart grid is AMI, AMI is a big billing system, and so traditional CIA/IT-centric priorities apply. The NERC report, however, echoes the conference chair Mike Ahmadi's comments on the second day. By count, some 49 of the NERC report's technologies are distribution automation technologies, only 15 are consumer-visible technologies, and only four of those are related to smart meters. Mike tried to remind people that the smart grid was about distribution automation as much as it was about smart meters. His comments fell on deaf ears.

NERC's comments on consumer-visible technologies, including those mediated by smart meters, display concern for the availability of the bulk electric system, and by implication for public health concerns that arise from an unreliable power grid. Among those concerns:
Looking Forward...

Even power grid people are in denial. I have had more than one power grid expert tell me that when smart meters are widely deployed, no attack on them can affect the stability of the grid. "Do the math," they tell me:
2011-03-04
Smart Grid Safety vs Confidentiality