This story appeared on Network World at

This story appeared on Network World at
http://www.networkworld.com/columnists/2009/033009bradner.html

Smart grid, other environmental control systems not smart about security

'Net Insider By Scott Bradner , Network World , 03/30/2009

If lengthy requirements were a measure of success, then smart grid technology is well on its way to being an anomaly in the environmental controls space. But I'm not going to try to hold my breath for that to happen.

In mid-March the Advanced Metering Infrastructure Security (AMI-SEC) Task Force released a 64-page set of security requirements for remotely accessible electric meters. The AMI-SEC Task Force includes a bunch of utilities, the Electric Power Research Institute, the U.S. Department of Energy, some people from Carnegie Mellon University, among others -- a group that one would hope would have a clue when talking about controlling electric systems and security. At first blush this is good timing because the Obama stimulus package contains more than $4 billion for smart grid technology, which depends on remotely accessible electric meters that won't be easy for a bad guy to control.

There are a lot, perhaps hundreds, of individual security requirements in this document. But many are, to say the least, high level and non-specific. For example, requirement FIN.37: "The security function shall protect the integrity of transmitted information"; and requirement AAC.3: "The security function shall enforce the [assignment: access control security function policy] on [assignment: list of subjects, objects, and operations among subjects and objects covered by the security function policy]."

It is fine to have such requirements but it is merely wishful thinking until specific technology is developed and agreed upon.

It is good to see that someone in this industry is paying at least some attention to security. I've looked at many IP-based building control systems, including lighting and environmental control systems, and I have yet to find one that even pretends the system has any network security. All of the ones I've seen do not even mention network security or they assume that the products are deployed on isolated private networks. Somehow these manufacturers expect that you will build multiple networks in each building. Some of the systems do not even understand virtual LANs and may mean multiple physical Ethernet switches in each network closet. Some, but not all, building access control systems are a bit better, but network security does not seem to be a major concern.

Real security is not easy -- just ask the Wi-Fi folks -- but it would be nice if the companies in this area did not operate in the "ignorance is bliss" mode. The AMI-SEC requirements are a start -- a too big, too complicated, too lacking in details and too fix all problems for all users -- but at least a start. The next step for the smart grid will be much harder. Manufacturers will have to decide what parts of this requirements document it will make sense to come up with specific standards for and they will have to find some good security people to help define the standards. (Note that the latter is not a given: All too often folks like this decide that they know enough about security to not involve people who actually understand security.)

I wish them well. You should too if you don't want your power or heat to be suddenly under the control of some kid half way around the world.

Disclaimer: Harvard is more used to controlling (see the number of Harvard folk who have moved to Washington over the last few months) than being controlled, but the above wish is my own.