US Preps Cyber Outfit To Protect Electric Grid 58
coondoggie writes to mention that the US Department of Energy is planning to set up a new "National Energy Sector Cyber Organization" in order to protect the national bulk power electric grid. For the low, low cost of $8.5 million they will help integrate smart grid technology with the electric grid, speed research, and establish new policy and protocols. "It is paramount that smart grid devices and interoperability standards include protections against cyber intrusions and have systems that are designed from the start (not patches added on) that prevent unauthorized persons from gaining entry through the millions of new access points created by the deployment of smart grid technologies, Hoffman stated."
Make the process open (Score:2, Insightful)
Recently I saw that a bunch of stimulus funds were handed out [arst.ch] for bringing the nation's electrical grid into the 21st century. A big part of this is using computers to control various parts of the grid, from utility scale substations down into the home with smart meters and smart appliances.
Anytime you take infrastructure and connct it to computers you are opening it up to a whole new set of threats as well as bringing privacy implications.
Here's a couple great [wired.com] articles [arst.ch] that go into the details better than I can.
I believe that there is are a couple things that really need to be address for grid security:
- Open protocols and specifications
With all the new technology coming down the pike, all sorts of companies will be sprining up with their gadget or software that will solve some problem. They need to work towards making standards of interoperability so that all these entities could work together.
- Network security
Putting millions of new, network connected, devices out there could lead to a field day for hackers. I believe that they sould quickly develop security technologies that manufactures could then cheaply incorporate into their devices.
A lot of this could be easily (and cheaply) addressed with various communities already out there. For instance, SSL technology has already been built into products like OpenVPN that could easily and cheaply secure huge numbers of smart endpoints.
- Privacy
We need to provide software that is built from the ground up to give uses the privacy that they deserve, while still pushing forward great new technologies.
Re:Make the process open (Score:5, Insightful)
Systems that control key infrastructure for your nations production and commerce should be on an completely separate network. End of story really.
For the information that needs to be distributed over the internet, make it eyes only transferred from the control network to the internet connected systems (double workstation setup). Then your only concern is direct espionage.
Wouldn't a Smart Grid be Less Secure? (Score:3, Insightful)
From the summary:
they will help integrate smart grid technology with the electric grid
It's pretty obvious to anyone familiar with computer networking that making the the electric power grid "smart" would make it more vulnerable to attack. After all, if the grid's control apparatus isn't online, there's no way to hack into it in the first place. I realize there are other advantages to a smart grid but to claim that making the current "dumb" grid smart would also make it more secure seems disingenuous at best.
terrorist don't use computers (Score:1, Insightful)
20 guys, 20 uhauls, 20 tons of explosive, 20 throw way cell phones all parked under the 20 biggest transmission lines and there's not a thing that technology can do to stop it.
Re:Make the process open (Score:3, Insightful)
They ARE. I serviced DR systems for serveral power companies. by LAW there is not even an internet connection allowed in the BUILDING (let alont the room) housing the grid switch control systems, not even a modem.
I was frisked each time entering, and had to go through 2-3 layers of security to get in the room. Even then, i could only touch the DR equipment once an employee physically disconnected it (for hardware repairs), or they had to enter all the keystoks personally, all i could do was watch and instruct.
This is NOT for the grid itself, it's for the "smartgrid" essentially, coming up with secure protocols to collect billing and use information from read-only devices at houses.
I'm not worried about *cyber* attacks. (Score:2, Insightful)
A nation's electrical infrastructure is everywhere and largely unguarded - there's really nothing stopping a single, determined individual from doing an extreme amount of *physical* damage to a power company via sabotage.
Theoretically, there's no reason I can't:
- Sneak into the woods with a gas angle grinder and start cutting guy wires on hydro towers. Cut down a few >300KV lines feeding a city and they'll have no power for days.
- Break into unmanned substations and open oil drains on transformers. Or shoot a hole in a transformer with a high caliber rifle for the same effect - oil spill, destroyed transformer, easily a week of no electrical service.
- You probably can't do much to a power station directly (lots of staff, security, etc) but there's plenty of other things. Sabotage a rail line feeding a coal power station, a pipeline feeding a natural gas station, an oil tank at a oil station, etc. Or the power lines exiting them.
Get a large, determined group of people doing this, and you've got a big problem. Especially since we depend on electricity so much nowadays for day-to-day things - phones (who owns a corded phone anymore?), light, refrigeration, heating, etc. You can secure a power company system against "cyber-attacks" by keeping the damn thing off the internet - but good luck securing the physical power grid, since it's so big.
The solution to all of this?
- Intelligence, and
- Not pissing the fucking world off such that they *want* to do this shit. (Yeah, cliche, whatever.)