Fed's Smart Grid Race Leaves Cybersecurity in the Dust
Amid the government-funded rush to upgrade America’s aging electric system to a smart grid comes a strange confluence of press releases this week by the White House and the University of Illinois.
Tuesday morning, President Obama, speaking at Florida Power and Light (FPL) facilities, announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the economic stimulus package.
FPL will receive $200 million to install 2.6 million smart meters and other technologies that promise to reduce energy costs for customers. CenterPoint Energy in Houston, Texas, gets $200 million to install 2.2 million smart meters (.pdf) and more than 550 sensors and automated switches. Baltimore Gas and Electric in Maryland is another $200-million recipient.
Strange, then, that another press release distributed Monday by the Information Trust Institute at the University of Illinois announces a grant of $18.8 million to four academic institutions to fund a five-year research project into securing the power grid. The project is supposed to make certain that the smart meters and other devices implemented by power companies can resist hackers and other attackers.
The latter grant, from the U.S. Departments of Energy and Homeland Security, provides funding to the Institute, along with Dartmouth College, the University of California at Davis in California and Washington State University for a research program called Trustworthy Cyber Infrastructure for the Power Grid.
“It reflects a strong consensus that cybersecurity and resilience will be critical to the realization of a modernized, reliable, and efficient power grid, so that it will be able to guarantee delivery of electricity to consumers and maintain critical operations, even when malicious cyber attacks occur,” reads the press release.
The only problem is, by the time the research project is completed, most of the nation will have already adopted untested and unsecured technologies.
How do we know they’re insecure?
Earlier this year IOActive, a computer security firm in Washington state, was contracted to examine the security of smart meters deployed by an unnamed utility company in the northwest. Mike Davis, an IOActive security consultant, and his fellow researchers developed a malicious worm that, in a simulated attack, was able to spread from meter to meter to take out power in more than 15,000 homes in 24 hours. Davis says IOActive submitted his findings to the Department of Homeland Security. DHS, in response to a Threat Level FOIA request, said it can’t find the report in its files.
“Given the degree of seriousness that the Obama administration is applying to cybersecurity and the smart grid, we can look forward to the kind of things happening here that happened to Brazil, where hackers successfully brought down the power,” says Richard Clarke (at right), chairman of the Good Harbor security consulting firm and former special adviser to President George W. Bush on cybersecurity.
Clarke is referring to veiled reports made last year by the CIA’s chief cybersecurity officer, Tom Donahue, that extortionists had taken down the power grid in multiple regions outside the United States. The location of those outages has never been publicly identified.
“Smart grid” refers to the transition from the current, outdated power-grid infrastructure to a more technologically advanced structure that allows expanded real-time monitoring and energy delivery that’s more efficient and cost effective for utilities and consumers. The technology promises to solve a number of problems, but it also (as the Illinois press release states) could “introduce new problems, such as increasing the vulnerability to cyber attack as power grid resources become increasingly linked to the internet.”
“The concern is that the existing technologies can’t offer [security] guarantees, and that we could even open the door to new risks if we carelessly put together new systems that don’t have resilience and security guarantees built in from the ground up,” explained Ilesanmi Adesida, dean of the College of Engineering at Illinois, in the Information Trust Institute’s press release.
So why would the federal government accelerate the adoption of insecure technologies at the same time it touts cybersecurity as one of the nation’s biggest national security concerns?
According to the Department of Energy, the government has the smart-grid security issues under control.
Spokeswoman Jen Stutsman said all the entities awarded smart-grid funds under Obama’s $3.4 billion stimulus grant were required to submit a cybersecurity plan with their proposal.
“Each application was examined by at least two interoperability and cybersecurity experts, and it was a central component to the selection criteria for each of the awards,” Stutsman said.
Stutsman wouldn’t identify the experts who reviewed the cybersecurity plans or provide details about the plans applicants submitted.
According to the grant-proposal requirements, each applicant was required to submit a summary of known cybersecurity risks (.pdf) and explain how the applicant would mitigate them. They also had to identify the cybersecurity criteria they used for selecting vendors and technologies and the cybersecurity standards or best practices they planned to follow. And they had to explain how they would adapt to new standards that might emerge — such as those being developed by the National Institute of Standards and Technology.
Stutsman, addressing why the government would urge the move to smart meters before researchers had fully examined them, said that DoE “has spent years researching cybersecurity issues” and is “constantly and on a continuing basis … putting in place policies and programs that will help us gather more information.”
While the department is modernizing the electrical grid and using knowledge it already has, she said it will continue to apply new information as it becomes known. The government, she said, will continue to monitor utilities and others “to ensure that we are taking every step we can to secure the country’s electric grid.”
Himanshu Khurana, principal scientist for the Information Trust Institute’s power-grid research project, noted that many of the grants to utility companies and municipalities are for a three-year period.
“So there is still time between something being announced and everything being deployed for making sure that the technologies” are evaluated, he said.
Separate to his Institute’s research grant, Khurana belongs to a team that has been contracted by one of the utility companies that received a federal grant. His team’s job will be to help evaluate the utility company’s network and the technologies it plans to deploy and perhaps develop needed software.
“So people have reached out to cybersecurity experts and formed appropriate teams,” he said. “Now, it’s hard to provide assurance right now that everything is going to go safe. But the plan is feasible and there has been a lot of weight given to cybersecurity in the administration’s grants.”
Clarke is not so confident.
“We have no way of having any confidence that there’s any cybersecurity plans since we don’t know anything about the qualifications of the experts who examined them or the criteria they’re using to judge them,” he said. “In the absence of someone like the NSA or the cybercenter at DHS [to certify every smart-grid proposal], there’s no reason to believe they’re taking security seriously.”
More important than asking companies to submit a cybersecurity plan for future technologies, he says, is to require that utility companies and energy distributors pass an audit for their current state of security.
He says he’s spoken with auditing firms that have examined utility companies and energy distributors and found that — in every case — they were able to infiltrate the company’s production SCADA system (Supervisory Control and Data Acquisition) from the public internet in less than an hour.
“No grant should be given to any company that doesn’t pass an audit today with its existing system,” he said. “Paper audits are worthless. Real-world audits are what count. So if the company today has flagrantly bad performance with regard to cybersecurity, then it shouldn’t win an award for new technology until it fixes that problem.”
By Kim Zetter, Wired magazine