EE Times-India

How to secure the smart grid and SCADA

Posted: 02 Aug 2013

Keywords: Automatic meter reading, AMI, RF, Remote metering, smart grid

Many of the device manufacturers have no real experience with security in the first place—it has never been an issue in the past. In addition, developers do not really think in terms of security. They might implement some basic security as a bare-bones solution, but it's usually nothing that will hold up for a long time.

The more the smart grid becomes a reality (the complete grid, not just smart meters), the more it will become a primary target for attacks. Security is an area where knowing a little on the topic is extremely dangerous: people implementing cryptography (or worse, rolling their own) think it works, without realising or even being able to identify the gaping holes they left behind, or just not being able to see that their implementation is wrong due to lack of knowledge on the subject at hand.

When we look at current security problems in other sectors (banks and medical facilities, stolen credit card numbers, Social Security numbers in plain sight and unencrypted, the ease with which password databases seem to be hacked, and so on), it's obvious to us that not even the basic concepts (like a password with a proper salt and proper password hash function) are known, understood, and properly implemented. And this is in a business sector that has years of experience with this matter. To believe that the smart grid will be different is wishful thinking.

Securing SCADA
We can already see some of the problems today in a different segment of the smart grid: SCADA systems. SCADA systems form the core control systems and monitor the power plants and other large infrastructure. At some point in the past, these systems became interconnected. First over private networks, and later over the public Internet. However, these systems were never designed with that capability in mind. They have never had strong security components integrated, since they were never planned to be connected to a public network where anyone could attempt to hack into the critical areas.

The issue is that these systems today are migrating to the world of open IT standards such as TCP/IP and Ethernet to communicate and interact. While this also allows them to inherit the security mechanisms from that world, these mechanisms are in our view not the proper ways to secure critical infrastructure. That other people use a security implementation and have not run into problems does not mean it is truly good. When security on critical systems fails, it does not just break a single banking site or corporate network—breakage can mean that entire power-grid segments will fail, with much more serious results. Similar conclusions were drawn in "Security of power grids: a European perspective" [5].

Security is also not just about encryption. Even if the data itself is encrypted, telltale signals can still leak out that might allow an attacker to identify, learn about, and abuse the systems involved. The communication infrastructure should ensure that information leaks of this kind do not occur, in order to guarantee that the communicating entities remain anonymous. For example, while a secure connection with a bank might not be easily broken in itself, other network traffic that is present, and which might have nothing to do with the banking itself, can leave clues and critical information behind. The same is true for computers running SCADA systems or other devices on the smart-grid network.

Finding solutions to these problems requires specific expertise and costs money to do properly. However, these solutions do not necessarily eliminate other types of attacks, such as denial-of-service attacks. Especially when coordinated, these kinds of attacks can easily disrupt normal operation in a network. If there are time-critical aspects (as is the case with SCADA, IEC 61850, and others), this can severely impact the operation of the distribution grid. Also, since smart meters and other embedded systems are generally very low-power devices with very few resources, setting up a proper defence at their end is nearly impossible. Attacks can include malformed packets being injected into the network, and these can disrupt normal operations because the embedded devices do not know how to properly discard them, perhaps because they don't have enough input validation code.
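As an added illustration of the input validation described above (not code from the original article), the following C sketch shows how a constrained device can reject malformed frames before any payload byte is processed. The frame layout, constants, and function names are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical meter frame (constructed for this example, not a real protocol):
 * [0]=0xA5 sync, [1]=type 1..3, [2]=payload length N (0..32), [3..]=payload,
 * then CRC-16/CCITT-FALSE, big-endian, over bytes 0..2+N.
 * The CRC only catches corruption; it does not authenticate the sender. */
enum { FRAME_SYNC = 0xA5, FRAME_HDR = 3, FRAME_CRC = 2, FRAME_MAX_PAYLOAD = 32 };

typedef enum {
    FRAME_OK = 0, FRAME_TOO_SHORT, FRAME_BAD_SYNC, FRAME_BAD_TYPE,
    FRAME_BAD_LENGTH, FRAME_BAD_CRC
} frame_status;

uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Validate before touching the payload; any non-OK result means: drop the frame. */
frame_status frame_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < FRAME_HDR + FRAME_CRC) return FRAME_TOO_SHORT;
    if (buf[0] != FRAME_SYNC)                       return FRAME_BAD_SYNC;
    if (buf[1] < 1 || buf[1] > 3)                   return FRAME_BAD_TYPE;
    size_t n = buf[2];
    /* Declared length must be within bounds AND match the bytes received. */
    if (n > FRAME_MAX_PAYLOAD || len != FRAME_HDR + n + FRAME_CRC) return FRAME_BAD_LENGTH;
    uint16_t want = (uint16_t)((buf[FRAME_HDR + n] << 8) | buf[FRAME_HDR + n + 1]);
    if (crc16_ccitt(buf, FRAME_HDR + n) != want)    return FRAME_BAD_CRC;
    return FRAME_OK;
}

/* Build a valid frame into out (capacity >= 3+n+2); returns its length, 0 on error. */
size_t frame_build(uint8_t *out, size_t cap, uint8_t type, const uint8_t *pl, size_t n)
{
    if (n > FRAME_MAX_PAYLOAD || cap < FRAME_HDR + n + FRAME_CRC) return 0;
    out[0] = FRAME_SYNC; out[1] = type; out[2] = (uint8_t)n;
    for (size_t i = 0; i < n; i++) out[FRAME_HDR + i] = pl[i];
    uint16_t crc = crc16_ccitt(out, FRAME_HDR + n);
    out[FRAME_HDR + n] = (uint8_t)(crc >> 8);
    out[FRAME_HDR + n + 1] = (uint8_t)(crc & 0xFF);
    return FRAME_HDR + n + FRAME_CRC;
}
```

The validator uses no heap and a fixed upper bound on work per frame, so it fits the low-resource devices the paragraph describes.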

The use of a generic operating system, such as Microsoft Windows, brings with it all the security issues that corporate network administrators experience today. A generic operating system is not an intelligent choice for critical infrastructure. Recent attacks against SCADA systems, such as Stuxnet, have been very successful in part because the target systems were running generic operating systems; for example, it is possible to compromise a system just by inserting an infected USB stick.
