06:08 PM
Connect Directly

New NIST Report Sheds Some Light On Security Of The Smart Grid

First draft of Cyber Security Coordination Task Group report released

A draft report published today by the task group heading up the security strategy and architecture for the nation's smart power grid provided an initial peek at how the grid may be secured.

The Cyber Security Coordination Task Group led by the National Institute of Standards and Technology (NIST) and made up of members of the government, industry, academia, and regulatory bodies, plans to finalize the overall smart grid architecture and security requirements by March of 2010. The initial draft includes risk assessment, security priorities, as well as privacy issues. The task group will publish a second draft in December after addressing the round of comments from this first draft.

The smart grid, which basically makes the electrical power grid a two-way flow of data and electricity, allows consumers to emotely monitor their power usage in real-time in order to help conserve energy and save money. But researchers have raised red flags about the security of the smart grid. Some have already poked holes in the grid, including IOActive researcher Mike Davis, who was able to execute buffer overflow attacks and unleash rootkits on smart meters.

Davis found multiple vulnerabilities in smart meters, and pointed out that most of the devices don't use encryption nor do they authenticate users when updating customer software and other operations.

Tony Flick, a smart grid expert with FYRM Associates, at Black Hat USA talked about his worries over utilities "self-policing" their implementations of the security framework. "This is history repeating itself," Flick said in an interview with Dark Reading in July.

The new "Smart Grid Cyber Security Strategy and Requirements" draft (PDF), which is open for comment, covers various potential security issues with the grid, as well as privacy risks of the smart grid.

State utility commissions don't have formal privacy policies or standards for the smart grid, the report says. "Comprehensive and consistent definitions of personally identifiable information (PII) do not typically exist at state utility commissions, at FERC, or within the utility industry," the report says. "The lack of consistent and comprehensive privacy policies, standards, and supporting procedures throughout the states, government agencies, utility companies, and supporting entities that will be involved with Smart Grid management and information collection and use creates a privacy risk that needs to be addressed."

And while most states have general privacy laws, those laws are not applied specifically to the electric utility industry, the report says.

The document calls for power companies to adopt several best-practices in order to protect their customers' personally identifiable information, including audiding data access and changes; specifying the purpose for collecting, using, retaining, and sharing PII; collecting only data that's needed; anonymize data where possible and keep it only as long as necessary.

It also spells out how devices in the Advanced Metering Infrastructure (AMI) must set up protections against denial-of-service (DoS) attacks. "For example, network perimeter devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial-ofservice attacks," the document says. And the AMI system should use redundancy or excess capacity in order to minimize the impact of a DoS.

AMI components accessible to the public, such as public Web servers, must be located in separate subnetworks with separate physical network interfaces. "The AMI system shall deny network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception)," the report says.

The document also recommends that consumers' access to smart grid meters be limited. "Where meters act as home area network gateways for providing energy information to consumers and/or control for demand response programs, will consumers be authenticated to meters? If so, authorization would likely be highly limited. What would the roles be? Authorization and access levels need to be carefully considered, i.e., a consumer capable of supplying energy to the power grid may have different access requirements than one who does not," the document says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
New Bluetooth Hack Affects Millions of Vehicles
Dark Reading Staff 11/16/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-11-21
kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.
PUBLISHED: 2018-11-21
The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.
PUBLISHED: 2018-11-21
In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allow remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting index.php?r=appmanage/index/onlineinstall&url= ...
PUBLISHED: 2018-11-20
format_cb_pane_tabs in format.c in tmux 2.7 through 2.8 might allow attackers to cause a denial of service (NULL Pointer Dereference and application crash) by arranging for a malloc failure.
PUBLISHED: 2018-11-20
FoxitReader.exe in Foxit Reader allows remote attackers to cause a denial of service (out-of-bounds read, access violation, and application crash) via TIFF data because of a ConvertToPDF_x86!ReleaseFXURLToHtml issue.