Risk
12/6/2011
12:32 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Smart Grid Security Threatened By Fragmented Control

MIT study finds smart grid cybersecurity led by fiefdoms, says central leadership would better protect the nation's power lines from hackers.

Federal Data Center Consolidation Makes Progres
Federal Data Center Consolidation Makes Progress
(click image for larger view and for slideshow)
The United States government should consolidate the currently splintered operational control of cybersecurity in the emerging smart power grid under the authority of one federal agency, according to a two-year study by a group of researchers at the Massachusetts Institute of Technology.

The study, which set out to analyze whether the U.S. power grid is prepared for technologies and power sources over the next 20 years, recommended a host of policy changes to gird the grid against coming challenges, including new powers and authorities regarding the emerging smart grid, particularly around cybersecurity.

Currently, the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation are empowered to create and police cybersecurity standards for power plants, but no organization has oversight over the grid itself, and states are headed in their own directions. In addition, the agencies with cybersecurity responsibilities aren't working together enough, the study found.

[ Cybersecurity is one part of the feds' four-pillar smart grid plan. Learn about the other three: White House Unveils National Smart Grid Strategy Framework. ]

"To cope more effectively with increasing cybersecurity threats, a single federal agency should be given responsibility for cybersecurity preparedness, response, and recovery across the entire electric power sector, including both bulk power and distribution systems," the report says. "Ongoing jurisdictional confusion raises security concerns, underscoring the need for action."

That's a point of major concern for a power system that the MIT report points out will soon see massive growth in the amount of data flowing over its lines as smart meters and synchophasors (devices that measure and help optimize power transmission) come online and power companies begin to push more and more data-enabled services over power lines.

"With the collection, transmission, processing, and storage of increasing amounts of information also comes heightened concern for protecting the privacy of that information," the report said. Information on personal electricity use habits, for example, will become more widely available to electric companies than ever before.

Hackers, not just the corporations themselves, will likely be interested in this data and opportunities to disrupt the grid. The Wall Street Journal reported in 2009 that Chinese and Russian government hackers were likely already looking for points of cyber weakness in the smart grid.

Various observers and policymakers also have argued for a centralized point of authority for smart grid cybersecurity, with various parties arguing for the Department of Homeland Security, the Department of Energy, or the current electricity and energy regulatory bodies. MIT didn't recommend any particular agency over any other, but said designating one should be a high priority.

In addition to better management of cybersecurity, the MIT researchers recommended that the government spend more on research and development into procedures for response to and recovery from cyberattacks on the grid.

Cybersecurity wasn't the only IT fix the MIT study recommended to bolster the power grid in the future. The researchers also suggested that the energy industry do more R&D into using IT for bulk power system operations and planning for power transmission over wide geographic areas.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Bprince
50%
50%
Bprince,
User Rank: Ninja
12/7/2011 | 2:44:02 AM
re: Smart Grid Security Threatened By Fragmented Control
Interesting. Ponemon Institute put out a study earlier this year that found that there were a number of security gaps at many utility companies:
http://www.darkreading.com/sec...
Brian Prince, InformationWeek/Dark Reading Comment Moderator
renttester
50%
50%
renttester,
User Rank: Apprentice
2/25/2012 | 11:12:44 AM
re: Smart Grid Security Threatened By Fragmented Control
thanks for sharing
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.