New NIST Report Sheds Some Light On Security Of The Smart Grid

First draft of Cyber Security Coordination Task Group report released

A draft report published today by the task group heading up the security strategy and architecture for the nation's smart power grid provided an initial peek at how the grid may be secured.

The Cyber Security Coordination Task Group led by the National Institute of Standards and Technology (NIST) and made up of members of the government, industry, academia, and regulatory bodies, plans to finalize the overall smart grid architecture and security requirements by March of 2010. The initial draft includes risk assessment, security priorities, as well as privacy issues. The task group will publish a second draft in December after addressing the round of comments from this first draft.

The smart grid, which basically makes the electrical power grid a two-way flow of data and electricity, allows consumers to remotely monitor their power usage in real time in order to help conserve energy and save money. But researchers have raised red flags about the security of the smart grid. Some have already poked holes in the grid, including IOActive researcher Mike Davis, who was able to execute buffer overflow attacks and unleash rootkits on smart meters.

Davis found multiple vulnerabilities in smart meters, and pointed out that most of the devices don't use encryption nor do they authenticate users when updating customer software and other operations.

Tony Flick, a smart grid expert with FYRM Associates, at Black Hat USA talked about his worries over utilities "self-policing" their implementations of the security framework. "This is history repeating itself," Flick said in an interview with Dark Reading in July.

The new "Smart Grid Cyber Security Strategy and Requirements" draft (PDF), which is open for comment, covers various potential security issues with the grid, as well as privacy risks of the smart grid.

State utility commissions don't have formal privacy policies or standards for the smart grid, the report says. "Comprehensive and consistent definitions of personally identifiable information (PII) do not typically exist at state utility commissions, at FERC, or within the utility industry," the report says. "The lack of consistent and comprehensive privacy policies, standards, and supporting procedures throughout the states, government agencies, utility companies, and supporting entities that will be involved with Smart Grid management and information collection and use creates a privacy risk that needs to be addressed."

And while most states have general privacy laws, those laws are not applied specifically to the electric utility industry, the report says.

The document calls for power companies to adopt several best practices in order to protect their customers' personally identifiable information, including auditing data access and changes; specifying the purpose for collecting, using, retaining, and sharing PII; collecting only data that's needed; anonymizing data where possible; and keeping it only as long as necessary.

It also spells out how devices in the Advanced Metering Infrastructure (AMI) must set up protections against denial-of-service (DoS) attacks. "For example, network perimeter devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial-of-service attacks," the document says. And the AMI system should use redundancy or excess capacity in order to minimize the impact of a DoS.

AMI components accessible to the public, such as public Web servers, must be located in separate subnetworks with separate physical network interfaces. "The AMI system shall deny network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception)," the report says.
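The two AMI network requirements quoted above (public-facing components on their own subnetwork and physical interface, and deny by default with permits by exception) can be checked mechanically against an inventory and rule list. The following is an added example, not taken from the NIST draft or the article; the component names, addresses, interface names and rule format are all constructed for illustration.

```python
import ipaddress

# Constructed inventory: component, public exposure, subnet, physical interface.
COMPONENTS = [
    {"name": "customer-portal", "public": True,  "subnet": "192.0.2.0/28",   "nic": "eth1"},
    {"name": "ami-headend",     "public": False, "subnet": "10.20.0.0/24",   "nic": "eth0"},
    {"name": "meter-data-mgmt", "public": False, "subnet": "10.20.1.0/24",   "nic": "eth0"},
    {"name": "outage-map",      "public": True,  "subnet": "10.20.1.128/25", "nic": "eth0"},
]

# Constructed policy: a default action plus an ordered list of exceptions.
POLICY = {
    "default": "deny",
    "rules": [
        {"action": "permit", "src": "0.0.0.0/0",    "dst": "192.0.2.0/28", "port": 443},
        {"action": "permit", "src": "192.0.2.0/28", "dst": "10.20.0.0/24", "port": 8443},
        {"action": "permit", "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",    "port": None},
    ],
}

def audit(components, policy):
    """Return a list of findings against the two quoted AMI requirements."""
    findings = []
    # Requirement: deny all, permit by exception.
    if policy["default"] != "deny":
        findings.append("default action is not deny")
    for i, rule in enumerate(policy["rules"]):
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # An any-to-any, any-port permit is not an exception; it undoes the default.
        if (rule["action"] == "permit" and src.prefixlen == 0
                and dst.prefixlen == 0 and rule["port"] is None):
            findings.append(f"rule {i} permits any-to-any, which defeats default deny")
    # Requirement: public components on separate subnetworks and interfaces.
    public = [c for c in components if c["public"]]
    internal = [c for c in components if not c["public"]]
    for p in public:
        p_net = ipaddress.ip_network(p["subnet"])
        for n in internal:
            if p_net.overlaps(ipaddress.ip_network(n["subnet"])):
                findings.append(f"{p['name']} shares address space with {n['name']}")
            if p["nic"] == n["nic"]:
                findings.append(f"{p['name']} shares interface {p['nic']} with {n['name']}")
    return findings

if __name__ == "__main__":
    for finding in audit(COMPONENTS, POLICY):
        print(finding)
```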

The document also recommends that consumers' access to smart grid meters be limited. "Where meters act as home area network gateways for providing energy information to consumers and/or control for demand response programs, will consumers be authenticated to meters? If so, authorization would likely be highly limited. What would the roles be? Authorization and access levels need to be carefully considered, i.e., a consumer capable of supplying energy to the power grid may have different access requirements than one who does not," the document says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
