Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:08 PM
Connect Directly

New NIST Report Sheds Some Light On Security Of The Smart Grid

First draft of Cyber Security Coordination Task Group report released

A draft report published today by the task group heading up the security strategy and architecture for the nation's smart power grid provided an initial peek at how the grid may be secured.

The Cyber Security Coordination Task Group led by the National Institute of Standards and Technology (NIST) and made up of members of the government, industry, academia, and regulatory bodies, plans to finalize the overall smart grid architecture and security requirements by March of 2010. The initial draft includes risk assessment, security priorities, as well as privacy issues. The task group will publish a second draft in December after addressing the round of comments from this first draft.

The smart grid, which basically makes the electrical power grid a two-way flow of data and electricity, allows consumers to emotely monitor their power usage in real-time in order to help conserve energy and save money. But researchers have raised red flags about the security of the smart grid. Some have already poked holes in the grid, including IOActive researcher Mike Davis, who was able to execute buffer overflow attacks and unleash rootkits on smart meters.

Davis found multiple vulnerabilities in smart meters, and pointed out that most of the devices don't use encryption nor do they authenticate users when updating customer software and other operations.

Tony Flick, a smart grid expert with FYRM Associates, at Black Hat USA talked about his worries over utilities "self-policing" their implementations of the security framework. "This is history repeating itself," Flick said in an interview with Dark Reading in July.

The new "Smart Grid Cyber Security Strategy and Requirements" draft (PDF), which is open for comment, covers various potential security issues with the grid, as well as privacy risks of the smart grid.

State utility commissions don't have formal privacy policies or standards for the smart grid, the report says. "Comprehensive and consistent definitions of personally identifiable information (PII) do not typically exist at state utility commissions, at FERC, or within the utility industry," the report says. "The lack of consistent and comprehensive privacy policies, standards, and supporting procedures throughout the states, government agencies, utility companies, and supporting entities that will be involved with Smart Grid management and information collection and use creates a privacy risk that needs to be addressed."

And while most states have general privacy laws, those laws are not applied specifically to the electric utility industry, the report says.

The document calls for power companies to adopt several best-practices in order to protect their customers' personally identifiable information, including audiding data access and changes; specifying the purpose for collecting, using, retaining, and sharing PII; collecting only data that's needed; anonymize data where possible and keep it only as long as necessary.

It also spells out how devices in the Advanced Metering Infrastructure (AMI) must set up protections against denial-of-service (DoS) attacks. "For example, network perimeter devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial-ofservice attacks," the document says. And the AMI system should use redundancy or excess capacity in order to minimize the impact of a DoS.

AMI components accessible to the public, such as public Web servers, must be located in separate subnetworks with separate physical network interfaces. "The AMI system shall deny network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception)," the report says.

The document also recommends that consumers' access to smart grid meters be limited. "Where meters act as home area network gateways for providing energy information to consumers and/or control for demand response programs, will consumers be authenticated to meters? If so, authorization would likely be highly limited. What would the roles be? Authorization and access levels need to be carefully considered, i.e., a consumer capable of supplying energy to the power grid may have different access requirements than one who does not," the document says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-17
Adobe Download Manager versions have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
PUBLISHED: 2019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
PUBLISHED: 2019-10-17
An issue was discovered in Bitdefender BOX firmware versions before that affects the general reliability of the product. Specially crafted packets sent to the miniupnpd implementation in result in the device allocating memory without freeing it later. This behavior can cause the miniupn...
PUBLISHED: 2019-10-17
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
PUBLISHED: 2019-10-17
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.