New NIST Report Sheds Some Light On Security Of The Smart Grid

First draft of Cyber Security Coordination Task Group report released
A draft report published today by the task group heading up the security strategy and architecture for the nation's smart power grid provided an initial peek at how the grid may be secured.

The Cyber Security Coordination Task Group led by the National Institute of Standards and Technology (NIST) and made up of members of the government, industry, academia, and regulatory bodies, plans to finalize the overall smart grid architecture and security requirements by March of 2010. The initial draft includes risk assessment, security priorities, as well as privacy issues. The task group will publish a second draft in December after addressing the round of comments from this first draft.

The smart grid, which basically makes the electrical power grid a two-way flow of data and electricity, allows consumers to emotely monitor their power usage in real-time in order to help conserve energy and save money. But researchers have raised red flags about the security of the smart grid. Some have already poked holes in the grid, including IOActive researcher Mike Davis, who was able to execute buffer overflow attacks and unleash rootkits on smart meters.

Davis found multiple vulnerabilities in smart meters, and pointed out that most of the devices don't use encryption nor do they authenticate users when updating customer software and other operations.

Tony Flick, a smart grid expert with FYRM Associates, at Black Hat USA talked about his worries over utilities "self-policing" their implementations of the security framework. "This is history repeating itself," Flick said in an interview with Dark Reading in July.

The new "Smart Grid Cyber Security Strategy and Requirements" draft (PDF), which is open for comment, covers various potential security issues with the grid, as well as privacy risks of the smart grid.

State utility commissions don't have formal privacy policies or standards for the smart grid, the report says. "Comprehensive and consistent definitions of personally identifiable information (PII) do not typically exist at state utility commissions, at FERC, or within the utility industry," the report says. "The lack of consistent and comprehensive privacy policies, standards, and supporting procedures throughout the states, government agencies, utility companies, and supporting entities that will be involved with Smart Grid management and information collection and use creates a privacy risk that needs to be addressed."

And while most states have general privacy laws, those laws are not applied specifically to the electric utility industry, the report says.

The document calls for power companies to adopt several best-practices in order to protect their customers' personally identifiable information, including audiding data access and changes; specifying the purpose for collecting, using, retaining, and sharing PII; collecting only data that's needed; anonymize data where possible and keep it only as long as necessary.

It also spells out how devices in the Advanced Metering Infrastructure (AMI) must set up protections against denial-of-service (DoS) attacks. "For example, network perimeter devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial-ofservice attacks," the document says. And the AMI system should use redundancy or excess capacity in order to minimize the impact of a DoS.

AMI components accessible to the public, such as public Web servers, must be located in separate subnetworks with separate physical network interfaces. "The AMI system shall deny network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception)," the report says.

The document also recommends that consumers' access to smart grid meters be limited. "Where meters act as home area network gateways for providing energy information to consumers and/or control for demand response programs, will consumers be authenticated to meters? If so, authorization would likely be highly limited. What would the roles be? Authorization and access levels need to be carefully considered, i.e., a consumer capable of supplying energy to the power grid may have different access requirements than one who does not," the document says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5