Will the Smart Grid exacerbate control system cyber problems?

June 15, 2009
Much has been written about what makes control systems different from business IT systems. However, the Smart Grid tends to blur these distinctions as control systems are networked using Ethernet and TCP/IP. With all of the money and focus on Smart Grid, particularly cyber security, there is obviously more attention being paid by many new players. One of my pet slides shows the need for more people from the control system community with domain expertise to get involved, because the primary influx of “SCADA security” people came from the IT security community. Unfortunately, that has changed for the worse.

It was very obvious at the IEEE P2030 meetings in Santa Clara two weeks ago. There were approximately 150 attendees. When we broke into three task groups, I attended the breakout on power systems engineering. There were approximately 50 people in the room – 2 utilities, a number of control system vendors and consultants, and another quarter to a third of the room who knew nothing about the electric system.

That is not to say the IT community is solely to blame. Jake Brodsky blogged yesterday on the recent announcement by Mike Davis from IO Active concerning cyber vulnerabilities of automated meters they will demonstrate next month at Black Hat 2009. According to Jake, “…the exploits Davis is reported to be using include exploits against memcpy() and strcpy() calls in the embedded code of these devices. I'm no expert at secure programming. However, I have known of the buffer overflow issues with these types of calls for *years*. I think I'm being a realist here. I know there are going to be mistakes; but why can't they be ORIGINAL and UNIQUE? This is brand new territory. We're working with a clean sheet of paper. THERE IS NO EXCUSE FOR THIS KIND OF IGNORANCE AND STUPIDITY!” This is far from the only case where control system suppliers incorporate known vulnerable technology in field control systems.
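To make the memcpy()/strcpy() point concrete for readers from the power side, here is an added example (not code from the post, from Jake Brodsky, or from any real meter firmware). It assumes a hypothetical meter frame of one length byte followed by an ASCII meter-ID field, and a 32-byte ID buffer; both are constructed for illustration. The first function shows the unbounded copy pattern Brodsky describes; the second validates the wire length against both the bytes actually received and the destination buffer before copying, which is the check the embedded code should have had.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (assumption for this example):
 *   frame[0]      = length of the ID field as claimed by the sender
 *   frame[1..len] = ASCII meter ID
 * METER_ID_MAX is the size of the on-device buffer; 32 is an assumed value. */
#define METER_ID_MAX 32

/* "Before": the pattern Brodsky describes. The length byte from the wire is
 * trusted and the copy is unbounded, so a frame whose field exceeds
 * METER_ID_MAX writes past id[] on the stack. Kept only for comparison;
 * nothing in this file calls it. */
int parse_meter_id_unsafe(const uint8_t *frame, size_t frame_len, char *out)
{
    char id[METER_ID_MAX];
    size_t len = frame[0];
    (void)frame_len;                 /* received length is never consulted */
    memcpy(id, frame + 1, len);      /* no check that len < sizeof id */
    id[len] = '\0';                  /* may also write past the end */
    strcpy(out, id);                 /* unbounded again on the way out */
    return 0;
}

/* "After": every length is checked against the bytes received and against
 * the destination buffer. Returns 0 on success, -1 on a malformed frame,
 * which a deployed device should count, log and drop rather than process. */
int parse_meter_id_safe(const uint8_t *frame, size_t frame_len,
                        char *out, size_t out_len)
{
    if (frame == NULL || out == NULL || frame_len < 1)
        return -1;
    size_t len = frame[0];
    if (len > frame_len - 1)         /* sender claims more than it sent */
        return -1;
    if (len + 1 > out_len)           /* field plus terminator would not fit */
        return -1;
    memcpy(out, frame + 1, len);
    out[len] = '\0';
    return 0;
}

/* Constructed sample frames (not captured from a real meter). */
static const uint8_t FRAME_OK[]   = {8, 'M', 'T', 'R', '-', '0', '0', '0', '1'};
static const uint8_t FRAME_LIAR[] = {200, 'A', 'B'};  /* length byte > bytes received */

/* Parse into a fixed buffer; returns the ID on success, NULL on rejection. */
const char *try_parse(const uint8_t *frame, size_t frame_len)
{
    static char out[METER_ID_MAX];
    return parse_meter_id_safe(frame, frame_len, out, sizeof out) == 0 ? out : NULL;
}

/* A frame that is internally consistent (length byte matches what was sent)
 * but whose field is larger than the device buffer. The unsafe parser would
 * overflow here; the safe one must reject it. Returns 1 if rejected. */
int oversized_frame_rejected(void)
{
    uint8_t frame[1 + METER_ID_MAX + 8];            /* 40-byte field */
    frame[0] = (uint8_t)(sizeof frame - 1);
    memset(frame + 1, 'X', sizeof frame - 1);
    return try_parse(frame, sizeof frame) == NULL;
}

int main(void)
{
    const char *id = try_parse(FRAME_OK, sizeof FRAME_OK);
    printf("well-formed frame : %s\n", id ? id : "rejected");
    printf("lying length byte : %s\n",
           try_parse(FRAME_LIAR, sizeof FRAME_LIAR) ? "accepted" : "rejected");
    printf("oversized field   : %s\n",
           oversized_frame_rejected() ? "rejected" : "ACCEPTED (bug)");
    return 0;
}
```

The defensive version costs two comparisons per field. The same two checks (does the claimed length fit in what was received, and does it fit in where it is going) apply to every length-prefixed field in a meter protocol, not just the ID, and are the kind of review item a control system supplier can apply to existing firmware without redesigning the protocol.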
What will it take to get both sides to work together, combining the domain expertise of each?

Joe Weiss