Will the Smart Grid exacerbate control system cyber problems?

Much has been written about what makes control systems different than business IT systems. However, the Smart Grid tends to blur these distinctions as control systems are networked using Ethernet and TCP/IP. With all of the money and focus on Smart Grid, particularly cyber security, there is obviously more attention being paid by many new players. One of my pet slides shows the need for more people from the control system community with domain expertise to get involved because the primary influx of “SCADA security” people were from the IT security community. Unfortunately, that has changed for the worse. It was very obvious at the IEEE P2030 meetings in Santa Clara two weeks ago. There were approximately 150 attendees. When we broke into three task groups, I attended the break out on power systems engineering. There were approximately 50 people in the room – 2 utilities, a number of control system vendors and consultants, and another quarter to third of the room who knew nothing about the electric system.

That is not to say the IT community is solely to blame. Jake Brodsky blogged yesterday on the recent announcement by Mike Davis from IO Active concerning cyber vulnerabilities of automated meters they will demonstrate next month at Black Hat 2009. According to Jake, “…the exploits Davis is reported to be using include exploits against memcpy() and strcpy() calls in the embedded code of these devices. I'm no expert at secure programming. However, I have known of the buffer overflow issues with these types of calls for *years*. I think I'm being a realist here. I know there are going to be mistakes; but why can't they be ORIGINAL and UNIQUE? This is brand new territory. We're working with a clean sheet of paper. THERE IS NO EXCUSE FOR THIS KIND OF IGNORANCE AND STUPIDITY!”

This is far from the only case where control system suppliers incorporate known vulnerable technology in field control systems. What will it take to get both sides to work together combining the domain expertise of each?

Joe Weiss
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.

Comments

  • <p> There is enough historical evidence to prove that the IT vs. IACS discussion does not yield any fruitful results. Every time I hear a presenter bringing up the topic how IACS is different from IT, I know positively that I am wasting my time. We have been hearing the same arguments for years, and nothing has changed. It is the wrong discussion. It doesn't take us anywhere, it's like jumping on the spot. </p> <p> We have to face the fact that control system engineers have to carry the burden alone. Let's focus on helping the Jake Brodskys of this world as much as we can, and try to ignore those self-proclaimed IT security experts who present at hacker conferences as some means of low-budget PR as much as possible. </p> <p> Other than that, I must say (from my European perspective) that I am puzzled to see the discussion centering on the electric grid, while the average food plant, automotive supplier, or steel company three miles away might be even more vulnerable than some easy-to-protect electric utility. </p>

    Reply

  • <p> Thanks Ralph for presenting a balanced view without an adgenda! </p> <p>   </p> <p>    </p> <p>   </p>

    Reply

RSS feed for comments on this page | RSS feed for all comments