SCADA (supervisory control and data acquisition) security and the privacy implications of smart grids were among the wealth of scary discussions to be heard at the Sixth Annual IT Security Entrepreneurs Forum held at Californias Stanford University March 21. The event was hosted by the San Francisco-based Security Innovation Network, an industry advisory group.
SCADA generally refers to industrial security systems that monitor and control industrial, infrastructure, or facility-based processes -- especially in the regulated and super-sensitive data sectors.
When you start thinking about smart grid and what that means to data, it kind of makes your head want to explode, said Mark Weatherford, the Department of Homeland Securitys deputy undersecretary for cyber-security in the national protection and programs directorate, during a panel discussion at the event. It has all kinds of security and privacy implications. If its not done properly and its not done securely, these are things were going to have to live with for a long, long time.
Weatherford spoke during the succinctly titled panel session "Has the Rapid Evolution of the Smart Grid Infrastructure Outpaced Policy, Security Applications and Interoperability Security Standards." The short answer? Yes.
Fellow panel speaker Ernie Hayden, managing principal, energy security, with Verizons global energy and utilities division, shared this nightmare-inducing factoid: 97% of all [electrical] circuit miles wired in the U.S. are not covered by any cyber-security standards.
Add to the mix smart meters in every household, and every endpoint is a new potential threat vector, according to panel speaker Doug Powell, manager, SMI Security, Privacy & Safety, for Canadian utility BC Hydro, who spoke with eWEEK in an exclusive interview following the session.
What makes the discussion compelling for all enterprises is that the issues being faced by utilities in deploying the smart grid are similar to those being faced in enterprises of all stripes as they stare down an influx of mobile devices, multiplying endpoints, increasing security threats and mounting volumes of data. Chiefly:
- How do you manage all those endpoint devices?
- How do you fight sophisticated cyber-criminals?
- How do you protect and process terabytes and petabytes of data to make proactive security and business decisions.
In fact, much like the profligate mobile devices that are found in a typical enterprise, smart meters are just one small piece of a complex system of systems that makes up the smart grid. In fact, the meters themselveswhile a cause for concern when it comes to personal privacyarent the weakest link in the smart grid when it comes to cyber-threats. You cant create real economic harm, you cant shut the grid down through smart meters, said Powell. Meter tampering tends to be small-scale, he noted. Youll see people hack the meters to divert power for things such as growing operations and drug labs.
The critical infrastructure of the smart grid lies in the transmission system, and to get to that, youve got to do a lot of tunneling, Powell told eWEEK. This is where SCADA, or supervisory control and data acquisition, security concerns come into play and, said Powell, where the future view becomes more scary. The Stuxnet attacks are a good harbinger of whats to come, he said.
According to Powell, every utility that forms the overall smart grid is a door into its most vulnerable part.