SCADA Security: Smart Grid Growing Pains Reflect Broad Enterprise Trends

NEWS ANALYSIS: Utility companies are on the front lines of the "Internet of Things" as they pursue rapid smart grid growth. The resulting exponential increase in data volume--coupled with concerns about end-to-end security for that data--offers a glimpse into the enterprise infrastructure of the future.

SCADA (supervisory control and data acquisition) security and the privacy implications of smart grids were among the wealth of scary discussions to be heard at the Sixth Annual IT Security Entrepreneur€™s Forum held at California€™s Stanford University March 21. The event was hosted by the San Francisco-based Security Innovation Network, an industry advisory group.
SCADA generally refers to industrial security systems that monitor and control industrial, infrastructure, or facility-based processes -- especially in the regulated and super-sensitive data sectors.

€œWhen you start thinking about smart grid and what that means to data, it kind of makes your head want to explode,€ said Mark Weatherford, the Department of Homeland Security€™s deputy undersecretary for cyber-security in the national protection and programs directorate, during a panel discussion at the event. €œIt has all kinds of security and privacy implications. If it€™s not done properly and it€™s not done securely, these are things we€™re going to have to live with for a long, long time.€


Weatherford spoke during the succinctly titled panel session "Has the Rapid Evolution of the Smart Grid Infrastructure Outpaced Policy, Security Applications and Interoperability Security Standards." The short answer? Yes.

Fellow panel speaker Ernie Hayden, managing principal, energy security, with Verizon€™s global energy and utilities division, shared this nightmare-inducing factoid: €œ97% of all [electrical] circuit miles wired in the U.S. are not covered by any cyber-security standards.€

Add to the mix smart meters in every household, and €œevery endpoint is a new potential threat vector,€ according to panel speaker Doug Powell, manager, SMI Security, Privacy & Safety, for Canadian utility BC Hydro, who spoke with eWEEK in an exclusive interview following the session.

What makes the discussion compelling for all enterprises is that the issues being faced by utilities in deploying the smart grid are similar to those being faced in enterprises of all stripes as they stare down an influx of mobile devices, multiplying endpoints, increasing security threats and mounting volumes of data. Chiefly:

  • How do you manage all those endpoint devices?
  • How do you fight sophisticated cyber-criminals?
  • How do you protect and process terabytes and petabytes of data to make proactive security and business decisions.

In fact, much like the profligate mobile devices that are found in a typical enterprise, smart meters are just one small piece of a complex €œsystem of systems€ that makes up the smart grid. In fact, the meters themselves€”while a cause for concern when it comes to personal privacy€”aren€™t the weakest link in the smart grid when it comes to cyber-threats. €œYou can€™t create real economic harm, you can€™t shut the grid down€ through smart meters, said Powell. Meter tampering tends to be small-scale, he noted. €œYou€™ll see people hack the meters to divert power for things such as growing operations and drug labs.€

The critical infrastructure of the smart grid lies in the transmission system, and €œto get to that, you€™ve got to do a lot of tunneling,€ Powell told eWEEK. This is where SCADA, or supervisory control and data acquisition, security concerns come into play and, said Powell, €œwhere the future view becomes more scary.€ The Stuxnet attacks are €œa good harbinger of what€™s to come,€ he said.

According to Powell, every utility that forms the overall smart grid is a door into its most vulnerable part.