Sunday, July 12, 2009

The Easiest Smart Grid Security Question to Answer

In a recent CSO magazine blog post titled "Hacking Power: Feds Promise Smart Grid Security" the author ponders:
... it remains to be seen if the new [NIST and FERC] specifications will be secure enough to stop the bad guys.
I don't want to be rude and mean no offense to the writer of an otherwise reasonable article. Yet though I hold no security patents, nor have ever written more than a few lines of Pascal in college, I nevertheless have plenty of experience to say with certainty:
Nothing remains to be seen. Specifications do not stop determined bad actors, on the Smart Grid or elsewhere.
Yet even more to the point: the question posed is not a useful line of inquiry. A more immediately practical exercise would be built around this idea: Despite the best efforts of standards bodies and technology providers, some, if not many, adversaries will successfully breach different lines of defense built into and around Smart Grid systems. Two questions worth asking, then, are:
  1. How will the Smart Grid react? and,
  2. What kind of experience do we want these attackers to have?
I bet you know the answers already, but mine would likely include the following key words: for 1) "resiliency", "redundancy" ... and for 2) highly "constrained".

No comments: