Distributed energy generation is not a security panacea. All these distributed energy sources will still have to be interconnected so they can back each other up, just as power plants are today. As we know from previous large area blackouts, they can start with a single component failure, and cascade because power systems have to be interconnected.
A lot of smaller energy generation sites actually can create security issues. Because installations are smaller, they may not employ full-time security professionals or have access to the latest knowledge and technology. Consider, for example, that much of our computing power is distributed down to the level of home PCs, and home PCs are very vulnerable to getting taken over by a virus. Why? Because the average home PC owner understands little about security and has little time to do anything about it.
Finally, one of the biggest goals of smart grid technology is to limit the effect of component failures, whether natural or hacked. And yet the article is basically saying that these efforts are doomed to failure, and we must employ other strategies instead.
The Department of Homeland Security (DHS) issued a new cybersecurity alert last week highlighting a flaw in smart grid networking gear from RuggedCom. According to the DHS report [PDF], the vulnerability could be used to decrypt data traffic between a user and a RuggedCom router. The possible result could be a loss of system integrity. In layman’s terms, that means hackers could exploit the vulnerability to access power station communications, and even potentially take control of critical infrastructure systems.
From the DHS alert:
ICS-CERT is aware of a public report of hard-coded RSA SSL private key within RuggedCom’s Rugged Operating System (ROS). The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc… ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risk to these and other cybersecurity attacks.
It was only a couple of weeks ago that I made light of consumer fears that the government will use smart meters to spy on our power usage. However, the truth is that the more our systems are interconnected, the more risk there is that an outside party could hack in with widespread and catastrophic consequences. As anyone in the utility industry will tell you, our power infrastructure has traditionally run on the idea of security through obscurity. As long as no one knows where the weaknesses are, no one can exploit them. However, while that approach may have worked in the past, its level of risk becomes increasingly unacceptable the more our power systems are networked together.
Back in March, former CIA director R. James Woolsey made the point that we should approach the smart grid security challenge from two angles. We should continue to ramp up protective measures, but we should also start to move toward distributed energy generation. The less we have to rely on energy transmission, the less opportunity there is for a systems attack.
In the meantime, consider that the cybersecurity threats we do face are creating a whole new investment market. GTM Research predicts spending on utility cybersecurity solutions will nearly double from $120 million in 2011 to $237.6 million in 2015.
Via Greentech Media
Image credit: RuggedCom
