Security in the Smart Grid ecosystem is getting more attention by the day. Although many of the traditional security measures are applicable to the Smart Grid environment, there’s a need for the specific tools to handle emerging security vulnerabilities. This Market Overview will focus on the security vendors in the Smart Grid space. The role of security is evolving gradually in the Smart Grid ecosystem, and therefore our utility as well as non-utility customers are asking about vendors that can provide secure solutions.
The Smart Grid IT market is still emerging and security seems to be a promising component of it. We see four vendor categories when it comes to the security market:
I had the pleasure of attending Open Group Conference Boston just two weeks ago. Historically, this conference aims at bringing enterprise architects together from various industries to talk about important architectural issues. This time around, they dedicated track sessions to the security topic. Among other things, I had an opportunity to record a podcast with Dana Gardner, Gen. Harry Raduege, and Jim Hietala on the topic of cyber security.
Cyber security has gained quite a bit of attention in the past year or so. Although the concept has been discussed for almost a decade, the evolving nature of threats has created lots of buzz recently. There are numerous threat vectors and thus, diverse targets. Increasingly, data espionage, identity theft, cyber attacks on the critical infrastructure, distributed denial of service (DDoS), and advanced persistent threats (APT) are coming to the surface. Public and private sectors alike are concerned about the targeted attacks that are aimed at stealing confidential data, which produces a domino effect and harms companies' brand names and operations.
In the past 18 months we have seen many examples and scenarios that highlight the cyber security discussion. For instance:
Cisco issued a warning that its Network Building Mediator products have multiple vulnerabilities. It’s expected that other products from Richards-Zeta may have security flaws as well. According to the Dark Reading article:
“Cisco warned users of its Network Building Mediator products to patch the vulnerabilities, which could allow access to obtain administrative passwords and read system configuration files, making it possible for hackers to take control of a building's most critical control systems.”
I was just reading the recent Elinor Mills interview with Joe Weiss, and I wanted to share a few of my thoughts on the subject of securing industrial control systems (ICS). Security for industrial control systems is an important topic in the modernization of critical infrastructure components. Sometimes we get too hung up on concepts like Smart Grid, but we forget that we've been dealing with similar systems for some time now. Currently, supervisory control and data acquisition (SCADA) and programmable logic controller (PLC) systems are commonly found in electric, oil, gas, and water environments. Over the years these components have gone through varying degrees of modernization, but they are no less susceptible to security threats than smart meters or grids.
Just this Tuesday, February 16th 2010, the Bipartisan Policy Center hosted a mock cyber attack called Cyber Shockwave. The aim of this simulation was to understand the impacts of a cyber attack and assess infrastructure capability during such an incident. There are many articles explaining the motive and results of this simulation, and the post mortem is still coming as we speak.
So, what did the simulation entail? It depicted a war game taking place in 2011 – basically an application installed on smart phones during ‘March Madness’ that turned out to be malware. This hypothetical malware affected telecom and IT infrastructure throughout the country, with the result actually bringing down the nation’s cellular network... but there is more. According to an article from ‘The Atlantic Wire’:
“Later, two bombs disabled the country's electricity network and destroyed gas pipelines... Soon 60 million cellphones were dead. The Internet crashed, finance and commerce collapsed, and most of the nation's electric grid went dark. White House aides discussed putting the Army in American cities.”
Just this week on Tuesday, NIST published release 1.0 of the smart grid interoperability standards. Most notably, this is the first attempt to address cyber security in smart grid deployments. This release points to various standards that can be used for implementing interoperability and security controls, and it’s fair to say that it plants the seeds for what should become comprehensive, control-driven guidelines for implementing various aspects of smart grid.
The timing of this report is perfect, as current smart grid rollouts are often criticized for lack of proper security controls. Our utility customers have shown similar concern about the lack of planning for information security before the roll out phase. This lack of security and risk management perspective in the smart grid ecosystem can jeopardize the overall objective of these smart energy initiatives, and it’s about time that we devise a game plan going forward.
The NIST publication will be an important piece of work as it brings various standards, bodies, and regulators like IEEE, NERC, and FERC to the table. Note, this is not a control based standard like others published by NIST, but a guideline to other frameworks that should be referenced when working in a smart ecosystem. A more control based work on cyber security in smart grid is in development and the draft of these standards is available for public review.
A few important highlights to pay close attention to in the cyber security sections are:
I just wrapped up the NAC Market Overview and it’s now live. This is the first Forrester NAC market overview and builds on the work I did for the original NAC Wave last year. I must say that the market overview is far less strenuous and we know it delivers almost as much value. It’s fair to say that I enjoyed this research piece, but I still need to gear up for refreshing the Wave next year. Until then, we can share a lot of good stuff about this market overview and I welcome your thoughts on it.
Writing this market overview was a great learning experience. And it’s even better when you can have meaningful conversations around the research. For example, I saw that someone started a discussion about the NAC solutions on LinkedIn’s “Network Security - IPS and NAC” forum. And very timely that someone referenced this market overview in the discussion — good to see readers benefit from these reports.
I attended McAfee’s analyst day at its FOCUS 09 Security Conference last week in Las Vegas. It was interesting to see former Army general and Secretary of State, General Colin Powell, addressing an information security audience. He attended the same university as I did — City College of New York — so I especially enjoyed cheering on a fellow alum. His speech was very relevant to the security arena, as he discussed the danger of vulnerabilities within any information system and the critical need to safeguard against them. Of course, it fit very well with McAfee’s story, as McAfee CEO Dave DeWalt did a good job continuing the military theme. However, I still left with a feeling of wanting more — perhaps expecting McAfee leaders to say something more concrete about what it all means for them. Do they want to help with cybercrime, cybersecurity, and critical information protection? Will they be working more closely with government in information security initiatives?
(On a positive note, Colin Powell became an unexpected customer reference, as he mentioned recently licensing McAfee antivirus for his personal laptop.)
Along with many executive briefings I had with product managers and marketing folks, there were several highlights for me:
Critics of Smart Grid argue that it is not secure enough to be rolled out yet. They may even paint a doomsday picture similar to ‘Die Hard 4’, with hackers breaking into the grid and controlling the nation’s power system. That kind of extreme scenario is shocking — in essence launching a denial of service (DoS) attack that can imperil critical infrastructure. This year’s Black Hat conference plans to showcase similar security threats that can impact smart meters and devices. NIST has put out a 270-page roadmap of Smart Grid standards and protocols that address various aspects of controls, including security. These guidelines can help utility companies, manufacturers, technology vendors, and service integrators to streamline controls when rolling out Smart Grid. However, the implementation of this approach is missing to date.
I attended a Cisco Systems briefing early this week about its Smart Connected Communities initiative. Once again Cisco demonstrated its forward thinking by bringing together various government initiatives under the umbrella of what they call Smart Connected Communities. A Smart Connected Community is built on IP-based infrastructure. This means that all of the critical components of a city infrastructure like utility, transportation, healthcare, commercial buildings, and emergency response systems connect via an IP-based network.
Overall, it was a good update briefing. But I was surprised to hear just how confident Cisco is that securing this networked infrastructure is a no-brainer. When I asked the presenter: “Given that network infrastructure is not nearly as robust and secure in some emerging geographies, how are you planning to ramp up the backbone and make the network secure enough end-to-end to run smart services?”