The YourSpace Project

a class blog for Indiana Wesleyan University students

Feds’ Smart Grid Race Leaves Cybersecurity in the Dust

Posted by Russ Ray on November 23, 2009

Hat tip to Threat Level:

President Obama, speaking at Florida Power and Light (FPL) facilities, announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the economic stimulus package.

FPL will receive $200 million to install 2.6 million smart meters and other technologies that promise to reduce energy costs for customers. CenterPoint Energy in Houston, Texas, gets $200 million to install 2.2 million smart meters (.pdf) and more than 550 sensors and automated switches. Baltimore Gas and Electric in Maryland is another $200-million recipient.

Strange, then, that another press release distributed Monday by the Information Trust Institute at the University of Illinois announces a grant of $18.8 million to four academic institutions to fund a five-year research project into securing the power grid. The project is supposed to make certain that the smart meters and other devices implemented by power companies can resist hackers and other attackers.

The only problem is, by the time the research project is completed, most of the nation will have already adopted untested and unsecured technologies.

Earlier this year IOActive, a computer security firm in Washington state, was contracted to examine the security of smart meters deployed by an unnamed utility company in the northwest. Mike Davis, an IOActive security consultant, and his fellow researchers developed a malicious worm that, in a simulated attack, was able to spread from meter to meter to take out power in more than 15,000 homes in 24 hours. Davis says IOActive submitted his findings to the Department of Homeland Security. DHS, in response to a Threat Level FOIA request, said it can’t find the report in its files.

So why would the federal government accelerate the adoption of insecure technologies at the same time it touts cybersecurity as one of the nation’s biggest national security concerns? According to the Department of Energy, the government has the smart-grid security issues under control. Spokeswoman Jen Stutsman said all the entities awarded smart-grid funds under Obama’s $3.4 billion stimulus grant were required to submit a cybersecurity plan with their proposal. “Each application was examined by at least two interoperability and cybersecurity experts, and it was a central component to the selection criteria for each of the awards,” Stutsman said.

According to the grant-proposal requirements, each applicant was required to submit a summary of known cybersecurity risks (.pdf) and explain how the applicant would mitigate them. They also had to identify the cybersecurity criteria they used for selecting vendors and technologies and the cybersecurity standards or best practices they planned to follow. And they had to explain how they would adapt to new standards that might emerge — such as those being developed by the National Institute of Standards and Technology.

The sky isn’t falling… yet.
