Wednesday, October 6, 2010

Why the Smart Grid Might Be A Security Disaster

What do a Revolution in Military Affairs and the smart grid have in common? The reason it took 600 years for gunpowder to really change war fighting strategy illustrates the risks inherent in a future smart grid.

Gunpowder, one of mankind's most disruptive innovations, made its European debut in the early part of the 14th century. Up until then, security specialists had a simple and effective strategy — build taller, thicker walls to keep out enemies. An entire economic ecosystem had grown up around this strategy, which was what worked. Visibly. Everywhere. If you could afford it.

Gunpowder changed all that. But it wasn't until the middle of the 20th century that the military strategies of nation states really evolved past the taller, thicker walls approach. That's in part because gunpowder wasn't initially very good and the munitions it made possible weren't very effective. Sure it had the potential to be a problem, but, hey, not in my lifetime — and, oh, by the way — I have this really neat idea for a stronger castle I want to build for you. It didn't help that a good alternative to taller, thicker walls wasn't available. Rule number one for strategic advisors: don't show up with a problem you can't solve.

The same is true today with digital security. We know that cyber warfare and its juvenile training ground, cybercrime, are going to be a major problem, but, hey, we can keep building taller, thicker digital walls — at least for now. But the smart grid will be nearly impossible to build "walls" around. It's too large and complex, and full of inherent problems. (For a deep but very accessible background on why this is the case, I highly recommend reading Melanie Mitchell's Complexity: A Guided Tour.) Most critically, complex systems can exhibit chaotic behavior under a wide range of circumstances, because, in part, they can't be modeled statically. Critical aspects of the grid (smart or otherwise) are always changing — patterns of system load, generating capacity, and transmission line performance all fluctuate continuously and somewhat unpredictably. While we can build and monitor pretty good statistical models for the "normal" behavior of the grid, it's the outliers that eventually get you. And these are, almost by definition, unpredictable. While our control systems can get smarter at dealing with many of these variables, the better they get, the worse they guarantee their eventual failures will be.

From a security perspective, that adds significantly to the challenges. How do we tell the difference between a rare system outlier event and a deliberate attempt to push the grid into instability? How do we design an "immune system" for the smart grid — one that will constantly try to find "pathogens" and create appropriate "antibodies" to deal with them, without taking the system down (with something akin to digital cancer or auto immune disease) or making the cure worse than the disease?

One of our better historic defenses for the grid was separation and dispersal. Lots of little generators and many transmission paths might not be efficient (or at least easy to optimize), but it's a hard design to take down all at once. And many different engineering approaches, implemented in both hardware and software, help protect from a "monoculture" attack where a single vector can infect everything. The smart grid doesn't have to change that, but, in the name of standards and efficiency, it will probably try to.

And then there's the signal-to-noise ratio challenge. If everything signals its condition all the time (which is a prerequisite for the smart grid) you have to sift through a lot of normal data to find the things you need to pay attention to. It's a characteristic of complex interconnected systems that when something critical fails and sends out a warning, it impacts its neighbors pretty fast, so they send out warnings too and before you know it you have a tsunami of warning messages, making it hard to detect the root cause and take appropriate action. Attackers will know this, so triggering false positives can be almost as effective as a real attack — just another kind of denial of service.

Now don't get me wrong. I'm all in favor of asset optimization (I pay too much for utilities just like everyone else) and I see all the potential that the smart grid represents. I'm just a little concerned that the proponents are just another generation of castle builders and there's too much digital gunpowder out there.

John Parkinson is the head of the Global Program Management Office at AXIS Capital. He has been a technology executive, strategist, consultant and author for over 25 years.

SOURCE: Harvard Business Review
