Thursday, June 16, 2011

Security Testing and the SmartGrid (or why we need to pull the industry's head out of it's butt)

*DISCLAIMER*
I work as the Head of Security Research and Testing for one of the major SmartMeter/AMI vendors, so that will naturally slant my views. Deal with it.


I just love going over security assessments with vendors in the SmartGrid and SmartMeter space. I have been doing this for a few years now and it never fails to amuse me when I get the response, "But, you are not supposed to do that with that interface!" Golly Mr. (or Ms.) Developer Person, you are indeed correct, however security testing is about seeing what I CAN do with an interface, not what I SHOULD do with it. This seems to come as a shock to some folks.

Here is a news flash for hardware, firmware, and software developers in the SG/SM space. Security assessors are coming to mess your stuff up. We will take the fruits of your labors and we will rip them open, probe, prod, shock, dissect, analyze, under-volt, over-volt, glitch, x-ray, de-solder, re-solder, JTAG, ADA-Pro, and generally do rude things to them. We will then write smug reports about how easy it was to break into your stuff.
There are two things you can do here;

  • You can either whine about how hard it is to secure this or that feature and how no one would EVER try that! 
  • You can step up and find ways to plug the many, many holes (sieve like in some cases) so we can retest it prior to going to production installs.


Security, when approached properly, is a matter of balancing risk and mitigation. The power industry is a tricky place to play games with assessing risk however. When a utility make a risk decision, it can impact it's neighbors. When a manufacturer makes a risk decision, it can impact the entire industry. Think about it this way; Widget, Inc decides that incorporating security features in a meaningful fashion into its product has a significantly negative impact on the sales margin for that component (because in a competitive market like this, security never adds to the price, only the cost). Widget's component is installed in a small part of the distribution or transmission grid. M@D_sk11ls_Skr1p7_M@s73r decides, just for LULZ, to attack this component and publish results. Next day the headline reads,

"SMARTGRID HACKED!!! ARMAGEDDON AT HAND!!!"


Of course all vendors, manufacturers, utilities, regulatory bodies, and consultants are now considered Satan's lackeys. All because security features don't increase shareholder value.

There is good news in all this. Equipment manufacturers are stepping up and being responsible (my own employer being one that has been doing this for some time) and implementing Secure Development Lifecycle programs. This is bringing quite a bit of gear under the scrutiny of security researchers and assessors and that is a Very Good Thing (r) in my opinion.

The bottom line? Test your product. Hire an in-house team to do this, and then send it to one of the reputable labs for MORE testing. Find the flaws before you ship because you can be assured that if you don't, someone will. AFTER you ship.

No comments:

Post a Comment