Tuesday, January 31, 2012

Have things improved?

Following my rant last night about the suppression of security tools and vulnerability information, one of my readers brought up a good point. 



sbromberger
@rformer nice article! but perhaps bad assumption that security is better than 3 years ago, esp. for utils who have deployed those meters.
1/30/12 11:06 PM


At first I thought, "Well, YEAH! It HAS improved!" 


But the more I think about it, the more I am aware that I am seeing a fairly narrow slice of the industry as a whole. Because I work for a meter manufacturer, I know what we, our customers, and our suppliers do very well, but I have no insight into what our competitors are up to on security. (Because I am a good boy and don't engage in Industrial Espionage.)


So I put it to you: how do YOU see the state of security in Smart Meters? I already know that security in Smart GRID is in sad shape, so don't lump them together.


What do you KNOW as facts about it? 


What can you INFER about it? 


Please post comments or, if you want to make a longer statement, link to your own blog. I'd also be happy to put your post here with appropriate attribution. 

Monday, January 30, 2012

Security researchers: Spawn of Satan, Necessary Evil, or Security Salvation?

In the power industry, few topics will elicit more passionate opinions than security research. Even among security professionals, opinions range from, "They help us make a better product" to, "They should all be thrown in Guantanamo as a threat to National Security". (People who think like that tend to capitalize National Security. Listen to them, you can hear the caps!)


Recently, a damn good team of researchers developed a toolset to test ANSI C12.18 implementations on smart meters. 18+ months of hard work wrapped up in a nice presentation and ready to go at a major security conference. Naturally, there was some buzz about this. Smart meters are still a hot topic among security people. Word found its way around to an unnamed vendor, and after they had a chance to think about it, they politely asked our intrepid team of researchers to retract their talk and not release the toolkit. Being decent, professional folks, the research team did as they were asked and as a consequence, the free world has not yet collapsed.


So what was accomplished here? This team was actually assisted by some major players in the smart meter universe. Meter manufacturers even. Clearly having this virtual nuclear weapon handed out for free to all the script kiddies and malicious actors in the world doesn't trouble them at all. 


There is a reason why it doesn't trouble most of them.


When smart meters first began to hit the streets, security measures were virtually non-existent. Many meters didn't even require passwords to configure. This is because the manufacturers were focused on getting product out the door. Deliver meters, make money, please the stockholders, keep their jobs. The utilities didn't exactly push for reasonable security measures because they had never needed to look at meters as being remotely accessible. After a short time, the utilities actually started to consider the implications of unsecured meters. As the meters were installed, more and more technologically savvy consumers became aware of them. They started asking some pointed questions, like, "What's to keep someone from turning my meter off?" and, "How could someone use this meter to steal power?"


Consumer questions inevitably led to some basic research into the safety and security of smart meters, and these became serious concerns. The security research (read as "hacker") community brought these concerns to the utility, who then started asking the meter vendors the same questions. The utilities began to make security a requirement and Voilà! Meters became more and more secure. The market solved the problem.


The point here is that without security researchers ASKING these pesky questions, and raising some very public concerns, no one would have thought to make security such a priority. The market wouldn't have demanded it.


Meter vendors have learned some valuable lessons from all of this, and now many of them actually incorporate security research teams as part of their development process. The value of these teams, both internal and 3rd party, has become a part of the marketing story, and hence vital to sales. Supporting security research teams like the folks who TRIED to give us the C12.18 SMACK toolkit is in the best interests of everyone. It is shortsighted at best to try and suppress the results of this work and makes the industry appear backward and secretive.


If your product is incapable of standing up to tools like this, then you need to pull your product OFF the market and rework your design. The rest of us learned this lesson a long time back. Time to get with the program.


Security researchers and tools are not the problem, bad design IS! 


If you can't see the value in good design, "someone" is going to show you. Suppressing tools like this all but guarantees that the "someone" will be a truly malicious actor and not looking out for your, or our, best interests.


Free the SMACK toolkit!