Tuesday, January 31, 2012

Have things improved?

Following my rant last night about the suppression of security tools and vulnerability information, one of my readers brought up a good point. 



sbromberger
@rformer nice article! but perhaps bad assumption that security is better than 3 years ago, esp. for utils who have deployed those meters.
1/30/12 11:06 PM


At first I thought, "Well, YEAH! It HAS improved!" 


But the more I think about it, the more I am aware that I am seeing a fairly narrow slice of the industry as a whole. Because I work for a meter manufacturer, I know what we, our customers, and our suppliers do very well, but I have no insight into what our competitors are up to on security. (Because I am a good boy and don't engage in Industrial Espionage.)


So I put it to you: how do YOU see the state of security in Smart Meters? I already know that security in Smart GRID is in sad shape, so don't lump them together.


What do you KNOW as facts about it? 


What can you INFER about it? 


Please post comments or, if you want to make a longer statement, link to your own blog. I'd also be happy to put your post here with appropriate attribution. 

1 comment:

  1. Thanks for highlighting my tweet :) There was too much to fit into 140 characters, though.

    I think that, overall, the meters (NICs) coming off production lines have more security options than the ones that were produced three years ago. However, are the companies who have deployed meters better off? I'd argue that in at least a few cases, the answer is "no". Consider:

    * Organizations with a rapid, massive deployment already have significant investment in older meters that do not have / cannot take advantage of the latest security improvements.

    * Many security improvements require hardware, as opposed to firmware, updates.

    * These organizations are faced with a dilemma: replace all their meters to take advantage of the security improvements, bifurcate their environment into "legacy" (think about the implications of that word on entities like PUCs and other regulatory agencies!) and "secure" parts, or default to common (lowest-security) capabilities. Option 1 is expensive and, if any replacement has already been done (at whose expense?), it becomes an unviable choice. Option 2 is a management (and possibly political) nightmare. Option 3 is easy but less secure.

    Guess which option is most appealing to the beancounters who sold AMI based on cost recovery within the lifespan of the meter?
