In the power industry, few topics will elicit more passionate opinions than security research. Even among security professionals opinions range from, "They help us make a better product" to, "They should all be thrown in Guantanamo as a threat to National Security". (People who think like that tend to capitalize National Security. Listen to them, you can hear the caps!)
Recently, a damn good team of researchers developed a toolset to test ANSI C12.18 implementations on smart meters. 18+ months of hard work wrapped up in a nice presentation and ready to go at a major security conference. Naturally, there was some buzz about this. Smart meters are still a hot topic among security people. Word found its way around to an unnamed vendor, and after they had a chance to think about it, they politely asked our intrepid team of researchers to retract their talk and not release the tool kit. Being decent, professional folks, the research team did as they were asked and as a consequence, the free world has not yet collapsed.
So what was accomplished here? This team was actually assisted by some major players in the smart meter universe. Meter manufacturers even. Clearly having this virtual nuclear weapon handed out for free to all the script kiddies and malicious actors in the world doesn't trouble them at all.
There is a reason why it doesn't trouble most of them.
When smart meters first began to hit the streets, security measures were virtually non-existent. Many meters didn't even require passwords to configure. This is because the manufacturers were focused on getting product out the door. Deliver meters, make money, please the stockholders, keep their jobs. The utilities didn't exactly push for reasonable security measures because they had never needed to look at meters as being remotely accessible. After a short time, the utilities actually started to consider the implications of unsecured meters. As the meters were installed, more and more technologically savvy consumers became aware of them. They started asking some pointed questions, like, "What's to keep someone from turning my meter off", and, "How could someone use this meter to steal power?"
Consumer questions inevitably led to some basic research into the safety and security of smart meters, and these became serious concerns. The security research (read as "hacker") community brought these concerns to the utility, who then started asking the meter vendors the same questions. The utilities began to make security a requirement and Voilà! Meters became more and more secure. The market solved the problem.
The point here is that without security researchers ASKING these pesky questions, and raising some very public concerns, no one would have thought to make security such a priority. The market wouldn't have demanded it.
Meter vendors have learned some valuable lessons from all of this, and now many of them actually incorporate security research teams as part of their development process. The value of these teams, both internal and 3rd party, has become a part of the marketing story, and hence vital to sales. Supporting security research teams like the folks who TRIED to give us the C12.18 SMACK toolkit is in the best interests of everyone. It is shortsighted at best to try and suppress the results of this work and makes the industry appear backward and secretive.
If your product is incapable of standing up to tools like this, then you need to pull your product OFF the market and rework your design. The rest of us learned this lesson a long time back. Time to get with the program.
Security researchers and tools are not the problem, bad design IS!
If you can't see the value in good design, "someone" is going to show you. Suppressing tools like this all but guarantees that the "someone" will be a truly malicious actor and not looking out for your, or our, best interests.
Free the SMACK toolkit!
It's all very exciting for me, as a customer who will have a "smart meter" installed on his home!
What may have been in that talk? What knowledge is now out there in the universe about how to spank my meter? Who else might have independently arrived at similar capabilities as those in the c12.18 SMACK toolkit?
It's reassuring to me, as a customer, to know that the utility is keeping me unawares of the flaws in their product.
I think you missed the point. One vendor in the smart meter space objected. The rest SUPPORT the work of researchers. The goal here is to have products that reach market with the fewest possible security flaws.
I got the point and agree with it. My fury and sarcasm are directed to the objector.
The only point I wasn't clear on was that it was not a utility, but a meter vendor.
Ah, sorry, my apologies. Curiously, based on what I know, it was NOT a meter vendor that objected. Rather it was a company that makes some non-meter component, like a communications module or something like that, that objected. Beyond not being a meter company, I don't know details.
Dark Reading has an article on this mess.
http://www.darkreading.com/advanced-threats/167901091/security/vulnerabilities/232500808/researchers-postpone-release-of-free-smart-meter-security-testing-tool.html