Category Archives: Smart Grid

IoT World 2017

I have spent the last week in Santa Clara attending the IoT World conference, hoping to see what was new and exciting in the world of IoT. After tracking this sector for a while now, it has been interesting to see all the new platforms (512 and counting) and startups that have popped up.

While I found the keynotes a great window on possible new products from these companies, I did get a sense that security and privacy did not get the air time they deserve. I attended many of the security sessions and, while interesting, they were more focused on product plugs than on real discussion of how to design and build security into a product. The message was "buy my product or platform and you will be secure." That is a scary proposition, especially when vendor-generated standards are used as the guideline for self-assessment. Let's be clear, folks: when it comes to security, vendors have their own best interests at heart, not yours.

I was also troubled by vendors stating that if customers just pay more, they can add security. This is the wrong view from both an executive and a security perspective. The right view, in my humble opinion, should be: here is what we identified as the threat profile for our products and solutions, and here is how we designed security and privacy into our products and services from day one. Oh, and it did not significantly increase the price of the product!

I really wanted to tell some of the top brass that lawyers are attending ISO security standards meetings globally and are planning to use standards such as those produced by ISO/IEC JTC 1/SC 27 and the IEC 62443 series as the baseline for the controls that will be expected in IoT solutions. In the event of a compromise or data breach and the ensuing lawsuit, these same corporations will be held to task on how they meet those requirements and controls. So by all means keep working on your vendor association standards, but realize that the actual yardstick is the ISO/IEC standards.

On the more positive side of the conference, I really liked that NASA is going out of its way to make software freely available to the community. The breadth of expertise that has gone into some of this software is quite remarkable. I was also really impressed with the Samsung Artik hardware and platform and how far it has developed in a short time. It really is making its mark as a contender in the IIoT, smart city and power generation sectors. I even signed up for the developer program and plan to buy some of the dev boards so we can start evaluating this platform for some of our projects. Other notable things were the use of embedded tags and sensors on products, and how to test just about every component being designed and built. If you are in Santa Clara next year, I recommend that you attend the vendor exhibit at next year's show to see all the development and new products. It would have been good to see Apple and other product companies show where they are going in these areas, but I will keep my fingers crossed for next year.


Smart Grid == Cloud Computing

If you read my last post on ICT, you will see how I can make the bold statement that Smart Grid equals Cloud Computing, at least from a cyber security perspective.

Why? Remember that industrial control systems are responsible for facility-type functions in both power generation and distribution, and these same controllers are used in large data centers. With these so-called SCADA controllers becoming IP-centric, they are now a valued target on a network, at least from a hacker's or an espionage perspective.

So you want to make your data center competitor look bad? Don't spend millions on development and new systems to outgun them. Take down their data center and destroy data, and customers will switch, fast. Will they switch over to you? Well, of course, because you realized that these systems were at risk and you deployed the necessary policy, procedure and technology to minimize the risks to the devices. Just make your customers and potential customers aware of this, okay? {BTW, I don't condone nor recommend taking down your competition; it is just to make a point}

You might want to get familiar with the WIB security requirements for process control vendors to understand the minimum requirements for these systems and the questions you need to ask your vendors when you build a data center with industrial controllers. You can still use ISO/IEC 27001 to help define the security controls that are necessary in these operations centers. It will get your IT staff and your facilities teams talking. Is this not a better way to bring your organization together?

Your customers will surely appreciate it.


Don’t think ICT can impact your life?….Think again!

I have just spent the last few days learning just about everything you could possibly ever want to know about cyber security for the smart grid. The one aspect that really hit home was the potential impact of an ICT attack on our daily lives! Okay, what is ICT anyway?

To keep it simple, many operations-based organizations such as power plants, data centers and even prisons use automated controls to perform a function or just to monitor a system. For example, the air conditioning controls for a building use many controllers to monitor temperature and pressure, adjust settings and raise alerts as necessary. This allows the facility to operate without user intervention and without dispatching Bill, the facility manager, every time the water level in the overflow tank gets too high.

Now, the correlation to you and me? Let me provide some scenarios and you'll get the picture.

  1. In the office tower you currently work in, the water system needs to keep the water moving, or bacteria can build up. The potable water lines have a system failure, or the "sensor" that monitors them believes water is flowing when it actually stopped the previous night. Approximately 8 hours elapse before the system is functioning correctly again. No one in building maintenance was alerted, as no alarms were triggered. You come to work in the morning and prepare a pot of water to make some coffee. Guess what? You are drinking water with a very high bacteria content: enough to make you sick, maybe, but it could also lead to more severe symptoms and even a hospital visit. Now imagine this happens to everyone on your floor, or on two or three floors. How effective is your company today? If you are the trading floor of a major banking or investment institution, you have a BIG problem on your hands.
  2. You use cloud9 data centers, and they have a great security policy, ensure backup tapes are created, have biometrics for entry, CCTV, 8 ft fences; well, you get the point. Again, they are dependent on an ICT system to control the facilities side of the operation. If, for example, the temperature rises by about 15 °C over a three-day long weekend, do you think that is a problem? Well, your servers might. CPUs, disks, fans and memory will heat up. This could cause an immediate failure, or damage that leads to failure down the road. Now, if this system is mission critical you have a failover, right? And you have tested your ability to restore lately, right? Remember, it is a long weekend and most of your support staff are at the lake enjoying cool refreshments with friends and family.
  3. City lockup is always a friendly place to hang out; the best elements of society are there, after all. What happens at two AM when the automated door system believes it should be unlocked? Not just the cell doors, but all the facility doors? What would happen then? Typically at this time staff levels are at a minimum, so inmates could easily outnumber the officers on duty and escape. Yes, this is all caught on camera, but there would be a PR nightmare to contend with, and the citizens' belief that the city police force can protect them has just gone out the door.
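Scenarios 1 and 2 fail the same way: a single sensor reading is taken at face value, and the alarm logic only looks at fixed thresholds. The following is an added example (my illustration, not code from the original post or from any vendor's product) that runs three plausibility checks over a constructed trace: a stuck-value check that flags a flow meter whose reading has not changed at all for an hour, a cross-check of the flow meter against the pump run command, and a rate-of-rise temperature alarm that fires well before the absolute high-temperature threshold does. The readings, thresholds and timings are all assumed values chosen to illustrate the point.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Reading:
    t: int            # seconds since the start of the trace
    flow_lpm: float   # flow meter value, litres per minute
    pump_on: bool     # run command the controller sent to the pump
    temp_c: float     # data hall temperature, degrees Celsius


def constructed_trace() -> List[Reading]:
    """Constructed sample data, not a real capture: 10-minute samples over 4 hours.
    Hour 1: pump running, the meter jitters as a live meter does. From t=3600 the
    pump is commanded off for the night but the meter freezes at its last value
    (scenario 1). From t=7200 cooling has failed and the room warms 1.5 C per
    sample (scenario 2)."""
    jitter = [12.1, 12.3, 12.0, 12.2, 12.4, 12.1]
    trace, temp = [], 21.0
    for i in range(25):
        t = i * 600
        pump_on = t < 3600
        flow = jitter[i % len(jitter)] if pump_on else 12.4  # frozen reading
        if t >= 7200:
            temp += 1.5
        trace.append(Reading(t, flow, pump_on, temp))
    return trace


def stuck_value_alarms(readings: List[Reading], window_s: int = 3600) -> List[str]:
    """Alarm when the flow value has been identical for window_s seconds. A meter on
    a live pipe always jitters a little; a perfectly flat trace means the signal is
    frozen (dead sensor, held register, spoofed value). Without this check scenario 1
    stays silent, because a stuck value never crosses a threshold."""
    alarms, since, last, fired = [], readings[0].t, readings[0].flow_lpm, False
    for r in readings[1:]:
        if r.flow_lpm != last:
            since, last, fired = r.t, r.flow_lpm, False
        elif not fired and r.t - since >= window_s:
            alarms.append(f"t={r.t}: flow stuck at {last} lpm for {r.t - since}s")
            fired = True
    return alarms


def pump_flow_mismatch(readings: List[Reading], min_flow_lpm: float = 1.0) -> List[str]:
    """Cross-check two independent signals. Pump commanded off but flow reported means
    the meter is stale or lying; pump on with no flow means a blocked line or a dry
    run. Either way a single sensor cannot be trusted on its own."""
    alarms = []
    for r in readings:
        flowing = r.flow_lpm >= min_flow_lpm
        if r.pump_on and not flowing:
            alarms.append(f"t={r.t}: pump ON but only {r.flow_lpm} lpm")
        if not r.pump_on and flowing:
            alarms.append(f"t={r.t}: pump OFF but {r.flow_lpm} lpm reported")
    return alarms


def first_threshold_alarm(readings: List[Reading], high_c: float = 35.0) -> Optional[int]:
    """Classic high-temperature alarm: fires only once the room is already hot."""
    for r in readings:
        if r.temp_c >= high_c:
            return r.t
    return None


def first_rate_of_rise_alarm(readings: List[Reading], max_rise_c: float = 5.0,
                             window_s: int = 3600) -> Optional[int]:
    """Rate-of-rise alarm: fires when the temperature climbs more than max_rise_c
    within window_s, i.e. while there is still time to act over the long weekend."""
    for i, r in enumerate(readings):
        j = i
        while j > 0 and r.t - readings[j - 1].t <= window_s:
            j -= 1                      # walk back to the oldest sample in the window
        if r.temp_c - readings[j].temp_c > max_rise_c:
            return r.t
    return None


if __name__ == "__main__":
    trace = constructed_trace()
    print(stuck_value_alarms(trace))
    print(pump_flow_mismatch(trace)[:2], "...")
    print("threshold alarm at", first_threshold_alarm(trace),
          "s; rate-of-rise alarm at", first_rate_of_rise_alarm(trace), "s")
```

On this trace the stuck-value check and the pump cross-check both fire at the moment the meter freezes, and the rate-of-rise alarm fires an hour before the 35 °C threshold is reached. The design point is independence: each check uses a signal the others do not, so one failed or spoofed sensor cannot silence all of them.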

Think these short scenarios are science fiction? Sorry, they are not. ICT systems are adding more and more IP-based components, and systems engineers believe they are air-gapped because they have a firewall in front of them. They are not. We are seeing more and more evidence of these types of attacks every day, and the level of sophistication is only increasing. It is only a matter of time before one of these systems experiences a compromise and someone has to deal with it reactively.

If you manage one of these systems, you need to conduct a TRA (threat and risk assessment) now. Stop believing that a firewall allow rule is going to protect you. More importantly, do not assume that your controllers are not accessible from the Internet. If they are IP-based, I guarantee there is a routable path to them.
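One concrete way to test the claim that a firewall "allow" is not isolation is to audit the rule base for any path from address space you do not own into the control network. The following is an added example (my illustration, not code from the original post) that evaluates a first-match rule chain, taking one sample address per allow rule from its overlap with the untrusted address space and running it through the whole chain against hypothetical PLC targets. It does this first for a rule set "as found", where a vendor's remote-support range is allowed straight onto the control VLAN, then for a hardened version where vendor access terminates on a jump host. All networks, addresses, ports and rule names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Evaluate the chain the way a firewall does: the first matching rule wins,
    and a packet that matches nothing hits the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.name, r.action
    return "implicit-deny", "deny"


def untrusted_networks(owned: List[str]) -> List[IPv4Network]:
    """Everything that is not an address range we own. A vendor's public range is
    untrusted here even if we trust the vendor by contract."""
    nets = [ip_network("0.0.0.0/0")]
    for o in owned:
        onet = ip_network(o)
        remaining = []
        for n in nets:
            if onet.subnet_of(n):
                remaining.extend(n.address_exclude(onet))  # carve our range out
            elif not n.subnet_of(onet):
                remaining.append(n)                        # untouched by this range
        nets = remaining
    return nets


def reachable_from_untrusted(rules: List[Rule], untrusted: List[IPv4Network],
                             targets: List[Tuple[str, int]]) -> List[Tuple[str, str, str, int]]:
    """For each allow rule whose source overlaps an untrusted network, pick one address
    from the overlap and run it through the whole chain against each control-system
    target. Running the chain, not just the rule, respects an earlier deny that
    shadows the allow."""
    hits = set()
    for r in rules:
        if r.action != "allow":
            continue
        rsrc = ip_network(r.src)
        for unet in untrusted:
            if not rsrc.overlaps(unet):
                continue
            # overlapping CIDRs nest, so the higher network address lies in both
            sample = str(max(rsrc.network_address, unet.network_address))
            for ip, port in targets:
                name, action = first_match(rules, sample, ip, port)
                if action == "allow":
                    hits.add((name, sample, ip, port))
    return sorted(hits)


# Assumed corporate address space and a hypothetical PLC (Modbus/TCP 502, web UI 80).
OWNED = ["10.0.0.0/8"]
TARGETS = [("10.10.0.20", 502), ("10.10.0.20", 80)]

# "As found": vendor remote support (203.0.113.0/24, a documentation range standing in
# for the vendor's public addresses) is allowed straight onto the control VLAN.
AS_FOUND = [
    Rule("hist-to-plc",    "10.20.0.0/24",   "10.10.0.0/24",  502,  "allow"),
    Rule("vendor-support", "203.0.113.0/24", "10.10.0.0/24",  None, "allow"),
    Rule("any-any-deny",   "0.0.0.0/0",      "0.0.0.0/0",     None, "deny"),
]

# Hardened: vendor access terminates on a jump host in a DMZ, SSH only, and only the
# jump host may speak Modbus to the one PLC it supports.
HARDENED = [
    Rule("hist-to-plc",    "10.20.0.0/24",   "10.10.0.0/24",  502,  "allow"),
    Rule("vendor-to-jump", "203.0.113.0/24", "10.30.0.10/32", 22,   "allow"),
    Rule("jump-to-plc",    "10.30.0.10/32",  "10.10.0.20/32", 502,  "allow"),
    Rule("any-any-deny",   "0.0.0.0/0",      "0.0.0.0/0",     None, "deny"),
]

if __name__ == "__main__":
    for label, rules in (("as found", AS_FOUND), ("hardened", HARDENED)):
        print(label, reachable_from_untrusted(rules, untrusted_networks(OWNED), TARGETS))
```

The "as found" rule base reports two paths from the vendor's range to the PLC (Modbus and the web UI); the hardened one reports none, while the historian's own access is untouched. This audit only reads the filter rules: it does not see NAT, stateful return traffic, VPN concentrators or the routing table, which is where the routable path the post warns about usually hides, so treat it as the first question of a TRA rather than the last.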