Utilities caught flat-footed in smart-grid security
Just yesterday, I was chatting with one of my ongoing sources about technology trends for 2012. We weren't specifically focused on green technology concerns, but one of the items weighing heavily on his mind was the revelation that smart-grid deployments are pointing up a serious security gap in the industrial systems to control things like water pumps or dams and other utility services.
The supervisory control and data acquisition systems, fondly referred to as SCADA devices, at most of the nation's utility companies wasn't built, frankly, with the Internet in mind. These systems were supposed to live in their own little world, so security wasn't a big concern when many of these technologies were put into place.
The rise of the Stuxnet worm, which specifically focused on compromising SCADA technology, began waking up the world to the dangers of connecting these systems into the smart grid. Some of those vulnerabilities are mentioned on ZDNet's Zero Day security blog. The issue of specific dangers was raised in recent weeks when an apparent breach occurred at an Illinois water utility. Apparently, the incident was a false alarm. At least that is what we are now being told, but it doesn't make us any less vulnerable.
Now Pike Research is predicting a wave of security investments by utility companies specifically focused on industrial control systems. Between 2011 and 2018, more than $4.1 billion will be spent on related security projects, according to Pike Research's report, "Industrial Control Systems Security."
Notes Pike Research analyst Bob Lockhart:
"Many SCADA systems were deployed without security in the belief that SCADA would always be isolated from the Internet. But it's not, and even when it is, attacks such as Stuxnet can circumvent the isolation by using memory sticks to spread."
Lockhart warns that security means different things for the information technology and industrial controls world. Whereas the main foci of IT security solutions are concepts such as privacy or availability, SCADA security also needs to be concerned with reliability, safety and integrity, Lockhart said.