Securing emerging technologies

A reference in a Team Cymru news alert drew my attention to an interesting media article about the security of smart meters, a fast-moving development which justifies a lot more scrutiny, public debate and policy. 

Smart grids offer huge potential, not only for efficiency improvements, but also for a degree of remote manipulation and misuse. Utilities claim the meters have been extensively security tested, yet many respected security experts point to underlying vulnerabilities. And there are clearly some major governance issues concerning privacy, economics and consumer rights.

New technologies always present such challenges, especially from a security perspective. Firstly, there are insufficient forward-looking, mandatory standards. It’s always been the case. Two decades ago, when I mentioned my concerns about the security of networked SCADA systems to a colleague, he expressed surprise that any external connections were even permitted. I replied that new developments don’t come with rules. Standards emerge long after the problems have surfaced.

Secondly, risk assessments are backward-looking. We haven’t yet experienced a wave of highly publicised attacks on SCADA systems. Realistic assessments won’t reflect long-term developments in the threat landscape, no matter how concerning they might seem. But security risks are constantly rising, often in step changes as new vulnerabilities or offensive techniques emerge.

Thirdly, industrial control systems tend to be designed with reliability or safety in mind, rather than security. Instrumentation systems might address all manner of failure conditions, but they rarely take account of calculated sabotage. I was once asked by a safety authority to design a security box that could guarantee that a hacker wouldn’t get through more than once every one hundred years. That, of course, was to satisfy the demands of a safety calculation. Unfortunately, it’s not the way attackers think or operate.