
Securing the Smart Grid

Next Generation Power Grid Security

  • 1st Edition - September 23, 2010
  • Latest edition
  • Authors: Tony Flick, Justin Morehouse
  • Language: English



Description

Securing the Smart Grid discusses the features of the smart grid, particularly its strengths and weaknesses, to better understand threats and attacks, and to prevent insecure deployments of smart grid technologies. A smart grid is a modernized electric grid that uses information and communications technology to be able to process information, such as the behaviors of suppliers and consumers.

The book discusses different infrastructures in a smart grid, such as the automatic metering infrastructure (AMI). It also discusses the controls that consumers, device manufacturers, and utility companies can use to minimize the risk associated with the smart grid. It explains the smart grid components in detail so readers can understand how the confidentiality, integrity, and availability of these components can be secured or compromised. This book will be a valuable reference for readers who secure the networks of smart grid deployments, as well as consumers who use smart grid devices.

Key features

  • Details how old and new hacking techniques can be used against the grid and how to defend against them
  • Discusses current security initiatives and how they fall short of what is needed
  • Find out how hackers can use the new infrastructure against itself

Readership

Government and private security professionals involved in designing and assessing smart grid technology

Table of contents


Acknowledgments (Tony Flick)

Acknowledgments (Justin Morehouse)

About the Authors

About the Technical Editor

Introduction

Chapter 1 Smart Grid: What Is It?

    A Brief History of Electrical Grids

         What Is an Electric Grid?

         Grid Topologies

         Modernizing the Electric Grids

    What Is Automatic Meter Reading (AMR)?

         AMR Technologies

         AMR Network Topologies

    Future Infrastructure

         Justifications for Smart Grids

    What Is a Smart Grid?

         Components

    What Is AMI?

    International Initiatives

         Australia

         Canada

         China

         Europe

    Why Do We Need to Secure the Smart Grid?

         Smart Grid versus Security

         Mapping Smart Grid Goals to Security

    Summary

    Endnotes

Chapter 2 Threats and Impacts: Consumers

    Consumer Threats

    Naturally Occurring Threats

         Weather and Other Natural Disasters

    Individual and Organizational Threats

         Smart Thieves and Stalkers

         Hackers

         Terrorism

         Government

         Utility Companies

    Impacts on Consumers

         Privacy

    Impacts on Availability

         Personal Availability

         Mobility

         Emergency Services

    Financial Impacts

    Likelihood of Attack

    Summary

    Endnotes

Chapter 3 Threats and Impacts: Utility Companies and Beyond

    Confidentiality

         Consumer Privacy

         Proprietary Information

    Integrity

         Service Fraud

         Sensor Data Manipulation

    Availability

         Consumer Targets

         Organizational Targets

         Vertical Targets

         Market Manipulation

         National Security Target

    Summary

    Endnotes

Chapter 4 Federal Effort to Secure Smart Grids

    U.S. Federal Government

         Energy and Independence Security Act of 2007

         American Recovery and Reinvestment Act of 2009

    DOE

         Legacy Electric Grid Technologies

         Current Smart Grid Technologies

         Lack of Deployment Equals Lack of Risk

    FERC

         Mandatory Reliability Standards

         Smart Grid Policy

    NIST

         NIST SP 1108

         Smart Grid Cyber Security Strategy and Requirements

    DHS NIPP

         Sector-Specific Plans

    Other Applicable Laws

         The Identity Theft Enforcement and Restitution Act of 2008

         Electronic Communications Privacy Act of 1986

         Breach Notification Laws

         Personal Information Protection and Electronic Documents Act

    Sponsoring Security

    Bureaucracy and Politics in Smart Grid Security

    Summary

    Endnotes

Chapter 5 State and Local Security Initiatives

    State Government

         State Laws

    State Regulatory Bodies

         National Association of Regulatory Utility Commissioners

         Colorado PUC

         PUC of Texas

         Planning for the Future

    State Courts

         Colorado Court of Appeals

         Implications

    Promoting Security Education

    Politics and the Smart Grid

    Summary

    Endnotes

Chapter 6 Public and Private Companies

    Industry Plans for Self-Policing

         NERC Critical Infrastructure Protection Standards

    Compliance Versus Security

    How Technology Vendors Can Fill the Gaps

    How Utility Companies Can Fill the Gaps

    Summary

    Endnotes

Chapter 7 Attacking the Utility Companies

    Motivation

         Vulnerability Assessment versus Penetration Test

         Other Aspects of a Security Assessment

    Network Attacks

         Methodologies

    System Attacks

         SCADA

         Legacy Systems

    Application Attacks

         Life-Imitating Art

         Attacking Utility Company Web Applications

         Attacking Compiled Code Applications

    Wireless Attacks

         Wireless Clients

         Wi-Fi

         Bluetooth

         Cellular

    Social Engineering Attacks

         Selecting Targets

    Physical Attacks

         Attacking with a Friend

    Putting It All Together

    Summary

    Endnotes

Chapter 8 Securing the Utility Companies

    Smart Grid Security Program

         ISO/IEC 27000

    Top 12 Technical Practices to Secure the Smart Grid

         Threat Modeling

         Segmentation

         Default Deny Firewall Rules

         Code and Command Signing

         Honeypots

         Encryption

         Vulnerability Management

         Penetration Testing

         Source Code Review

         Configuration Hardening

         Strong Authentication

         Logging and Monitoring

    Summary

    Endnotes

Chapter 9 Third-Party Services

    Service Providers

         Billing

         Consumer Interfaces

         Device Support

    Attacking Consumers

         Functionality Undermines Security

         Microsoft Hohm and Google PowerMeter

         Smart Devices Gone Wild

    Attacking Service Providers

    Securing Third-Party Access to the Smart Grid

         Trust

         Data Access

         Network Access

         Secure Transport

         Assessing the Third Party

         Securing the Third Party

    Summary

    Endnotes

Chapter 10 Mobile Applications and Devices

    Why Mobile Applications?

    Platforms

    Trust

         Trusting Strangers

    Attacks

         Why Attack the Handset?

         SMS

         E-mail

         Malicious Web Sites

         Physical

    Securing Mobile Devices

         Traditional Security Controls

         Secure Syncing

         Disk Encryption

         Screen Lock

         Wiping the Device

         Recovery

         Forensics

         Education

    Secure Mobile Applications

         Mobile Application Security Controls

         Encryption

    Summary

    Endnotes

Chapter 11 Social Networking and the Smart Grid

    The Smart Grid Gets Social

         Twitter

         Facebook

    Social Networking Threats

         Information Disclosure

    Smart Grid Social Networking Security Checklist

         Before You Begin

         Basic Controls

    Summary

    Endnotes

Chapter 12 Attacking Smart Meters

    Open Source Security Testing Methodology Manual (OSSTMM)

         Information Security

         Process Security Testing

         Internet Technology Security Testing

         Communication Security Testing

         Wireless Security Testing

         Physical Security Testing

    NIST Special Publication 800-42: Guideline on Network Security Testing

         Security Testing Techniques

    Summary

    Endnotes

Chapter 13 Attacking Smart Devices

    Selecting a Target Smart Device

    Attacking a Smart Device

         Network Surveying

         Port Scanning

         Services Identification and System Identification

         Vulnerability Research and Verification

         Internet Application Testing

         Password Cracking

         Denial-of-Service Testing

         Exploit Testing

    Summary

    Endnotes

Chapter 14 What’s Next?

    Timeline

    What Should Consumers Expect?

         Smart Devices

         Smart Meters

         Home Area Network

         Electric Vehicles

         Personal Power Plant

         Privacy

    What Should Smart Grid Technology Vendors Expect?

    What Should Utility Companies Expect?

         Reducing Energy Demand to Reduce Costs and Security

         Diagnosing Problems Faster

         Beyond Electricity

         Curiosity Attacks

    What Should Security Professionals Expect and What Do They Predict?

         Security versus Functionality

         Security Devices

         Visions of Gloom and Doom

    Smart Grid Community

         Conferences

         Agencies and Groups

         Blogs, News Web Sites, and RSS Feeds

    Summary

    Endnotes

Index








Review quotes

"The first step in securing the Smart Grid is to fully understand the threat landscape. This book provides both a timely and relevant overview of the subject — a must-read for anyone responsible for securing the grid as well as consumers looking to implement the technology!"— Dr. Patrick Engebretson, Assistant Professor of Computer Security, Dakota State University.

"Easy to read and full of valuable information, this book provides a wide-eyed view of our future and the security challenges we will be facing in our day-to-day lives. Exploring everything from home systems to large-scale power plants, this is a must-read for everyone in our technological society."— Thomas Wilhelm, ISSMP, CISSP, SCSECA, SCNA, SCSA, IEM, IAM

"Overall, Securing the Smart Grid: Next Generation Power Grid Security provides an excellent overview of the state of smart grid technology and its related security, privacy and regulatory issues. The book provides an excellent introduction for anyone looking to understand what smart grid is all about and its security and privacy issues."—Ben Rothke, Slashdot

Product details

  • Edition: 1
  • Latest edition
  • Published: November 3, 2010
  • Language: English

About the authors


Tony Flick

Tony Flick has been working in the Information Security field for more than six years and is currently a Principal with FYRM Associates. Mr. Flick has assisted numerous organizations in achieving compliance with federal regulations and industry standards. His expertise includes risk management and compliance, assessments and audits, and research in emerging technologies. Mr. Flick has presented at Black Hat USA, DEFCON, and the OWASP Tampa local chapter on smart grid and application security concepts. Mr. Flick holds the CISSP certification. Additionally, Mr. Flick earned a Bachelor of Science in Computer Science and a Bachelor of Science in Mathematics.
Affiliations and expertise
Principal, FYRM Associates, Inc., Tampa, FL, USA


Justin Morehouse

Justin Morehouse is an Information Security professional with over 10 years of experience assisting Fortune 100 companies and Federal Government Agencies mature their Information Security programs. Over the past six years Mr. Morehouse has focused on the areas of attack and penetration, performing nearly 200 Security Assessments utilizing both NIST SP800-42’s “Blue Teaming” and “Red Teaming” approaches. Mr. Morehouse is the OWASP Tampa chapter leader and presented at IEEE’s EntNet. Mr. Morehouse holds the following degrees and certifications: CISSP, CISM, MCSE, MSIA, and QSA (Former). He is currently an adjunct professor at DeVry University.
Affiliations and expertise
Senior Information Protection Specialist at one of the nation's largest retailers
