Early this week, Wes McGrew a PhD student at Mississippi State (I gave a lecture there last October) helped contribute to the arrest of a hacker who compromised the HVAC system at a Dallas area hospital. Wes has a great story to tell. You can find it at:
http://www.mcgrewsecurity.com/2009/07/02/ghostexodus-part2/
Joe Weiss

Caveat:  Because of the sensitivity of this subject, I had NERC provide comments to this blog.

In the June 22nd issue of InformationWeek, the cover story is cyber security – What’s Your Appetite for Risk?.  The focus was on intentional cyber attacks against the IT infrastructure. I wanted to focus on two charts. The first is What are the Primary Goals of Your Risk Management Initiative?. Just like the NERC CIPs, the top goal was “fulfilling regulatory compliance requirements”. The second chart is What would be the Potential Effects of Attacks?.  Neither safety nor reliability were mentioned.

In a report published June 12th, Register.com's Dan Goodin reports, "The newfangled meters needed to make the smart grid work are built on buggy software that's easily hacked, said Mike Davis, a senior security consultant for IOActive. The vast majority of them use no encryption and ask for no authentication before carrying out sensitive functions such as running software updates and severing customers from the power grid. The vulnerabilities, he said, are ripe for abuse."

Much has been written about what makes control systems different than business IT systems. However, the Smart Grid tends to blur these distinctions as control systems are networked using Ethernet and TCP/IP. With all of the money and focus on Smart Grid, particularly cyber security, there is obviously more attention being paid by many new players. One of my pet slides shows the need for more people from the control system community with domain expertise to get involved because the primary influx of “SCADA security” people were from the IT security community.

We received this press release this morning from GE Energy. While we applaud GE and its customer for being in the forefront of Smart Grid technology, we continue to wonder, reading the release, where the security provisions come in.

GE Helps the United Kingdom Meet its Goal of Placing Smart Grid Technology in Every Home by 2020

Trial Project Brings Together the Technology and Resources of GE Energy and Scottish and Southern Energy for Smart Meter Home Study

I attended the inaugural meetings of IEEE P2030 - Smart Grid, last week in Santa Clara. I had a discussion with a representative from a utility organization. He feels his constituency is too small to be governed by electric industry cyber security standards. He feels they will disconnect if they are mandated to meet these standards. On the other hand, the reason he was in Santa Clara is because his constituency is moving heavily into Smart Grid which requires you to be connected.

In preparing for two webinars I held this week, I ran across two items that just make you hold your breath.

The first was an advertisement for an on-line process controller for water treatment. It stated: “The result is the ability to remotely monitor and control your process from any computer, anywhere in the world, with just a standard web browser.”