Denim Group Advises Utility Companies to Plan for Security Threats... Grid Technologies

November 19, 2009 01:30 PM Eastern Time
Denim Group Advises Utility Companies to Plan for Security Threats to Smart
Grid Technologies
Denim Group Lays out Recommendations for Utilities to Protect Ratepayers
from Privacy Invasion and Security Risks via Smart Grid Networks
SAN ANTONIO--(BUSINESS WIRE)--Denim Group, an IT consultancy that
develops secure software and helps organizations assess and mitigate risks with
their existing software, is advising utility companies of significant security and
privacy risks as they transition to smart grid technologies. With advanced meters
and smart grid technologies being deployed, Internet attacks, malware, and
privacy breaches have become a bigger risk if the appropriate defenses are not
engineered into the system from inception. Far-reaching scenarios involving power
to homes being shut down were once remote but have now become feasible.
“It will be difficult to put the genie back in the bottle when smart grid technologies
are deployed,” said John Dickson, Principal of Denim Group. “Advanced meters
are Internet-based network computing devices, with many of the inherent security
challenges of traditional network security. There are significant security and
privacy implications that we hope are being taken into consideration - protecting
these systems shouldn’t be an afterthought. While the cost of prevention is low,
the cost of remediation can be extraordinary. The principles we’ve learned from
designing and building secure systems and software apply to these smart grid
technologies as well and should be rigorously followed.”
“Public Utility Commissions have the unique opportunity to determine the security
and integrity of the security metering system,” added Ravi Sandhu, Executive
Director of The University of Texas at San Antonio’s Institute for Cyber Security.
“Historically, the stand-alone, proprietary nature of the mechanical metering
system provided a level of security but limited options for expanded utility and
flexibility. Networking these systems requires all parties to re-think the security
impact on closed networks and their ecosystems. The integrity of the system
network must be maintained and the privacy of the consumers’ data must remain
confidential.”
Dickson advises utility companies to consider the following key strategies when
deploying smart grid technologies. Dickson has also testified at the Texas Public
Utilities Commission on public grid policies.
1. Don’t take on blind faith what hardware vendors communicate about the
security of their devices. Ask smart grid technologies suppliers rigorous
questions about what 3rd party testing they’ve done.
2. Build an architecture that implements a defense in depth strategy. Avoid
classic single point of failure design flaws that create a “crunchy on the
outside, chewy on the inside” security model.
3. Trust, but verify. Conduct rigorous, recurring 3rd party audits. These audits
should follow an agreed-upon format, and focus on the smart grid system
from the perspective of an attacker. Testing should be driven for purely
compliance purposes, and should emphasize technical aspects throughout.
Finally, as technology evolves, ensure that auditing evolves with it.
4. Conduct detailed threat modeling when new functionality is added to the
system. Threat models should provide system designers feedback to build
more secure systems.
5. Understand the impact of who can access these systems, such as
administrators, auditors, producers, and customers and precisely what
access they have. Put technical controls in place to ensure that these
different players cannot access each other's private data.
Denim Group is currently working with several public and private initiatives to help
certain utility companies address and mitigate vulnerability issues associated with
smart grid and other technologies, and has performed assessments of numerous
public utilities. Service providers are encouraged to implement the
recommendations as early in the design process as possible to have a great
effect on the security of the smart grid.
About Denim Group
Denim Group develops secure software, helps organizations assess and mitigate
risk with existing software, and provides training on best practices in software
security. Denim Group has worked with a range of Fortune 500 companies and
public sector organizations, bringing a focused software development approach to
the world of software security. The Company provides clients with secure .NET
and Java development services and remediates serious software flaws in existing
application portfolios. Denim Group also identifies vulnerabilities and quantifies
risks that vulnerable applications represent through assessments, code reviews,
and application-focused penetration testing. Training complements Denim Group’s
development and testing services by helping organizations build an internal
competency in secure software development and testing through a combined
classroom instruction and e-Learning approach.
Denim Group is a strong contributor to the larger application security community,
and has been involved with the Open Web Application Security Project (OWASP)
since shortly after its inception. Additionally, Denim Group was ranked 1101 in Inc.
Magazine's 5000 Fastest-Growing Private Companies in America in 2008.
Reader Contact Information:
Denim Group, 3463 Magic Drive, Suite 315; San Antonio, TX 78229, Tel: 210-572-4400, Fax: 210-572-4401, www.denimgroup.com, john@denimgroup.com.