Existing security standards are fine for IoT gizmos in electrical grids

Putting Internet of Things sensors into electricity distribution grids works just fine - and security is catered for by existing broad standards, Luc Hossenlopp, CTO of Schneider Electric’s energy division, told the Internet of Things World Congress today. Addressing a packed auditorium at the Fira de Barcelona conference …

  1. big_D Silver badge

    The security, per se, isn't the problem. There are enough best practices out there.

    The problem is that small, cheap devices don't get enough funding to implement the security properly and, if problems are found, they don't get fixed, because there is no money in fixing the problems.

    If the devices cost enough that the security was done properly and security issues were addressed and patches sent out in a timely manner, nobody would buy them, because they would be too expensive.

  2. Dan 55 Silver badge

    I'll start writing the disaster movie script now...

    "We are doing IoT since years" (so we must be right because we've been doing it for ages)

    IEC 62351 but "we are introducing dedicated devices within the substation to enhance the cybersecurity that we find" anyway. Just in case. But the standard is great. But just in case...

    Technicians can use their phones to “communicate directly with the [substation control] panel or through the cloud". [Mental image of The Scream/Raiders of the Lost Ark face meltdown goes here.]

    Get it off the Internet. Use your own network, if you must.

    1. Anonymous Coward

      Re: I'll start writing the disaster movie script now...

      > Get it off the Internet. Use your own network, if you must.

      That's not enough. If they can't have airtight security (hint: they can't) the only correct answer is not to do this shit at all.

      If they insist on building a smart grid, I'm going off-grid.

      1. Anonymous Coward

        Re: I'll start writing the disaster movie script now...

        "If they can't have airtight security (hint: they can't) ..."

        I downvoted because of one word, can't. It isn't that they can't, they can, it is that they won't. There is always some tiny saving in time or money that warrants, to that individual or contractor or investor, disabling security, bypassing air gaps, or saying to heck with it all and using the internet or some cheap IoT when something needs attention or upgrading.

        "...in particular the ability to generate and remotely access document sets stretching from a transformer’s installation and commissioning tests right through to precise details of its last maintenance period before it fails,..."

        We've had that ability for more than a generation and it almost never works. Sure, sometimes it gets set up, sometimes contractors can be forced to provide proper documentation, but more often they will walk away from that last 10% payment because, in the words of one contractor, "We never intended to supply that information, it wasn't part of our bid and it would cost far more than 10% to do it now."

        Even when decent documentation is handed over, Maintenance and Operations Departments are always the hardest hit when it comes to budgets. Most decide that RTF is the best course of action, particularly when the equipment is newer. By the time they see the value in proper documentation it is too late. It cannot be recreated, and capital expenses are always more exciting, easier to get and will have more support than operations and maintenance. For the majority wanting capital expense increases, the more costs and failures Operations and Maintenance has the better.

        "This is how we get to that future where a run-of-the-mill DDoS causes the collapse of civilization."

        It does seem that way. The resistance to doing things properly is shocking. We have the potential, we have the capacity, but we do not have the power to overcome money and lazy. Money and Lazy takes the path of least resistance and will break down impedance, cross gaps by induction, and it has the capacity to build up and jump over, by or through anything trying to be insulated from its effects.

        We feel the minor discharges, we can see the corona it creates as it presses on, undermining and degrading our attempts to contain it. It wants to flow freely with no concern for the damage it causes along the way. It is relentless. Struggling against such a force of nature seems doomed to failure.

        Maybe it is best to let it win because if it doesn't win people forget why we bother.

  3. Pascal Monett Silver badge

    "existing security standards are adequate, for now"

    They always are. Right up until the moment they get hauled into a dark alley and beaten to a pulp. That's when we find out they were not sufficient.

    So this guy is basically saying we need to wait until something blows up before worrying. He may be right, he should be an expert, so good.

    Could we have a demonstration of how right he is? Security through obscurity and all that.

  4. cantankerous swineherd

    If matey can access the panel via the cloud, so can anyone else. Especially if they're pointing a gun at the operative's head.

  5. Nate Amsden

    where's the incentive

    I've been saying to folks I know for years that the smart grid scares me due to security issues.

    If we struggle to secure things like banks and payment systems, along with, say, hospitals, how can anyone have faith that the electric industry will fare any better? I don't blame them specifically; it's a cultural issue going all the way back to the architecture of the applications themselves. This applies across industries, though the loss of the power grid due to a bug has a significantly larger impact on human lives than not being able to browse Twitter because Dyn is under attack.

    Here is another article from el reg that talks about this issue

    http://www.theregister.co.uk/2010/07/28/smart_meter_security_risks/

    (A dyn enterprise customer and someone who has worked closely with development on SaaS application stacks for 13 years)

  6. Brian Miller

    DDOS the power grid

    How much of that control traffic goes over the public lines? Even if nobody breaks in, what about the systems that rely on the availability of their connections for management tasks? It's not like a website, where one can keep standing up more servers. Hammering one IP that can't change is going to keep something important offline.

  7. Will Godfrey Silver badge

    Bad news

    The state of the infrastructure is worrying.

    The people's smug confidence is scary!

  8. Anonymous Coward

    This!

    This is how we get to that future where a run-of-the-mill DDoS causes the collapse of civilization.

  9. Anonymous Coward

    Smart meters

    Until they do something about the security of the so called 'smart meters' they will end up without any security on their smart grid.

  10. Chris Miller

    If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.

    Bruce Schneier

    1. You aint sin me, roit

      Brucey Bonus!

      "Rubber-hose cryptanalysis. The cryptanalyst threatens, blackmails or tortures..."

      And when you raise the stakes to the level of a national grid (complete with nuclear reactors) you can bet your life there will be people ready and willing to threaten, blackmail and torture.

  11. paapicholoo

    The Nightmare for internet security

    I heard this was an attack from these IoT devices and checked whether my device was still on my home network via the wireless router. So I have since turned its access to the network off. I am hoping it is disabled. Moreover, I subscribed to PureVPN for tunneling encryption.

  12. M7S

    BBC R4

    On Monday 31/10/16, at 14:15 there's the start of a three part serial called "The Good Listener". This is apparently about GCHQ discovering a "cyber-attack" on the National Grid. This play might have been inspired by fears over funding of Hinkley Point C by other governments or a more general appreciation of security/IOT etc. We'll have to see, but it seems timely given this thread.

    http://www.bbc.co.uk/programmes/b080r364
