SAN JOSE -- The nation's smart grid is constantly underthreat of real attack and potentially no amount of investment in securing itwill help, according to a white hat security expert.
Speaking at DESIGN WEST panel on hacking the smart grid,senior research engineer Joe Loomis blasted through the buzz on smart grid andsmarter energy technology, exposing the risks of hacking and full scale cyberwarfare and the crippling effects it could have on national infrastructure.
"It's critical infrastructure and society depends on it,making it a prime target for attack," said Loomis.
Indeed, as smart grid technology develops year by year, sotoo do the opportunities for hackers with malicious intentions on nationalinfrastructure.
Loomis pointed to the recent Stuxnet computer wormdiscovered in June 2010, which took out a large portion of Iran's nuclearcentrifuge control and disrupted the delivery of nuclear fuel with its payload.
That worm, whose origins are still not officially known,exploited multiple zero-day vulnerabilities, said Loomis, spreading quicklyacross the world and even ending up in a few systems in the United States,despite Iran being the clear target.
"What made Stuxnet more scary than anything else is theorder of magnitude of sophistication over everything that came before it," saidLoomis adding that the success of the worm was proof of concept that cyberwarfare was real and dangerous.
"The collateral infections are the scariest part," saidLoomis, claiming that analysis of Stuxnet pointed to it having been developedby more than 40 engineers, though no country or group takes responsibility forit.
A similar worm, DuQu, was discovered more recently inSeptember 2011 and is thought to have been developed the same team that createdStuxnet, though its purpose is apparently different, with DuQu having beendesigned to capture system information and keystrokes which could enable afuture Stuxnet-like attack.
"People are actively pursuing cyber warfare as an attackmethod," said Loomis, pointing out that the smart grid was a prime target forsuch an attack.
"Before, if someone wanted to shut off power to my home, theelectricity company would have to send someone around, physically, to cut meoff. Now, it's all being networked and can be shut off remotely, which createsa dangerous risk," he said.
With $3.4 billion in stimulus funds having been funneledinto smart-grid technologies by the US government, more and more Americanhouseholds and businesses are getting connected up to smart meters, with morethan 60 million predicted to be deployed this year alone.
That's a scary prospect according to Loomis who claims thereare already "multiple credible threats" out there.
"They could turn off our power if they wanted to," he said.
The most difficult thing, said Loomis, was for individualsand firms to evaluate the risks and invest in protection accordingly. "Theseare systems that were never designed to be secured," he said, noting that anyinvestment may also ultimately prove worthless.
"No system is 100% secure," he said. "Given enough time andaccess, you can reverse engineer the whole thing."
Loomis added that even if the country, or individualbusinesses spent a great deal of money to secure the power infrastructure, itwould still be open to compromise, and that it was thus up to every individualto determine how much money they wanted to spend on trying to plug up thesecurity holes.
"I tell clients they should judge it on a case by casesituation," he said, recommending that people lobby for better standards andrepeatedly test their systems for cracks.
"There are plenty of open source tools available that areideal for protocol testing," he said.
This story was originally posted by EETimes.