The world of worms, smart grids and privacy

By Sudha Iyer
As a 21st century civilization, we detected the Influenza A virus and its various strains such as H1N1, H1N2, H3N1, H3N2, and H2N3, and alerted the planet at large to their presence in almost real time. In order to prepare for pandemics or epidemics such as these, I don’t believe we were asked to sacrifice our privacy; instead we were asked to reduce our connectivity, i.e., limit exposure in public situations.
Why then, in the world of technology, and specifically in the “Utility and Energy” sector, would we put the technology cart before the security and privacy horse?
The United States Department of Energy has been working on the Smart Grid concept, design and implementation for a while now. On 18 May 2009, we heard about the set of sixteen standards for the smart grid being a national priority for gaining energy independence, creating jobs and lowering consumer costs for electricity consumption. Clearly, it is a huge undertaking and requires consistent focus and application of our collective effort to succeed. However, looking through a security lens, it continues to amaze me that the energy sector’s CIA pyramid continues to be inverted, i.e., Availability is the most important mission and Confidentiality is the least important. Shouldn’t confidentiality be at the top of the pyramid now that the electric grid breach has been well covered in the media? Some of the issues are:
- There are more layers between the power generator and the end consumer. How is the information protected across the different supply-chain points? Security is only as strong as the weakest link.
- At the end consumer location, how do I ensure that only “authorized” people are able to read my power consumption?
- The SmartMeter program provides web-based account access to the consumer’s power consumption habits, in the hope that looking at the pattern of consumption will help consumers gain control of their use. I guess this is a page out of the online statement access provided by financial services to allow us to gain control over our spending habits. However, what certifications and standards are the authentication, access control and audit services of these systems subject to?
The utility and energy sector companies are subject to compliance with the North American Electric Regulatory Committee (NERC) standards. The protection of the infrastructure is not limited to SCADA systems or the corporate environment or the substation. In reality, we would expect it to be a mix of systems across these boundaries.
But somehow I do not expect the SmartMeter in my home to be part of the CIP program.
The SmartMeter is likely out of scope for the PCI and SOX audits these companies may be subject to, as it does not include credit card information or financial data. However, the surface area of the energy infrastructure could get bigger with the installation of these devices (http://www.privacydigest.com/2009/03/23/electric+power+grid+smart+grid+m...).
Is consumer education the only answer to ensuring that SmartMeters are not infected with viruses or worms, or exposed to unauthorized access and privacy violations? Making the consumer responsible for his choices is a great idea, but this technology is complex. Until the technology and protocols are developed by NIST and EPRI to ensure security is built in, remember: Caveat emptor!