<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CISSP &#124; Information Security Training &#124; CISSP Certification &#124; CISSP Training - Shon Harris&#187; Network Security</title>
	<atom:link href="http://cissp.logicalsecurity.com/category/network-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://cissp.logicalsecurity.com</link>
	<description>CISSP Blog by Shon Harris - CISSP - Information Security Training - CISSP Certification - CISSP Training - Security Training - Logical Security - Shon Harris</description>
	<lastBuildDate>Tue, 13 Dec 2011 21:42:02 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Smart Grid Security Overview</title>
		<link>http://cissp.logicalsecurity.com/network-security/cissp/smart-grid-security-overview/</link>
		<comments>http://cissp.logicalsecurity.com/network-security/cissp/smart-grid-security-overview/#comments</comments>
		<pubDate>Sat, 18 Dec 2010 06:16:58 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IT security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[electrical grid]]></category>
		<category><![CDATA[smart grid]]></category>
		<category><![CDATA[smart grid vulnerability]]></category>
		<category><![CDATA[synchrophasors]]></category>

		<guid isPermaLink="false">http://cissp.logicalsecurity.com/?p=401</guid>
		<description><![CDATA[A “smart grid” refers to the traditional electric power grid updated with modern information technology equipment and knowhow. It is comprised of digitized devices and the industrial facilities in the energy sector that such devices help operate: electrical plants, electrical substations, utility towers, relays, and transformers, nuclear power plants, and oil refineries. A smart grid [...]]]></description>
			<content:encoded><![CDATA[<p>A <strong>“smart grid”</strong> refers to the traditional electric power grid updated with modern information technology equipment and knowhow. It is comprised of digitized devices and the industrial facilities in the energy sector that such devices help operate: electrical plants, electrical substations, utility towers, relays, and transformers, nuclear power plants, and oil refineries.</p>
<p>A smart grid pertains to all the facets of the power grid—generation at power plants, distribution and transmission along electrical lines, and delivery and consumption at the customer homes or businesses of a utility. It features intelligent monitoring of the status and amounts of the electricity flowing throughout the grid. A smart grid employs such devices as sensors, programmable logic controllers, field controllers, distributed control systems, emission controls, intelligent electronic devices, and remote terminal units.</p>
<p>For the consumer, a smart grid typically means, rather like with a person’s Internet provider, a two-way digital interaction between the utility and his home and home appliances. Usually this includes smart meters that allow quick and precise measuring and information sharing about the power and electrical supply. This digitized interaction is supposed to allow easy, real-time adjustment of power, heating, and cooling devices, and appliances. It also raises privacy concerns, as smart meters and other tools could provide a utility, or a malicious observer, with access to much more personal and financial data on a consumer.</p>
<p>A smart grid has various purposes: increase the reliability of power supplies, reduce waste of energy, cut costs, enhance consumer choice and flexibility, and permit the merging into the traditional power grid of alternative energy sources. Smart grids can continuously monitor crucial system components and keep track of energy use. They are supposed to diagnose, and to flexibly and precisely respond to, surges in power demand and other grid variables.</p>
<p>Regional and local utilities manage the U.S. electrical grid. The grid’s thousands of miles of transmission lines, substations, and power generation facilities make up three distinct operating networks in the Western and Eastern states, and in Texas.</p>
<p>Due to growing energy and environmental concerns, smart grids have become a subject of growing interest. The financial resources being invested in them are substantial. A year ago, the size of the U.S. smart grid market was about $21 billion. By 2014, it is estimated it will grow to $43 billion. World-wide, the smart grid market in 2009 was $69 billion. By 2014, fueled by large expenditures in East Asia, it should reach about $170 billion. In the U.S., a chunk of the federal stimulus spending in 2009-10, some $3.4 billion, was directed to investment in, and modernization of, smart grids.</p>
<p>The cyber security market for smart grids is also growing fast, about one-third a year. It is thought security-related expenditures on smart grids will reach $4 billion annually by 2013. Major corporate players in this field include General Electric, IBM, Lockheed, and Raytheon in the U.S., and Toshiba and Kyocera overseas.</p>
<p>Cyber security in infrastructure is also a growing concern, because smart grids have many vulnerabilities. Richard A. Clarke, the former federal National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, has stated that a cyber attack aimed at energy infrastructure “could disable trains all over the country and it could blow up pipelines. It could cause blackouts and damage electrical power grids…It could wipe out and confuse financial records… It could do things like disrupt traffic in urban areas by knocking out control computers. It could…wipe out medical records.&#8221;</p>
<p>An obvious vulnerability is the physical infrastructure of electricity grids. The long stretches of overhead transmission lines could make inviting targets for terrorists. In fact, in recent years, terrorists overseas have launched many attacks against the physical infrastructure of power systems. The placement of lines underground would better protect the lines. At the same time, high construction costs render this option impractical. Video surveillance of transmission lines is expected to play a growing role in protecting these valuable assets.</p>
<p>A growing concern is the threat of cyber attacks on smart electrical grids. This is because smart grids by their very nature are susceptible to hacks and malware. In the past, electrical installations were essentially stand-alone operations separated from the outside world. Today, they are increasingly being hooked up to, and operated by, IT devices connected to the World Wide Web.</p>
<p>The connection to the Internet makes them susceptible to many of the same malicious attacks that regularly occur against computer networks outside the electrical and energy sectors. One example of vulnerability is the intelligent electronic devices that control the circuit breakers in many electrical networks. A hacker could target the sensor and equipment data that such devices receive from computer networks.</p>
<p>A wide range of IT systems and applications in smart grids cries out for better security. Many energy facilities operate old-school mainframe computers running “tried and true” COBOL code that dates from before the Internet. When such systems were built, cyber security was not an issue, and was not incorporated into their design architecture. Therefore security features developed with the Internet in mind have not been incorporated into many of these systems.</p>
<p>Modern IT applications in smart grids are often full of security defects. Web apps, such as online billing applications aimed at providing utility customers more convenience and flexibility, may provide hackers with the account and credit card information of the same clients. Remotely hosted services and applications provided by power and utility companies pose similar risks. The IT departments of such organizations may have insufficient knowledge sets and trained personnel, compared to the IT departments of organizations long accustomed to the Internet, for properly configuring and maintaining the security of server and client-side databases and software.</p>
<p>Modern applications, and smart grids, thrive on vastly greater amounts of data, which poses its own risks. Smart grids employ devices called “<a href="http://www.naspi.org/">synchrophasors</a>,” which measure and stream voltage and other data many times faster than previous devices.  And such data is now “visible” over the Internet. &#8220;We&#8217;re collecting more data at more parts of the grid, in real time. It becomes more complicated to secure,&#8221; noted a NIST security consultant. &#8220;If I&#8217;m able to see that stream and understand what&#8217;s going on,” remarked the consultant, “then I&#8217;m able to remotely monitor how my attack is performing… and see in real time how the attack is working, then optimize it.&#8221;</p>
<p>Another new device that poses potential risks is a recloser. A recloser is an electrical device, placed in substations or atop electrical poles, that permits the flow of electricity. Facilities are outfitting reclosers with Bluetooth to allow maintenance personnel to manipulate the reclosers from afar. But because security has not been designed into recloser architectures, attackers could use Bluetooth to access and illicitly manipulate the devices.</p>
<p>The two-way digital communications that technologically advanced grids provide between energy suppliers and consumers are another reason for concern.  A hacker with a basic knowledge of electronics and a few hundred dollars in hardware could interfere with, and get control over, the smart meters that are essential to managing the two-way interaction. By gaining control over the devices of a large number of consumers, a malicious attack could alter the load balance of a power grid, or shut down power to a large number of users.</p>
<p>The sharp expansion in the installation and use of smart meters underlines this worry. In 2009-2010, the number of smart meters in the U.S. is projected to rise from 14 million to 23 million. In California alone, from 2009 to 2012, the number of smart meters is estimated to rise from about 3 million to close to 10 million.</p>
<p>Theoretical concerns have become practical realities, as a number of exploits involving smart grids and power complexes have taken place. Although gaining relatively little publicity, cyber attacks have already occurred across the world: on sewage treatment plants, natural gas and petroleum pipelines, nuclear power plants, hydroelectric power facilities, and electricity transmission infrastructure.</p>
<p>In 2009, the Wall Street Journal reported that cyber spies from China, Russia, and other nations had used the Internet to map electrical grids in the United States. Moreover, they had left behind software apps on the grids that could be activated later to disrupt parts of the electrical infrastructure. In 2008, the CIA reported, hackers disrupted the power systems of multiple cities in several, unidentified foreign countries.</p>
<p>A notorious attack occurred in Maroochy, Australia in 2000. Using pilfered radio gear, a disgruntled former employee of a water treatment plant wirelessly hacked into the plant’s supervisory control and data acquisition (SCADA) system. Issuing multiple radio commands, the hacker triggered the release of 800,000 liters of untreated sewage into local rivers and parks.</p>
<p>In 2009, in a simulated attack, technicians from the cyber security firm IOActive, Inc. designed a computer worm that could penetrate and infect interactive, wireless meters that make up part of an extensive smart grid. The worm “spread from one meter to another,” noted an IT consultant, “and then it changed the text in the LCD screen to say &#8216;pwned&#8217;.&#8221; Infrastructure security specialist Joe Weiss, formerly a manager with the Electric Power Research Institute, or EPRI, has compiled a database of more than 170 infrastructure cyber incidents.</p>
<p>A wealth of IT security organizations, such as the Computer Emergency Response Team, or CERT, exist. However, there are few organizations that deal with cyber security in electrical and other industrial infrastructure. At the same time, there is a great deal of information readily available on public infrastructure. Terrorists could gain most of the information required to mount an attack on a smart grid from public sources such as industry journals.</p>
<p>“The electric grid is highly dependent on computer-based control systems,” sums up House Committee on Homeland Security chairman Bennie Thompson. “These systems are increasingly connected to open networks such as the internet, exposing them to cyber risks. Any failure of our electric grid, whether intentional or unintentional, would have a significant and potentially devastating impact on our nation.&#8221;</p>
<p>The cyber risks that concern observers include many vulnerabilities that lead to inadvertent mishaps unrelated to malicious hackers or malware. A classic example of this was the 1999 explosion of a pipeline in Bellingham, Washington. There the computer monitoring systems failed to detect the buildup of pressure within the fuel line. The resulting explosion killed three, and the busted line spilled an ocean of gasoline into nearby creeks, resulting in $45 million of damage. A recent example was the highly publicized disruption of suspected nuclear weapons facilities in Iran via the Stuxnet worm, which was specifically designed to penetrate the Windows operating system that runs the computer systems of the nuclear plants in question.</p>
<p>Many inadvertent problems stem from trying to graft traditional IT security solutions onto infrastructure systems for which such solutions weren’t designed. Penetration testing, a standard tool of white hat hackers, has been known to destroy the firmware or disrupt the control systems of infrastructure facilities. Maintenance of anti-virus software on such facilities has disrupted control devices and triggered denials of service. Installation of software patches has prevented shutting off the pumps of water utilities, while software for other infrastructure cannot be patched while the facilities are in operation. Inadvertent incidents have even forced nuclear power plants to fall back on auxiliary power.</p>
<p>These mishaps result in part from the lack of testing of, and experience with, cyber security tools applied to infrastructure systems. At the same time there is often a “culture gap” between the employees of IT shops and those of electrical and other infrastructure facilities. The two sets of personnel are simply not yet used to working together. Another gap exists among the infrastructure industry, the IT sector, and federal government regulators. While representatives of software and computer manufacturing firms are regularly invited to government conferences on cyber security, leaders from the infrastructure sector are usually an afterthought at best or forgotten at worst.</p>
<p>Fortunately, despite the exploits that have occurred, malicious or inadvertent, the cyber threat to the electrical grid and other infrastructure elements is still at its early stages. This fact hopefully will allow companies and government agencies the time to take countermeasures to minimize the threat. Most of the steps that have been proposed mirror those that have been taken to better secure the IT industry against malicious attack.</p>
<p>An important first step is standards. The North American Electric Reliability Corp., or NERC, is a non-profit organization of industry working groups and utilities that formulate some Critical Infrastructure Protection (CIP) standards.  The Federal Energy Regulatory Commission, an independent agency that regulates transmission and transport of electricity and energy commodities, provides oversight for NERC. NERC focuses on ensuring reliability of the power system in the U.S. and Canada. Although the standards are limited, and much else remains to be done, NERC and CIP have served to raise awareness of infrastructure security issues, and have provided the context for an increase in funding to bolster infrastructure cyber security.</p>
<p>The development of effective policy and procedures for infrastructure security is vital. And, as with IT cyber security, risk management will play a key role. Risk management with smart grids has to do with threat assessment, vulnerability detection and identification, risk assessment itself, and drawing up of countermeasures. A realistic assessment of actual risks must be made, with resources apportioned rationally to deal with risks that are most likely and that could cause the most damage.</p>
<p>As a relatively new field, infrastructure cyber security must begin to embed security into its architecture, as part of the design process. Testing of security applications and of grid components must become more comprehensive and more rigorous. Security software and security threats are evolving continuously, and the test regime must change constantly to keep up.</p>
<p>Testing would be more effective and more credible if the infrastructure sector employed independent testing experts from outside the infrastructure realm. This would be particularly true of the testing of smart meters.</p>
<p>As a new field, infrastructure cyber security would benefit from organizational programs to raise security awareness among employees. A natural part of that would be training programs in security.</p>
<p>Further, the government must strive to bring representatives of the electrical and other infrastructure sectors into its conferences on IT security, along with representatives of the IT industry. And within an organization, management must ensure that the IT and infrastructure operations shops, which often work separately and at cross purposes, collaborate in aligning their functions to bring about better security.</p>
<p>In all of these concerns, the role of upper-level management is key. Management must make security for the electrical grid a priority, and ensure that the various divisions of an enterprise make it their priority as well.</p>
<p style="font-size: 12px; color: #224a42; line-height: 20px; padding-top: 5px; padding-right: 20px; padding-bottom: 5px; padding-left: 20px; text-decoration: none; text-align: justify; margin: 0px;"><strong><em>Other Information:</em></strong></p>
<p style="font-size: 12px; color: #224a42; line-height: 20px; padding-top: 5px; padding-right: 20px; padding-bottom: 5px; padding-left: 20px; text-decoration: none; text-align: justify; margin: 0px;"><strong><a style="font-size: 12px; font-family: Verdana, Arial, Helvetica, sans-serif; color: #224a42;" title="CISSP - Certified Information Systems Security Professional" href="http://www.logicalsecurity.com/education/education_courses_cissp.html">Certified Information Systems Security Professional (CISSP)</a></strong></p>
<p style="font-size: 12px; color: #224a42; line-height: 20px; padding-top: 5px; padding-right: 20px; padding-bottom: 5px; padding-left: 20px; text-decoration: none; text-align: justify; margin: 0px;"><a style="font-size: 12px; font-family: Verdana, Arial, Helvetica, sans-serif; color: #224a42;" title="Free CEH online course" href="http://www.logicalsecurity.com/resources/resources_videos.html"><strong>Free CEH online course</strong></a></p>
]]></content:encoded>
			<wfw:commentRss>http://cissp.logicalsecurity.com/network-security/cissp/smart-grid-security-overview/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making the Internet Safer:  Online Resources for Parents and Children</title>
		<link>http://cissp.logicalsecurity.com/network-security/cissp/making-the-internet-safer-online-resources-for-parents-and-children/</link>
		<comments>http://cissp.logicalsecurity.com/network-security/cissp/making-the-internet-safer-online-resources-for-parents-and-children/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 11:11:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Technology Security]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISM]]></category>
		<category><![CDATA[internet safety]]></category>
		<category><![CDATA[logical security]]></category>
		<category><![CDATA[Practices for Safer Computing]]></category>
		<category><![CDATA[shon harris]]></category>
		<category><![CDATA[web safety]]></category>

		<guid isPermaLink="false">http://cissp.logicalsecurity.com/?p=378</guid>
		<description><![CDATA[The online predator, Joel Garcia, finally got what he deserved. The 29-year-old Texan had been communicating online for some time with a 12-year-old.  He had sent the child a number of pornographic images. In other postings he discussed having sex with the child. Finally, he and the child agreed to meet to have sex. When Garcia [...]]]></description>
			<content:encoded><![CDATA[<p><em>The online predator, Joel Garcia, finally got what he deserved. The 29-year-old Texan had been communicating online for some time with a 12-year-old.  He had sent the child a number of pornographic images. In other postings he discussed having sex with the child. Finally, he and the child agreed to meet to have sex. </em></p>
<p><em>When Garcia arrived at the agreed-on place, however, he was met by FBI agents and Corpus Christi police. One official had masqueraded online as the child. In Garcia’s car, investigators found 14 child sex videos, and hundreds of photographs of child pornography. The arrested man was later sentenced to 14 years without parole. </em></p>
<p>The Internet is a great boon for learning, including for children. Yet children, due to their age and trusting nature, are at particular risk from the dangers of the Internet. The World Wide Web poses a great and growing number of risks to children.</p>
<p>Online predators trawl the Web seeking to involve youngsters in inappropriate and illegal sexual relationships. The Internet allows sexual deviants to more easily gain access to information about youths they may be targeting. Such information can include a youth’s email address, web site, birth date and age, photos, family data, other friends, hobbies, and individual likes and dislikes. Based on such information, predators can begin to befriend impressionable youths, perhaps gaining their trust over a long period of time, perhaps through enticements such as the provision of free software games. At the same time, predators can maintain relative anonymity about themselves, or readily post false or misleading information. Once friendship is gained, predators may seek to physically meet their targets, sometimes by sending them money, tickets, or other means to travel to a rendezvous.</p>
<p>Common “hunting grounds” for predators include email, blogs, and social networking sites such as Facebook and MySpace. Another is online chat rooms, which by their nature promote anonymity on the one hand and, on the other, encourage children eager to converse and make friends to let down their defenses. By their very nature, children are vulnerable to predators. Emotionally immature, they crave attention.  They have a natural curiosity, especially about topics that their parents may have declared off limits. They are accustomed to obeying the requests of adults, and are unlikely to suspect that such requests are illegitimate.</p>
<p>The Internet is awash with pornography sites, including children’s porn sites. Predators may seek to photograph or film children and young adults for use by such sites. To gain material for such sites, or for their own illicit purposes, predators may “cyberstalk” children, constantly harassing them, or attempting to gain their trust in online “friendships” leading to destructive real-life encounters.</p>
<p>A great many free online resources are available for parents, children, and other concerned individuals on how to safely and effectively use Internet tools and devices.</p>
<p><em>14-year-old Phil loved his parents’ new laptop, and the Internet, and spent hours on the Web playing games and conversing with friends on Facebook. One week, however, Phil began receiving disturbing messages. A “friend” from middle school posted messages on Phil’s Facebook “wall” using offensive language and made-up slurs. An adult stranger commented weirdly about Phil’s Facebook photos, while requesting Phil’s personal email. Phil was bothered by the messages, and told his mother about it. </em></p>
<p><em>Phil’s mom was herself, for her job as a marketing manager, a practiced user of social networking sites. She got on Facebook with her son, and showed him how to tighten up the security and privacy of his account. Together they changed his privacy settings to allow access to his photos and profile only to certain actual friends and relatives. They blocked messages from the adult stranger. And Phil’s mother stressed to him that he should in the future only accept messages and friend requests from persons and organizations he knew and trusted. </em></p>
<p>One site full of information about the risks the Internet can pose to children, and how to mitigate those risks, is Web Wise Kids, located at: <a href="http://www.webwisekids.org/">http://www.webwisekids.org/</a></p>
<p>Web Wise Kids, sponsored in part by the Department of Justice, is a 501(c)3 non-profit organization that offers informative and easy-to-understand programs for both children and adults on matters such as online predators and stalking, safe blogging and cell phone use, and computer fraud and piracy.</p>
<p>Programs include interactive games where children and teens play detective to “turn the tables” on Internet predators, by investigating and collecting evidence about their illicit use of spyware and counterfeit software.  For parents, instructors, and law enforcement personnel, the Wired with Wisdom program is a user-accessible, online game that explores topics such as chat rooms, personal web sites, and email and social networking.</p>
<p>The federal government provides a number of such resources, in particular free publications from the Federal Trade Commission (FTC). The FTC publications include:</p>
<p><strong><em>Net Cetera: Chatting with Kids about Being Online </em></strong></p>
<p>Helps parents protect their kids and talk to them about living their lives online. Topics covered include: parental controls, protecting the family computer, sexting, social networking sites, and increasing the safety of mobile phones. 56 pages.</p>
<p><strong><em>Social Networking Sites: A Parent&#8217;s Guide</em></strong></p>
<p>Urges parents and kids to talk about the risks involved in using social networking sites. Offers tips for using such sites safely. Helps parents with issues like: keeping information private, how their kids get online, avoiding sex sites, reviewing your children’s friends list, computer privacy settings.</p>
<p><strong><em>Social Networking Sites: Safety Tips for Tweens and Teens</em></strong><em><br />
</em>Deals with such issues as: limiting the posting of personal information such as photographs, street address, and credit card data, being wary of meeting online “friends,” how posted information stays online “forever”. 4 pages.</p>
<p><em>For full article with 7 Practices for Safer Computing please visit <a title="Logical Security Articles" href="http://www.logicalsecurity.com/resources/resources_articles.html">Logical Security Resources</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://cissp.logicalsecurity.com/network-security/cissp/making-the-internet-safer-online-resources-for-parents-and-children/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Information &amp; Event Management Implementation (SIEM)</title>
		<link>http://cissp.logicalsecurity.com/network-security/cissp/siem-security-information-and-event-management-implementation/</link>
		<comments>http://cissp.logicalsecurity.com/network-security/cissp/siem-security-information-and-event-management-implementation/#comments</comments>
		<pubDate>Fri, 27 Aug 2010 11:46:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[event management]]></category>
		<category><![CDATA[security information]]></category>
		<category><![CDATA[shon harris]]></category>
		<category><![CDATA[siem]]></category>
		<category><![CDATA[siem implementation]]></category>

		<guid isPermaLink="false">http://cissp.logicalsecurity.com/?p=220</guid>
		<description><![CDATA[SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances, or managed services and enable companies to respond to attacks faster, log security data and generate compliance reports. In spite of the economic downturn, the Security Information and Event Management marketplace is growing rapidly. There [...]]]></description>
			<content:encoded><![CDATA[<p><strong>SIEM technology</strong><span style="font-weight: normal;"> provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances, or managed services and enable companies to respond to attacks faster, log security data and generate compliance reports. In spite of the economic downturn, the Security Information and Event Management marketplace is growing rapidly. There are several factors driving the rise of the SIEM market: it is ideal for reporting and compliance, exposes internal and external threats, improves operational efficiencies while cutting administrative expenses, and the technology’s flexibility allows it to be used as a managed service.</span></p>
<p>EMC, IBM, Novell, Cisco, CheckPoint, Symantec, CA, Attachmate, Q1Labs, eIQ Networks, SenSage and others all have SIEM products. Because of the technology’s relatively new emergence in the marketplace, there are few publications that address more than one vendor’s product.  SIEM Implementation shows how to implement multiple products, and also discusses the strengths, weaknesses, and advanced tuning of these various systems.  SIEM Implementation covers the gamut of topics a network administrator or security professional needs &#8211; from basic concepts and components to high-level configuration, analysis, interpretation and response.  It aids in the performance of risk analysis, threat detection, threat analysis and threat response for IT systems and businesses of every size.</p>
<p><span style="font-weight: normal;">Written by security and compliance experts and speakers, Security Information and Event Management Implementation shows IT professionals how to effectively implement SIEM in order to efficiently analyze and report data, respond effectively to inside and outside threats, and follow compliance regulations. </span> This book also shows the separate pieces that make up a complete and cohesive SIEM. These pieces are what most small and medium-sized businesses are forced to implement, due to the relatively high cost to acquire, implement, maintain and reap benefits from full-scale SIEM systems. The book teaches the IT professional how to implement a more integrated collection of discrete SIEM pieces, approaching the utility of a full-featured SIEM tool. Further, SIEM Implementation shows readers how to use the SIEM tool to develop business intelligence, beyond the realm of being just a fancy security tool.</p>
<p>SIEM Implementation is a valuable addition to our security plan for 2010.</p>
<p><strong>Key Selling Features</strong></p>
<ul>
<li>Includes a Smartbook – a knowledge base of business use cases: real world examples of business needs that can be satisfied by using a finely tuned SIEM system.</li>
<li>Covers the top SIEM products/vendors: ArcSight, Q1 QRadar, and Cisco MARS</li>
<li>Authors are security, SIEM, and compliance experts who speak around the world, are famous published authors, and have close ties with the government and multiple corporate vendors.</li>
<li>Foreword by Shon Harris</li>
<li>Includes product feature summaries, and analysis and trending examples</li>
<li>Covers regulatory compliance issues</li>
<li>Provides Incident Response solutions</li>
</ul>
<p><strong>Market / Audience</strong></p>
<ul>
<li>Targeted at IT/security professionals and compliance professionals</li>
<li>Fueled originally by stealthy threats such as worms and more recently by compliance, the SIEM market is projected to grow from about $380 million last year to $873 million in 2010, according to research firm IDC.</li>
<li>RSA Security, the security division of EMC, estimates that the SIEM market is expanding at a rate of between 25 percent and 35 percent annually.</li>
</ul>
<p><strong>Author Profiles</strong></p>
<p><strong>David R. Miller</strong> (SME, MCT, MCITPro Windows Server 2008 Enterprise Administrator, MCSE Windows NT 4.0, 2000, and Server 2003:Security, CISSP, LPT, ECSA, CEH, CWNA, CCNA, CNE, Security+, A+, N+). David is an IT security consultant specializing in information systems security, compliance and network engineering. He is a lecturer, an author and technical editor of books, curriculum, certification exams and computer based training videos. He regularly performs as a Microsoft Subject Matter Expert (SME) on product lines including Microsoft Server 2008, Microsoft Exchange Server 2007 and Microsoft Windows Vista.</p>
<p><strong><a title="Shon Harris" href="http://www.logicalsecurity.com/">Shon Harris</a>, <a title="CISSP" href="http://www.logicalsecurity.com/store/vmchk/cissp-all-in-one-exam-guide-fifth-edition.html">CISSP</a>,</strong> is the CEO of Logical Security, a computer security consultant, a former engineer in the Air Force’s Information Warfare unit, an instructor and an author.  She has authored three best selling CISSP books, is a contributing author to the book Gray Hat Hacking, and developed a full digital information security product series for Pearson publishing.  Shon was recognized as one of the top 25 women in the Information Security field by Information Security Magazine.</p>
<p><strong>Allen Harper, CISSP,</strong> is founder and president of N2NetSecurity, Inc., a consulting company specializing in advanced security and vulnerability analysis, penetration testing, SIEM implementation, and compliance. He served as a security engineer in the U.S. Department of Defense, and is a coauthor of <em>Gray Hat Hacking</em>.</p>
<p><strong>Stephen VanDyke, CISSP, BCCPA, BCCPP, MCSA, Security+, Network+, </strong>was a founding member of the U.S. Army Reserve global network Computer Emergency Response Team and helped design and deploy its NetForensics SIEM. He implemented high end, multi-tiered security systems for the Multi-National Force – Iraq (MNFI) network.</p>
<p><strong>Chris Blask</strong>, Vice President of Marketing at AlienVault, is on the faculty at the Institute for Applied Network Security, co-founded Protego Networks (now Cisco MARS) and founded the critical infrastructure cybersecurity company Lofty Perch. Chris invented the BorderWare Firewall Server in the early days of the Internet security market and built the Cisco Systems firewall business.</p>
<p><em><strong>Other Information:</strong></em></p>
<p><strong><a style="font-size: 12px; font-family: Verdana,Arial,Helvetica,sans-serif; color: #224a42;" title="CISSP - Certified Information Systems Security Professional" href="http://www.logicalsecurity.com/education/education_courses_cissp.html">Certified Information Systems Security Professional (CISSP)</a></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://cissp.logicalsecurity.com/network-security/cissp/siem-security-information-and-event-management-implementation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

