[tptacek]

It's going to be "custom-everything" for the foreseeable future, since the grid operators want (need) to deploy this stuff in a tower-and-mesh topology. Even if you managed to build a system out of "COTS" technology (say, GSM and IP multicast), you'd still be working with technology that gets virtually no ongoing scrutiny from software security teams.

Unfortunately, I think software security expertise is going to be relegated to nipping at the edges of this problem, which the vendors and grid operators appear to be delegating to the "national labs" like Sandia and Idaho.

[sophacles]

Meshing is the only reasonable way to network the meters and related communications (collectively AMI), but at the substation level (for distribution and transmission networks) you can realistically start using cots. People like Schweitzer who are already entrenched may try to keep the custom everything model, but there are serious efforts to at the very least use a single standard stack. Big pushes for 61850 in the substation and a common wide area solution for utility-utility and utility-reginal coordinator communications are happening right now.

They may be somewhat custom, but they are more cots/standardized than previously. Further there are several FOAs right now that require a built-in security component. These FOAs fund next-gen technology development, so I am not sure how you see this as only an "edge problem".

[tptacek]

The systems I've worked on are all COTS from the tower on back (but then, they're all custom apps back there too, so it's not like there's a lot of safety to be gained from being on an IP network).

But who cares what they're using at the tower? Breaking into the distribution layer is a vanity attack if you can wreak havoc with 100,000 meters.

People who see "security" as a "component" of a software/hardware solution typically don't actually "get it"; these are the people that just can't get their heads around the fact that attackers will rip meters off walls, crack them open, JTAG them up and use them as modems. It always sounds so self-aggrandizing to say this, but you have to do security pervasively, from design to implementation to testing, to make a dent in the problem.

[sophacles]

I think we are speaking past each other. You are talking about the problems that arise from crappy meters. I don't deny this. Further, the security needs in those meters is high. I say this from a consumer protection and a grid protection point of view (as in part of a larger defense in depth framework). And, the meters should be as secure as possible from general principle too.

However, my point is that the doom-and-gloom type scenarios, of "OMG the meters are insecure, now they own the power grid" is not realistic. There are other systems on other networks that can isolate and/or shut down places that have misbehaving meters. This is a result of grid operators being very paranoid about malfunction -- and at the level you are talking about, this looks to the grid like a malfunction. There are billions of dollars of infrastructure to protect, and from that point of view, they have already made some good moves from security standpoint -- a coordinated effort on many levels is required to get the grid to a failure state.

Again, I agree that security must be part of the entire process, however there is the other, equally valid point, which says "at some point, there will be always cheaters, and as a result this must be dealt with in a cost/benefit context". In many ways it could be cheaper to go with a fairly insecure smart-meter and just look for evidence of tampering with statistical comparisons and the occasional man in the field to look for physical evidence of tampering. I think this is particularly notable, as there is no good way to prevent people from getting physical access (security kiss of death) to the meters anyway.

[tptacek]

I don't think we're talking past each other. You and I appear to disagree about the value of a region-wide compromise of smart meters; you point out that at least the grid operator hasn't lost its distribution network when that happens, and I point out "so what? attackers are still randomly cutting off everyone's power!"

The big gap between where you are and where I'm at is that you're operating under the assumption that all the meters do is count stuff. No.