by tptacek 5797 days ago
The systems I've worked on are all COTS from the tower on back (but then, they're all custom apps back there too, so it's not like there's a lot of safety to be gained from being on an IP network).

But who cares what they're using at the tower? Breaking into the distribution layer is a vanity attack if you can wreak havoc with 100,000 meters.

People who see "security" as a "component" of a software/hardware solution typically don't actually "get it"; these are the people that just can't get their heads around the fact that attackers will rip meters off walls, crack them open, JTAG them up and use them as modems. It always sounds so self-aggrandizing to say this, but you have to do security pervasively, from design to implementation to testing, to make a dent in the problem.


I think we are speaking past each other. You are talking about the problems that arise from crappy meters. I don't deny this. Further, the security needs in those meters are high. I say this from a consumer protection and a grid protection point of view (as in part of a larger defense in depth framework). And, the meters should be as secure as possible from general principle too.

However, my point is that the doom-and-gloom type scenarios, of "OMG the meters are insecure, now they own the power grid," are not realistic. There are other systems on other networks that can isolate and/or shut down places that have misbehaving meters. This is a result of grid operators being very paranoid about malfunction -- and at the level you are talking about, this looks to the grid like a malfunction. There are billions of dollars of infrastructure to protect, and from that point of view, they have already made some good moves from a security standpoint -- a coordinated effort on many levels is required to get the grid to a failure state.

Again, I agree that security must be part of the entire process, however there is the other, equally valid point, which says "at some point, there will always be cheaters, and as a result this must be dealt with in a cost/benefit context". In many ways it could be cheaper to go with a fairly insecure smart-meter and just look for evidence of tampering with statistical comparisons and the occasional man in the field to look for physical evidence of tampering. I think this is particularly notable, as there is no good way to prevent people from getting physical access (security kiss of death) to the meters anyway.
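The "statistical comparisons" approach mentioned in the comment above, as an added illustration that is not part of the thread: two screens a utility back office can run over billing-period readings, an energy-balance check (the transformer's metered supply minus expected technical losses should match the sum of its downstream customer meters) and a per-meter drop-off check (each meter's latest reading against its own earlier history). The readings, loss fraction, tolerances and meter names are all constructed for the example; the output is a shortlist of periods and meters for a field visit, not a verdict.

```python
"""Tamper screening by statistical comparison of meter readings.

Constructed example: an energy-balance check on one distribution
transformer plus a per-meter drop-off check against each meter's own
history. All readings and thresholds below are assumed values.
"""
from statistics import mean, pstdev

# Constructed sample data: kWh delivered by the transformer per billing
# period, and each downstream customer meter's kWh for the same periods.
TRANSFORMER_KWH = [1000.0, 1010.0, 1005.0, 1020.0]

METER_KWH = {
    "meter-A": [300.0, 305.0, 298.0, 310.0],
    "meter-B": [250.0, 248.0, 252.0, 255.0],
    "meter-C": [200.0, 205.0, 203.0, 50.0],   # sharp drop in the last period
    "meter-D": [220.0, 222.0, 225.0, 230.0],
}

EXPECTED_LOSS_FRACTION = 0.03   # assumed technical losses (lines, transformer)
BALANCE_TOLERANCE = 0.02        # assumed acceptable residual, fraction of supply
DROP_ZSCORE = -3.0              # assumed threshold for an anomalous fall in usage


def energy_balance_residuals(transformer_kwh, meter_kwh,
                             loss_fraction=EXPECTED_LOSS_FRACTION):
    """Per-period unaccounted energy as a fraction of transformer supply.

    A positive residual means the customer meters report less energy than
    the transformer delivered (after allowing for technical losses).
    """
    residuals = []
    for period, supplied in enumerate(transformer_kwh):
        metered = sum(series[period] for series in meter_kwh.values())
        expected = supplied * (1.0 - loss_fraction)
        residuals.append((expected - metered) / supplied)
    return residuals


def unbalanced_periods(transformer_kwh, meter_kwh,
                       tolerance=BALANCE_TOLERANCE):
    """Indices of billing periods whose residual exceeds the tolerance."""
    residuals = energy_balance_residuals(transformer_kwh, meter_kwh)
    return [p for p, r in enumerate(residuals) if r > tolerance]


def drop_zscores(meter_kwh, min_history=3, sigma_floor=1.0):
    """Z-score of each meter's latest reading against its earlier readings.

    sigma_floor (assumed) keeps a perfectly flat history from producing a
    division by zero and from flagging trivial changes.
    """
    scores = {}
    for meter, series in meter_kwh.items():
        history, latest = series[:-1], series[-1]
        if len(history) < min_history:
            continue  # not enough history to compare against
        sigma = max(pstdev(history), sigma_floor)
        scores[meter] = (latest - mean(history)) / sigma
    return scores


def suspect_meters(meter_kwh, threshold=DROP_ZSCORE):
    """Meters whose latest reading fell anomalously relative to their past."""
    scores = drop_zscores(meter_kwh)
    return sorted(m for m, z in scores.items() if z <= threshold)


def screen(transformer_kwh, meter_kwh):
    """Combine both checks into a shortlist for a physical inspection."""
    return {
        "unbalanced_periods": unbalanced_periods(transformer_kwh, meter_kwh),
        "suspect_meters": suspect_meters(meter_kwh),
    }


if __name__ == "__main__":
    print(screen(TRANSFORMER_KWH, METER_KWH))
```

The balance check catches energy that is being consumed but not billed even when no single meter looks odd; the per-meter check localises the meter worth inspecting. Both only flag candidates, which is what makes them cheap compared with hardening every meter against someone with a screwdriver.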

I don't think we're talking past each other. You and I appear to disagree about the value of a region-wide compromise of smart meters; you point out that at least the grid operator hasn't lost its distribution network when that happens, and I point out "so what? attackers are still randomly cutting off everyone's power!"

The big gap between where you are and where I'm at is that you're operating under the assumption that all the meters do is count stuff. No.