[Cryptography] Smart electricity meters can be dangerously insecure, warns expert

Wed Jan 4 19:51:10 EST 2017

> One skill essential to any good engineer is knowing when you are out of your depth and finding engineering resources with the necessary skills. So in this regard the power guys are likely in better shape than the vast majority of commercial, government and non-profit enterprises, who have few if any traditional engineers on the payroll, and probably none in management. (I’m not counting the IT department, which every enterprise has.) The problem I see is where does our power engineer go to to get reliable advice on a security design? There is so much snake-oil security out there. Vendors have their products to sell, right or wrong, government security agencies want to protect their offensive capabilities, standards bodies are not specialized in computer security and treat it as one more chapter in stove-piped specs. Who would you recommend?
This is a really, really important question.

The software engineering community has generally been very resistant to the kinds of certification programs - and standards and codes - that traditional engineering fields have long relied on to ensure that the errors of yesterday are much less likely to be repeated today.  I don't want to get into that - there are good arguments to be made that software engineering is too young and still growing and changing too rapidly for it to make sense to try to pin things down.

But in the field of security, what we need is a serious "security engineering" program, with certifications and codes and best practices and all that.  I'm *not* talking about pretty much any of the certifications that are out there today.  I've interviewed people with a bunch of security-related acronyms after their names - and their knowledge proved to be quite shallow - they knew the acronyms but not much of what was behind them.  I'm talking about a conjectural program that might include, as one of its core courses, a year-long course based on Ross Anderson's Security Engineering book; and another based on Schnier and Ferguson's Practical Cryptography; and others based on books of similar calibre and depth that probably haven't even been written yet.

Right now, it's not only hard to *find* people with the necessary broad background knowledge on these matters - it's hard to *recognize* them, because there are no degrees or other kinds of certifications that show someone has at least worked through this material.  If you don't already have a good security guy to interview candidates, you have no hope of distinguishing the experts from the expert bullshitters.

Security engineering is still a craft, not a profession.  It's small scale, and there are not enough people in the world to fill the demand.  I see little sign yet that this is changing - even though the demand is high, and people who can actually do this stuff well (justifiably) command high salaries.

                                                        -- Jerry