[Cryptography] Smart electricity meters can be dangerously insecure, warns expert

Ian G iang at iang.org
Sat Jan 14 16:05:27 EST 2017 


On 04/01/2017 16:41, Arnold Reinhold wrote:
> Late last century I had a gig at Foxboro Corporation, a well-respected manufacturer of industrial instrumentation and control systems. The stuff I was working on was electronic and computer based, but they had been in business since 1908 and had developed many intricate, mechanical and pneumatic sensors and control systems, which they still supported. After the Iran-Iraq war, Foxboro got a flood or orders for the older, non-electronic devices from refineries and chemical plants in the Middle East because they had proved more resilient in war time than the newer electronic systems. We need to heed that lesson in the context of cyberwar.

Were the failures due to electrical failures?  Or was there a specific 
cyber attack element that was taking out the gear?

> More to the point, however:
>
>> So ... I think the power guys are just out of their depths here.  It'll take a while for them to develop the necessary expertise to integrate modern processors properly.
>>                                                 
> One skill essential to any good engineer is knowing when you are out of your depth and finding engineering resources with the necessary skills. So in this regard the power guys are likely in better shape than the vast majority of commercial, government and non-profit enterprises, who have few if any traditional engineers on the payroll, and probably none in management. (I’m not counting the IT department, which every enterprise has.) The problem I see is where does our power engineer go to to get reliable advice on a security design? There is so much snake-oil security out there. Vendors have their products to sell, right or wrong, government security agencies want to protect their offensive capabilities, standards bodies are not specialized in computer security and treat it as one more chapter in stove-piped specs. Who would you recommend?

I recommend the good engineer acquire the necessary skills and do it 
herself.

Because of the issues you (and Peter and Jerry) list, the success rate 
of outsourcing to experts isn't high, so can a good engineer learn 
enough to leap a rather low bar?  Typically, yes.  Is it state of the 
art?  No.  Is state of the art available?  No.

Is the alternate a secure system, or a standards system that delivers 
too late and too little, or nothing?

What's the compromise?  Typically, it takes a couple of good engineers 
to put together a cheap & cheerful security protocol for a narrow use 
case.  Or it takes an industry to make a standard that's over 
generalised and introduces security impedance mismatches so it typically 
can't also ever meet state of the art.  Clear economics point to "do it 
yourself."



iang

More information about the cryptography mailing list