Navigant Research Blog

Stuxnet and Smart Grid Cyber Security – Time to get moving

— September 30, 2010

Classic novels range from 30,000 words (Animal Farm) to nearly 600,000 words (War and Peace). That suggests that reports written about Stuxnet in the past three months could make an impressive epic. Much of the writing analyzes the attack itself. But there are other concerns.

The attack has been reverse engineered to a chorus of adulation for its elegance and precision. Terms such as laser-like and weapons-grade are bandied about. But lots of people can write stellar code that is complex and works. Wall Street technologies for stock valuation may dwarf Stuxnet in terms of complexity. Health insurance claim processing is arcane beyond description.

Equally impressive are the non-technical aspects of Stuxnet – understanding the operating culture of utilities, the relative isolation of many ICS consoles, even the self-imposed timing. This was an operation, a mission – not just malicious code set loose.

But here’s a problem. Stuxnet was almost certainly planned and executed by people deep inside the utility industry. Consider:

• The attackers understood well that their target(s) might be unreachable from the Internet, finding USB sticks an easy workaround

• The attackers understood the operations culture at utilities, where IT departments and their endless rules are often held in low regard – especially Cyber Security, which often gets in the way of actually getting anything done.

• Shortly after the SCADASEC listserv began discussing Stuxnet it endured a series of Denial of Service attacks. I speak frequently with Smart Grid Cyber Security experts and about 60% of the people I interview have never heard of SCADASEC. But apparently the attackers had.

While we talk about the “they” who executed Stuxnet, it is more likely one of us. Are the perpetrators of Stuxnet on the SCADASEC mailing list?

Those Denial of Service attacks are troubling. They were remarkably amateurish compared with the sleekness of the rest of the attack. Was that panic that the perfect crime had been uncovered? Was it misdirection to make the attackers look less skilled than they really are? Or perhaps it was an unrelated party simply making an opportunistic attack?

No matter what, it seems we’ve considered nearly every possible attacker except ourselves. As security experts we accept that the most effective attacks upon any system are often from the inside. There’s no reason to think that an attack as complex and focused as Stuxnet would be any different.

Let us consider also recent analysis which suggests that Stuxnet was designed to stop spreading in January, 2009 and may have delivered its payload as early as Spring, 2009. There are two obvious and troubling conclusions:

• Stuxnet was in the wild and executing for well over a year without anyone noticing

• If an attack this complex stopped spreading in January 2009 then it must have been conceived and developed early in 2008, possibly late in 2007.

While we admire the complexity of Stuxnet, let’s step back and realize that this attack is most likely three years old. That is two iterations of Moore’s Law ago. Stuxnet may be the most sophisticated attack we’ve seen so far. But it’s nearly impossible to conclude that an attack written when the BlackBerry Pearl was king is state-of-the-art. The attackers have had an additional three years to hone their craft.

We are quite likely facing attackers on the inside that have a three-year head start on our already helpless defenses. This of course is a worst-case scenario and argues for more urgency in erecting Cyber Security defenses, especially of ICS. As a start, I could suggest two things.

First, IT and Operations should bury the hatchet, accept that they will never be alike, agree to disagree when needed, and start collaborating on ICS defense before the whole discussion is made irrelevant by further attacks.

Second, a fair few Cyber Security vendors – following the money – have equated Smart Grid and Smart Metering. More focus is needed on the ICS side, by vendors and experts who understand the differences between IT networks and control networks. ICS is not as sexy as Smart Metering and does not offer multi-million endpoint deals. But better defenses on the ICS side can help ensure that Smart Meters continue to have something to meter.


E15 Waiver Likely to be Approved, But Not Soon

— September 30, 2010

In March 2009, Growth Energy, a consortium of ethanol producers, petitioned the EPA to allow the mix of ethanol to increase from the current 10% (E10) to 15% (E15). The EPA was to rule on this petition by December 1, 2009, but they delayed the decision until summer 2010. This summer, they again delayed their decision for further testing of more vehicles to ensure that E15 can be used in all engines without damaging them. As it stands at the time I write this, the EPA testing for model years 2001 and later vehicles will be wrapped up in November, and the EPA has stated that they are likely to issue or deny the waiver at that time for those model year vehicles.

Back in 2007, the Renewable Fuel Standard set by the Energy Independence and Security Act required that 36 billion gallons of renewable fuels be used by 2022. To achieve this, ethanol has been pursued as a tool to supply some of these renewable fuels. According to the Renewable Fuels Association (RFA), ethanol production capacity is 13.5 billion gallons, with another 1.2 billion gallons in refining capacity under construction. However, current production is 12.8 billion gallons, so there will be significant over-capacity of almost 2 billion gallons, and producers would like to see the market open for this extra capacity. By shifting to E15 for all vehicles, RFA estimates that ethanol has the potential to replace over 20 billion gallons.

Auto manufacturers, the Outdoor Power Equipment Institute, the Boat Owners Association of the United States, the Motorcycle Industry Council, oil producers, and others have lined up against the change, or at minimum in favor of delaying the decision for more testing. This is not a big surprise, since it is their durability reputation that will ultimately take it on the chin for engine faults if E15 proves to be damaging to vehicles or sets off Service Engine Soon lights. Many environmental groups have also sided against an immediate decision pending further air pollution tests.

The RFA and Growth Energy are against issuing acceptance for specific model years and with good reason. I think they are likely right when they say that only permitting E15 for select model years (2001 and later) will reduce fuel stations that offer it. E15 will require its own distribution separate from gasoline and E10, making distribution more complicated. Additionally, consumer confusion between the pumps will be difficult to get past. The RFA recently had Ricardo conduct a study on older vehicles which “demonstrates for the first time that raising the blend ceiling to E15 is likely to have a negligible impact on vehicles manufactured between 1994 and 2000”, according to Kent Niederhofer, president of Ricardo, Inc.

Where does this leave the issue of E15? The Auto Alliance wants a delayed action until their tests are completed in 2011. There is a lot of unofficial discussion occurring as to how a shift to E15 will impact fuel economy (I have seen estimates of a decrease between 5% and 10%). Some ethanol groups are starting to push for immediate approval of E12 (12% ethanol) as the tests continue. As a result, I would not be surprised to hear, come November, that the EPA will delay a decision again until 2011 without any action on E12. It seems likely that the ethanol producers will ultimately prevail, but whether the waiver will be for all vehicles or just 2001 and later is still very much up in the air.


Getting Real… Smart Meter Interoperability?

— September 28, 2010

There is no shortage of smart metering communications standards, though there is a distinct lack of actual smart meter interoperability. European smart meter standards development was a major topic at the Metering Europe event last week in Vienna, and it seems industry efforts to conform to the European Union’s M/441 mandate for open standards are unlikely to bring much order to the current chaos. Europe’s largest smart meter projects, including those in the UK, France (ERDF), and Spain (Iberdrola), are each effectively defining their own “open” standards. The OPENmeter project, formed and funded to respond to the M/441 mandate, appears to have capitulated by accepting all of these standards (plus some others, including the newly renamed “Meters & More” technology already deployed by Enel in Italy) into their framework. Each project is large enough to induce customized multi-vendor support, but this approach will not create the economies of scale that a small but robust set of standards might offer. Never has the old lament been more apropos: “the great thing about standards is there are so many to choose from”.

So it is notable that a small group of leading European meter makers is making progress toward actually choosing from the standards menu to deliver true multi-vendor interoperability. About a year ago, Iskraemeco, Itron, and Landis+Gyr banded together to form the Interoperable Device Interface Specifications (IDIS) Industry Association, leveraging their existing collaboration with ERDF (an EDF subsidiary) in France. The IDIS Association goal is not to specify yet another set of standards, but rather to “close the gaps” within existing standards implementations for certifiably interoperable smart meters. “IDIS Release 1, package 1”, to be fully published by year end, specifies a specific Power Line Communications (PLC) implementation, list of metering objects, and interface to a PLC data concentrator. A second “package” will define an IPv4 profile and additional interfaces. IDIS compliance requires conformance testing by an independent test lab, and membership requires actual delivery of compliant products.

Interestingly, the first release is focused on rather mature PLC standards, not the latest and greatest technologies being pushed by smart meter vendors. Future releases that will add newer OFDM-based PLC protocols and IPv6 are planned for 2012. And no utilities have publicly announced support for, much less a requirement for, IDIS-compliant devices – not even ERDF who effectively inspired the collaboration. However, judging by the expressions of interest at last week’s event, I expect this effort will be a boon for small-to-medium sized utilities without the clout to attract multiple vendors to their own “standard”. By specifying IDIS-compliant systems, they can get multi-vendor competition and flexibility without having to do months-to-years of vendor cajoling and testing, reducing their overall risks.

What do IDIS vendors get from this? They hope to accelerate and grow the overall market, short-circuiting the “pilot-itis” at each utility that delays production deployment (and hence time-to-revenue) and endlessly consumes precious support resources. They see time as the most important result of “economies of scale”.

Sadly, this is the only true open, multi-vendor interoperability effort we can point to worldwide. The US-based NIST efforts have a considerable way to go to even have a decent communications standards menu to choose off of, and Asian countries are each specifying their own standards with an eye toward giving indigenous suppliers an advantage under the guise of supporting “special local requirements”.

Ultimately, the utilities that make the buying decisions are responsible for what vendors deliver. We’ll see whether European utilities will reward the IDIS vendors for their pioneering efforts.


When Will China Become a Major Player in Solar?

— September 28, 2010

China has long promised to reduce its carbon gas contributions to the atmosphere and greatly increase its use of renewable energy resources including solar. In March of 2009, China introduced a generous but complicated and vaguely defined subsidy for solar installations greater than 50 kW on buildings. Then, in July of last year, China boasted of their 500 MW “Golden Sun” demonstration project that would pay 50% of the cost of building a solar farm and even the distribution infrastructure necessary to deliver the solar-generated power to consumers. Recently, according to a report in March from China’s semi-official Xinhua news agency, the National Development and Reform Commission (NDRC) reported that it recommended increasing the portion of China’s energy consumption from renewable sources to 15% from 9.9% in 2009. Note that China includes nuclear, hydro, wind and other non-fossil fuel sources in RE.

If we time warp to today, however, clearly defined Chinese support of solar for domestic installations is limited to a few regions while vaguely defined “goals” and “plans” and suggestions of an impending nationwide FIT are commonplace. Why would China’s support of solar have declined so dramatically? Could the cost of solar power at $0.22-0.28/kWh vs. coal-fired plant power at $0.04-0.05/kWh have anything to do with China’s reluctance to support solar through incentives? And, now that the capacity of leading low-cost Chinese cell and module manufacturers is sold out for the balance of 2010 and likely into 2011, why would China need to support its domestic solar industry?

Yet with China’s GDP growth outpacing the world, China is now much larger than Japan in GDP and has achieved 3rd place in the world (2nd place if one considers only sovereign countries) in this commonly employed metric of a nation’s economic strength. This is demonstrated in the chart below.

So when will China, reflecting its size and economic strength, become a major consumer of solar power instead of just a major manufacturer of solar power? As shown in our base case forecast of demand in China, we expect China to just breach the 1 GW demand level in approximately mid-2011 and to grow to become a major demand market in 2013.
What do you think? When will China drive beyond ethereal goals and plans and define a concrete, well-defined FIT or other subsidy to support domestic solar projects and to reduce its carbon gas emissions?

