I have consistently taken the contrarian position that cloud computing is more secure than in-house deployments. That’s only contrarian in terms of public opinion – to me it makes perfect sense that a cloud service provider will be more attentive to cyber security than a utility. For a cloud provider, cyber security is a core competency. For a utility, it is not.
This week I stumbled upon what I hope will be compelling evidence that cloud computing is secure enough for utilities. Namely: a complete do-it-yourself cybercrime service, which even includes 1 year’s hosting. That means: the criminal activities run in a cloud. And don’t worry, clicking on that link will only take you to a story about the DIY service, not the service itself – so you won’t end up on an FBI watchlist.
Cybercrime marketplaces have been around for years. What strikes me about the current DIY offering is that it includes cloud-based hosting. Now, utilities may have worries about the security of cloud computing, but criminals have much bigger worries. While I would never say that utility control systems are completely defended, there is an awful lot of resiliency built into transmission and distribution networks. Those networks can withstand powerful attacks, as we all learned with the Metcalf Substation Attack in 2013. On the other hand, criminals have to worry about being caught. Not only by law enforcement agencies, but also by other criminals, who typically have a different set of operating principles than law enforcement agencies. So when a cloud is offered as bulletproof to this audience, we may assume that it really is strongly protected.
Good Enough for Crooks
And that’s the crux of the issue: if cloud computing can be made secure enough that criminals will use it, then it can be made strong enough for private industry – which at least has the law on its side. Meanwhile, some of the more recent developments in smart grids, especially data analytics, almost require cloud computing to work. In-house deployments of petabyte- and exabyte-sized databases are impractical, even before wondering where a utility would find qualified staff to maintain those databases.
So could we finally answer the question: Is cloud computing secure enough? If it’s secure enough for criminals to risk their lives and their families’ lives with it, then maybe it will work for utilities too. Just maybe.
I should point out that a number of the links in this blog are the work of Dancho Danchev, one of the best respected security researchers in the industry. He will go where angels (and the rest of us) fear to tread.