Navigant Research Blog

PlanIT Valley: A Blueprint for the Smart City

— March 30, 2011

New build smart cities are a phenomenon usually associated with Asia or the Middle East. Whether it is a showcase project like Songdo in South Korea or the massive new city development program being driven by the Chinese government, greenfield sites offer a chance to think afresh about how cities are designed, built, and operated. However, one of the most ambitious new city developments is about to begin in northern Portugal. PlanIT Valley is being built on a 1,700 hectare (4,000 acre) plot in the municipality of Paredes near Porto. The project is being driven by Living PlanIT, which is working closely with the Portuguese authorities and partners such as Cisco and Microsoft to develop an ambitious plan for a new type of urban development.

At the heart of the plans for PlanIT Valley is an innovative design approach that will embed smart technology into the fabric of the city, but PlanIT Valley is not just about technical innovation. The smart infrastructure will provide an open platform for the development and deployment of a wide range of new services (and existing services delivered in new ways). Indeed, the core business model for PlanIT Valley provides the partner companies the chance to cooperate on the development of such services in a uniquely collaborative environment.

A major focus for the project is to address the inefficiencies of the traditional construction industry. Existing building design and development techniques and processes are inadequate for today’s technology-rich and environmentally aware requirements. The Living PlanIT founders saw the opportunity to change the fundamental economics of the building process. Taking lessons from other manufacturing industries – including aerospace, automotive, and shipbuilding – they identified a number of core elements that defined the modern manufacturing capability. They are now applying those principles to the construction of PlanIT Valley. By doing so they expect to save 30-40% on traditional building costs, construct buildings 30-50% faster and to a much higher quality, and embed technology into the buildings through modular construction principles. This will also lead to significant savings in operation costs for the buildings based on the use of new materials and designs.

Given the importance of network and sensor technologies to the project, there was also a need for a simple and cost-effective infrastructure that enables easy integration of systems for monitoring and actuating building features and allowing communication between multiple devices and sensors. Living PlanIT acquired its innovative sensor technology from McLaren Electronic Systems, part of the McLaren Group. Based on the electronic control units used in Formula One racing cars, this sensor technology is designed to handle large volumes of critical data in real-time in extreme conditions. The sensor and control technology will be embedded in the Cisco router and IOS software infrastructure to create a high-density network of low-energy and environmentally-hardened sensors, some of which will be embedded in material structures. In total, Living PlanIT expects to have around 100 million sensors (or roughly one per SQ) deployed throughout the city.

The Living PlanIT team includes engineers who were responsible for the development of SOAP, the Microsoft-developed standard for web service integration, and Microsoft’s .NET architecture. They have applied the same principles of easy integration to the PlanIT Valley infrastructure, which allows partners to develop new services and capabilities. For example, PlaceApps allow location-based M2M applications to be built using services that interact with building systems such as lighting or heating controls. Steve Lewis, CEO of Living PlanIT, refers to this as the iPhone model – a common platform that enables new applications to be built and deployed quickly.

There is a huge amount of work to be done before the first residents are housed around the middle of 2012. The speed of development envisaged for the project will itself present an immense challenge in terms of project management, coordination, and integration. However, it is hard not to admire a project that will put a number of smart city promises to a rigorous test. First, it is challenging accepted assumptions on how cities should be designed and constructed. Secondly, it will show what can be done if connectivity and intelligence are built into the design from the beginning. Thirdly, it will be a pilot zone for a whole range of new services and, equally important, new types of collaboration.

The attraction of PlanIT Valley as a model for new cities in Asia, the Middle East, and other regions is obvious. But the innovations it is fostering in construction, urban technology platforms, and service design are also of relevance to developers in Europe and North America involved in urban regeneration. It could well be that some of the most exciting insights from PlanIT Valley will not be about how we build new cities, but how we make old ones fit for the 21st century.

 

Validating Smart Grid Security

— March 23, 2011

Protecting systems from criminal attacks requires testers who think as criminals think. Last week at the European Smart Grid Cyber Security Forum I asked a panel session how they thought this could be accomplished for Smart Grid systems. The panelists offered several approaches to effect criminal mindset testing:

  • Lockheed Martin advocated building cyber labs to allow hackers and super-hackers to come in and try to break things.
  • ZigBee suggested that a criminal mindset is not necessarily required. Many good penetration testers succeed because of their tenacity and persistence in finding faults before the products are released to the public.
  • The European Network and Information Security Agency (ENISA) reminded us that because many grids are linked, security within a single company or country may not be enough, as has been seen in the telecommunications industry. The U.S. Information Sharing and Analysis Centers (ISACs) provide one example in which competitors share vulnerabilities and alert each other to current or potential attacks.
  • There was a consensus that hacking or penetration testing is best done by third parties that are external to the environment, as they will be more likely to take unique approaches, not having been involved in product development. Also, third parties have less personally at stake if they should discover new product vulnerabilities.

One audience member suggested offering a bounty for any vulnerabilities found. A panelist replied that it would be just as easy (and likely less expensive) to simply state publicly, “We think this is unbreakable,” and let it be proved otherwise. This would be done while the product is in development, not after deployment. The panelists were generally opposed to paying bounties for finding problems, although ironically all appeared to agree with paying third parties to ethically hack the products.

Another audience member – who works for one of the major Smart Meter manufacturers – stated that they cycle their penetration testing through several types of testers, including internal lab environments, external penetration testing firms and, from time to time, using seedier types of people (their words) to attack their own products. This same manufacturer is also aware that most of their large customers also hire penetration testers on their own to test the same products after they have purchased them. The manufacturer encourages this practice.

Finally, Cisco pointed out that product security testing should be considered a life cycle. It is not something that is done once and then forgotten. Products change with each release and threat landscapes may change even when the products do not.

There are many approaches to improving security in a system, from security risk assessments to application code reviews. However, external testing may be the one technique that most accurately simulates the hostile environment in which Smart Grid products will live their daily lives.

 

Collaborating on International Security Standards

— March 21, 2011

Last week I moderated two panel sessions at the European Smart Grid Cyber Security Forum in London, including “Collaborating on International Standards and Framework.” Once again I was provided with an immensely talented panel:

  • Curt Barker, Chief Cyber Security Advisor, NIST
  • Ian Collard, Security Practice Manager, Siemens
  • Robert Craigie, Chair of the ZigBee Security Working Group
  • Saadat Malik, Smart Grid Solutions and Architecture Practice Lead, Cisco
  • Dr. Vangelis Ouzounis, Senior Expert IT Security Policies, ENISA
  • Johan Rambi, Privacy and Security Officer, Alliander
  • Ken Van Meter, Principal, Energy and Cyber Solutions, Lockheed Martin

The session began with each panelist giving a brief description of what they are working on and what standards mattered to them. There was a general consensus that while certain cyber security standards are necessary, they do not by themselves define a security program. Security itself cannot simply be a set of standards because security must reflect business objectives and each business is unique.

Security standards must also be flexible and modular because we do not know what future awaits the standards. NIST felt that a massive catalog of security standards such as the NISTIR 7628 series has proven to be useful but must be treated as a catalog only. They are a starting point for a security program.

Security requires the collaboration of all stakeholders but most stakeholders currently have no incentives to collaborate. At an extreme, one panelist expressed the opinion that if there are no security standards for Smart Grid then maybe we should not be deploying Smart Grids yet.

Security performance should be tracked with meaningful and practical metrics that are measurable – not quantitative. Simply tracking regulatory compliance, while often required legally, can also give a false sense of assurance of the security of a Smart Grid. Other industries have experienced this. For example, merchants have had charge card data stolen despite being fully PCI DSS compliant.

Several panelists including Cisco and ZigBee stressed the importance of standards-based solutions as a way to ensure interoperability, especially critical in large-scale deployments where competing products may sit side-by-side. Well known standards tend to be more secure because they have been inspected, and possibly attacked, much more often than proprietary standards have been.

Sharing threat and vulnerability information among suppliers and customers can greatly improve the security of Smart Grid technologies. This is especially true for real-time systems such as ICS, where there is often less shared security knowledge of the environments. Lockheed Martin participates in threat sharing with the Edison Electric Institute, the American Public Power Association (APPA), and the (U.S.) National Rural Electrical Co-operative Association (NRECA). Nearly all utilities believe that they can do a better job of creating their security programs than the government could do, but they look to governments for synchronization and co-ordination.

In Europe it may be a mistake for each nation to develop its own cyber security standards. A number of utilities do business in several European countries so uncoordinated requirements could have a negative impact. Several European representatives in this and other sessions expressed that they look to NIST standards as guidance for their own activities.

Finally, sharing threat information can better ensure that diverse solutions can interact effectively and securely. One analyst likened the alternative to a Smart Grid Tower of Babel. However, threat and vulnerability information need not be shared with the general public, only with those who need the information as part of their daily work. One example cited was the U.S. Information Sharing and Analysis Centers (ISACs), in which competitors share their vulnerabilities and security observations with each other to better protect their entire industry – but through a restricted distribution.

The next blog in this series will deal with approaches to testing Smart Grid systems to validate their security.

 

More Good News from Knoxville

— March 14, 2011

Following last week’s blog from the session “How Utilities Are Managing Security,” here are some selected notes from other sessions at the Smart Grid Security East conference in Knoxville. I’m afraid it’s all good news.

Panel Session: “Vulnerability Testing and Security Research”

Panelists represented SAIC, Itron, and IOActive, plus well known security analysts Matthew Carpenter and Travis Goodspeed. Again there was a theme of collaboration among utilities and clients. Meter manufacturers hire penetration testers to validate the security of their devices, and not just their own work. Smart Meter manufacturers are customers of chipmakers, so they hire independent labs to test the security of the chips, down to burning off the top of the chip with fuming nitric acid to see what’s really inside.

Smart Meter manufacturers fully disclose their vulnerabilities within an NDA framework. They will tell all to their clients, but are not obligated to notify the general public. Several manufacturers work together to cooperatively test their products, acknowledging that in a large AMI deployment it is highly probable that several different Smart Meter brands must coexist.

The security analysts on this panel advised against RFPs for penetration testing. One analyst asked the audience, “Which would you rather have, a 50-page boilerplate RFP response or a good long dialogue on which vulnerabilities are most important for your situation and how we will test?” Finally, there are many gifted penetration testers who cannot commit their results to a document. In finding a tester it is critical to find a company or analyst with demonstrated reporting skills.

Panel Session: “Industrial Control Systems – Discussing Solutions”

This session revisited some familiar themes from the dichotomy of IT and Utility Operations, with some interesting observations. OSIsoft suggested that many control systems have capabilities outside of their core reason to exist, such as reporting, which are not strong but do present an expanded attack surface. Like applications on IT network servers, those extraneous services are best disabled and deleted if possible.

Industrial Defender said that many of their clients are still running Windows NT servers with no plans for refresh. Since their mission is to secure their clients’ control systems, they continue to support Windows NT in their software. Where IT networks are usually well documented, control networks often are not. Industrial Defender mentioned instances of physically walking the cable to determine the ICS network topology. This is yet another IT assumption that may be irrelevant in ICS security deployments.

Panel Session: “AMI Vendor Roundtable”

Panelists represented Industrial Defender, Landis+Gyr, Elster, and Itron – quite a panel! The panelists were unanimous in agreeing that there is a spirit of co-opetition within the industry. This is driven by utilities’ desire to mix-and-match technologies in their AMIs. Large IOUs often specify communications from one vendor, plus meters from that and several other vendors. The AMI vendors have realized that they can only compete for this business if they can interoperate in these environments and will modify their products to match the environments that exist. The panelists also agreed that interoperability means better value for the utilities. There is some concern among suppliers that the high value utilities place upon standardization can stifle innovation. At the same time, commonality of solutions does reduce expense and complexity for the vendors.

Although the vendors on this panel compete vigorously with each other in the AMI marketplace, they also share vulnerabilities with each other when they are together in a single AMI and openly notify their clients. Again the vendors made the point that in security they are not competitors – they all want the same thing and in many AMIs their systems are linked.

AMIs will have to get used to dealing with old equipment. Even if smart meters can be upgraded, it is highly unlikely that consumers will replace ZigBee appliances simply because the IT is out of date.

And finally, a quote from a compliance session, attributed to W. Edwards Deming: “You make what you measure.”

 
