The answer to the question in the headline, it turns out, is many. So many, in fact, that the consensus is to just give up. Your system is vulnerable. Someone, somewhere, can get into your system as you're reading this, turn on your printer, turn on your camera, snap a picture of you, draw a funny picture on it, and then send it through your printer as you look on in confusion. This has, yes, actually happened to me.
There are so many vulnerabilities along the grid that trying to fix all the little holes could drive software engineers crazy. So, to keep us all sane, let's focus on minimizing the damage instead of eliminating it altogether.
There are three points of entry for the smart grid:
The consumer segment:
This segment includes devices like your phone or tablet or computer.
The concentrator segment:
This segment includes your router or a wireless gateway. This segment manages maybe a dozen or so consumer devices.
The backend:
This segment includes a few servers that manage thousands of concentrators. When the backend goes down, whole regions can go dark.
Of course, while the most important point along the grid is the backend, the most vulnerable point is the consumer segment. It's the most vulnerable because security hinders a user's ability to enjoy his product, so we as consumers often ignore security. But really, if a hacker gets access to your phone, you're the only one affected. So instead of spending millions of dollars and hours trying to save us from ourselves, doesn't it make more sense to focus on the backend, where, if a hacker gets access, thousands of systems could be affected?
Freescale Semiconductor Inc. agrees, and its QoriQ T4240 with Layerscape addresses these issues with Trust 1.1 and 2.0. Freescale defines a secure product as something that satisfies four requirements:
It has an irreversible configuration, which means that it has a secure boot and is tamper-resistant because the code has been hardwired into the silicon.
It is uniquely identifiable with strong authorization requirements.
There are runtime integrity checks.
It has secure communication channels.
As a result, the right code will only work with the right security key. No security key means the product is effectively bricked. And with Freescale, if its product senses tampering, then the flash that stores all the authorization codes will be wiped so the codes cannot be stolen.
Considering that anywhere from 50 percent to 73 percent of passwords are used over and over again, credential stealing can become a serious problem. Freescale's solution eliminates the possibility of credential stealing by assuming the possibility of a security breach and minimizing the damage from the start.
Keep in mind that these security measures aren't for your phone or computer, but for enterprise-level servers that handle thousands of smaller systems, ensuring that the backend stays up so we can keep using our phones.
Security should be happening on the backend, and the people at the Freescale Technology Forum agreed. It was quite refreshing to sit in on a discussion that was willing to address the fact that you cannot secure the grid from the consumer segment, even if it is the most vulnerable.
Server end security is more sophisticated and requires much more work than user end security. It is important to protect that part of the cycle because all the information may be accessed if a server has been hacked into.
Vulnerabilities from a consumer's end are only a part of the problem. We can add as many layers of security as we want on the consumer end, and that will never solve the problem. It will just waste money and anger the customers. The bigger threat, which Freescale's solution is directed towards, in on the server end.
Credential stealing on that end can be as simple as someone accidentally downloading a behind-the-curtain keylogger to get as many passwords as possible. Those passwords can then be used to open up other secure networks. (or steal Sony PS3 passwords... or linkedin passwords... or government passwords?)
IMO, security should be focused on those types of security breaches that can bring down regional communication or power supplies. Those security breaches don't come from the random transactions we make on our cell phones.
Minimizing damage doesn't mean stopping the intrusion – it means minimizing how much theft can occur once the hacker is inside, and that's what Freescale's solution does.
Michelle, it seems difficult to prevent credential theft because every user is exposed to threats ona regular basis. A mechanism that would help to reduce the theft impact could be to go for an additional layer of security when performing transactions.
That's right, but going further I was thinking implication due to biometric smart for bypassing vulnerability at current stage; it seems real applications are still not widespread, imo benefits could be a lot.
Credential stealing is so common in most of the sector, irrespective of it's a software or hardware. So far no tamper proof solutions are available, but there should be some mechanisms to minimize the user's bad experiences. Now a day's real-time token generation is also not safer because of many reasons.
I've always been leery about the consumer market and smart technology. "Smart" seems to add a layer of uncertainty that hardwired plain-old-systems don't have to face (yet.) I also agree that focusing on the infrastructure is where the attention should be. Although getting into the grid is possible through the consumer interface, breaking into the infrastructure can wreak so much more havoc. This week's experience with power failures and record high heat should remind us how dependent we are on energy and that a prolonged outage costs lives. If your e-mail goes down, it's an inconvenience. If you lose power...it's another story.
Absolutely - which is why its better to stop worrying about stopping all threats (because that's impossible) and instead worry about minimizing the damage.
Credential stealing is one place that designers can look to in order to minimize the data theft, but every single person using the system is a vulnerability so it's a tough order.
As impressive as Freescale's solution may sound (and that is not eh only one of its kind), the fact that attack techniques progress in parallel to the protection mechanisms remains and that is what makes security a difficult problem to solve.
The difficulty in designing effective security mechanisms is mainly because of the fact that a designer has to factor in all possible threats, which is a very difficult task. While a designer may put in a lot of effort say to tamper proofing a device, an attacker that sits on the opposite side of the planet may develop methods to perform a remote attack that can be successful whilst maintaining his anonimity as well!
Tamper proofing is a brilliant marketing tool because most of us think about security in terms of tangible concepts such as a big safe with a huge lock on it or a door with 10 locks. As long as one provides a 'sense of security' to an average customer, a sale is almost guaranteed. The customer usually sleeps comfortably until something goes wrong.
An attacker never challenges a system via its strongest point. A successful attacker is the one who is able to identify the weakest point in the system where he performs the attack. The key question is 'Has the designer accounted for all possible threats?'
I must also add that a security system designer's job is much more difficult compared to an attacker. This is because a designer has to ensure that the system is protected against ALL attacks. However, an attacker has to find only ONE weakness to exploit and only needs to crack the system ONCE to be successful.
EBN Dialogue enables and encourages you to participate in live chats with notable leaders and luminaries. Not only editors and journalists, but the entire EBN community is able to comment and ask questions. Listed below are upcoming and archived chats.
Archived Dialogues
Thailand Stages a Comeback Join EBN contributor Jennifer Baljko on Thursday August 23, 2012, at 11:00 a.m. EST for a live chat on how electronic manufacturers in Thailand have shored up their supply chain to reduce the impact of future natural disasters.
Euro-Crisis: What It Means for High-Tech Firms Join EBN Editor in Chief Bolaji Ojo and Contributing Editor Jennifer Baljko on Thursday, July 12, at 10:00 a.m. EDT for a Live Chat on high-tech and Europe's economic difficulties.
Microsoft Surface: Potential Winners & Losers What are the implications for the electronics industry supply chain of Microsoft Corp.'s decision to launch its own tablet PC? Join industry veteran and EE Times' systems and OEM expert Rick Merritt on Tuesday, July 3, at 12:00 pm EDT for a Live Chat on this subject.
Join EBN contributor Jennifer Baljko on Thursday August 23, 2012, at 11:00 a.m. EST for a live chat on how electronic manufacturers in Thailand have shored up their supply chain to reduce the impact of future natural disasters.
Peter Drucker famously said "Trying to predict the future is like trying to drive down a country road at night with no lights while looking out the back window." Yet in the razor's-edge world of electronics—with a lean supply chain and just-in-time demands—the need to know the future is vital.
While no one really can accurately predict the future, we can take guidance from another Drucker saying which is the best way to predict the future is to create it.
You've heard the saying "the No. 1 supply chain risk is your people." That hasn't always been the case. But today's complex global supply chain requires a new type of multitalented employee. It's one who understands, finance, marketing, economics, is savvy with technology, graceful with relationships and can think analytically.
Where are these people? Are universities properly preparing the next generation supply chain professionals? How do train your existing workforce for these new, demanding positions?
Brian Fuller, editor-in-chief of EBN, will lead a 60-minute Avnet Velocity panel discussion that will ask and answer these and other questions swirling around today's supply-chain talent challenges.
To save this item to your list of favorite EBN content so you can find it later in your Profile page, click the "Save It" button next to the item.
If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This