WikiLeaks and Stuxnet - Smart Grid Wakeup Calls

The past couple of weeks have been pretty seminal for anyone concerned about the state of Internet security and the bigger picture as to how much we could – do – and should – trust the Web. These two strange words – WikiLeaks and Stuxnet – have suddenly entered our lexicon and there is a lot to be concerned about in the world of smart grid.

WikiLeaks has garnered more attention simply due to its scale and breadth of coverage. By exposing the unvarnished realities of global politics using the very tools that diplomats assumed would protect them, they make the security issues around social networking sites like Facebook seem trivial. The very fate of the free world rests in the hands of a few, and with some simple keystrokes, WikiLeaks has laid human nature bare for everyone to see. The intended effects have been achieved, not just by embarrassing the upper echelons of power, but by showing how vulnerable the Web can be.

By the way, I am in no way trying to minimize the privacy issues around Facebook. They are equally troubling giving how popular these sites are, and while Facebook serves far less noble purposes, they also show how fragile trust and privacy really are in the Internet world. WikiLeaks has far deeper consequences, but whether the players are highbrow or lowbrow, a great deal of collaborative activity can be quickly undone by a handful of clever and determined people.

Stuxnet is far more sinister, but given its most public incarnation, the lines between good and evil are less clear. Pretty much everyone in both the West and Arab world wants to stop Iran from acquiring nuclear power. No country has more to lose than Israel, and all the players know that Iran cannot practically be stopped from outside-in. Attempts to physically bomb these reactors as the Israelis bravely did in 1981 would be folly now, as Iran has learned its lesson from Osirak. Without veering into a geopolitical narrative, I’ll just say that the smarter way to go is from the inside-out, and that’s where Stuxnet comes in. It’s quite brilliant, really, and coming back to the good versus evil debate, the desired results can be achieved this way without loss of life or messy mass destruction.

In its native state, technology of course is amoral, and simply follows instructions. Stuxnet and WikiLeaks are great examples of this, and serve as timely flashpoints for smart grid. Whether good or evil intentions, they show the fragile state of Internet and software security. So many aspects of our lives depend on these elements, and until a major breach happens, we don’t realize how much we take these things for granted. In some ways, they are as basic to modern life as simple necessities like water, and look how easy it is to compromise our water supply. If you favor chemical or biological warfare, water is a very easy target, and could quickly bring our world to a standstill in a worst-case scenario. Software or Internet sabotage is no different – there is always someone out there smart enough and/or evil/angry enough to use these as vehicles to achieve a desired outcome.

This brings me to smart grid. After water and oxygen, energy is the most important life force for the modern world, and as smart grid evolves, software and the Web will play an increasingly central role. Just like we don’t build huge fences around every source of water, we don’t normally think of power stations as targets for attack. Of course, this thinking is prevalent in the telecom world, but as voice moves deeper into IP, all kinds of new vulnerabilities arise. Smart grid is on the same path, and as we’ve seen now with Stuxnet and WikiLeaks, threats can come from some very unlikely places.

Historically, power producers haven’t had much to worry about, as most energy generation has been local. Efforts to destabilize or incapacitate electricity would typically be on a small scale, and that doesn’t provide much leverage for someone looking to gain something. Smart grid, however, sets the stage for something grander, especially if the vision of a U.S. national grid is achieved. Clearly, the more centralized the grid becomes, the more attractive it is as a target. The power grid cannot be made redundant in the spirit of Arpanet, which was designed for this very purpose (to survive a nuclear holocaust).

I’m not a security expert, but the proximity of these two recent events – Stuxnet and WikiLeaks – should make these concerns a pressing issue for utilities. For starters, security cannot be minimized or assumed, and to protect yourself from the malicious doings, you have to think maliciously and expect that these forces are out there. Waiting to develop security safeguards only after a malicious event is not a winning strategy, especially for such costly infrastructure as smart grid. While smart grid offers great upside for utilities, there is a lot of new risk as well, and to mitigate that they should be probing Stuxnet and WikiLeaks for lessons learned any way they can.