Early this year, fellow Cutter Consultants Mitch Ummel, Mike Rosen, and I wrote an Executive Report on the Smart Grid. In that report, we talked about all the potential that the Smart Grid offers, how it would be designed, and also about the serious problems that such an ambitious undertaking faces — especially problems related to reliability and security. We expressed fears that since the next generation of Smart Grid electrical utilities is based on current standards taken from the Internet and the current generation of operating systems, it would be subject to serious attacks by more and more sophisticated hackers which, in turn, could seriously jeopardize the reliability and security of our most critical infrastructure. Boy, were we on the mark.
The ink was hardly dry before we realized that we were more prescient than we could have possibly imagined. Indeed, while we were writing our report, security experts around the world were already documenting a new kind of Internet malware, the Stuxnet virus. In July and August, many of the top security labs around the world began reporting on a new, very sophisticated virus whose objective, like many viruses, was not immediately apparent. Just this week, however, two respected security experts gave us the answer: the Stuxnet was in fact an Internet bomb.
The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world — to destroy something (Mark Clayton, The Christian Science Monitor, 22 September 2010).
Stuxnet is now the subject of serious debate around the world. Many experts believe the virus was developed by a very sophisticated, very serious group of top-notch software security experts probably financed and controlled by a nation state with an equally serious intent. The target of this worm, it appears, was a single facility; most likely the Iranian nuclear facility at Bushehr, and it was focused directly at a bit of technology core to the electrical utility industry — SCADA software from the German giant Siemens.
So here we are a decade ahead of our time, with a serious cyberattack that sounds a whole lot like a 1980s sci-fi thriller — but it isn’t, and it ought to get the top minds in all of the software industry focused. What should the next generation of the Internet, our basic operating systems, and our most critical infrastructures look like? And how do we get there before something — like some major piece of electrical infrastructure — literally blows up in our faces?
Finally, a bit of good news. I noticed as I was finishing this piece that the US military’s cyberwarfare operations is “advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet” (Thom Shanker, Cyberwar Chief Calls for Secure Computer Network, New York Times, 24 September 2010).
This last bit is truly good news, and perhaps someone with some real purpose and deep pockets is working on the problem, because without a really secure operating system and networks, the SmartGrid is going to look pretty dumb.
Editor’s Note: This is an advance copy of next week’s Enterprise Architecture Advisor, which we are posting now due to the timeliness of Ken’s commentary.