The Vulnerabilities of State Imposed Smart Grids

“The city of Miami and several commercial partners plan to rollout a “smart grid” citywide electrical infrastructure by the year 2011. This rollout was
announced on the heels of news that foreign agents have infiltrated our existing electrical infrastructure and that recent penetration tests have uncovered numerous vulnerabilities in the proposed technologies. Simultaneously, the National Institute for Standards in Technology (“NIST”) has recently released a roadmap for producing smart grid standards. In this whitepaper, I will discuss the flaws with the current guidelines and map them to the criticisms of similar regulatory mandates, including the Payment Card Industry Data Security Standard (“PCI DSS”), that rely heavily on organizations policing themselves…

As of the writing of this white paper, NIST has released a draft framework for review that includes some of the proposed standards. While there are several security standards listed in the framework, NIST appears to be making the same mistakes of previous regulatory mandate governing bodies. For example, the PCI DSS standards have been criticized for not requiring a high-level of security in environments that process cardholder data. Specifically, one of the major criticisms is the “self policing” aspect of these standards. The credit card companies (American Express, Discover
Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) are responsible for ensuring that relevant companies are compliant with the standards. If a company is deemed non-compliant, then the credit card companies issue what they consider to be the appropriate punishment…”

source: blackhat.com