If Internet voting is so safe, why is the power grid so vulnerable?

Of course the answer is that Internet voting is not safe, much more vulnerable than the power grid. But why don’t we know that? Could it be that voting is largely a Government managed function and therefor Government articulation of vulnerabilities, and public expenditures on security would be less welcome?

Today we have a story from the LA Times highlighting vulnerabilities in the power grid: Security holes in power grid have federal officials scrambling <read>

Adam Crain assumed that tapping into the computer networks used by power companies to keep electricity zipping through transmission lines would be nearly impossible in these days of heightened vigilance over cybersecurity.

When he discovered how wrong he was, his work sent Homeland Security Department officials into a scramble.

Crain, the owner of a small tech firm in Raleigh, N.C., along with a research partner, found penetrating transmission systems used by dozens of utilities to be startlingly easy.

How are grid vulnerabilities different from the vulnerabilities of electronic voting and Internet voting in particular? We can start with the article subtitle:

In Congress, the vulnerability of the power grid has emerged as among the most pressing domestic security concerns

Internet voting is hardly a concern in the Connecticut Legislature which unanimously passed Internet voting two years in a row mandating the Secretary of the State and Military Department do what the DoD, experts from Homeland Security, and the National Institute of standards say is impossible.  And even here grid security is a big concern of state government.

Then again maybe they are also the same in some ways:

“There are a lot of people going through various stages of denial” about how easily terrorists could disrupt the power grid, he said. “If I could write a tool that does this, you can be sure a nation state or someone with more resources could.”…

Some members of Congress want to empower regulators to force specific security upgrades at utilities. Others are attacking whistle-blowers and the media, demanding an investigation into disclosures of how easily the country’s power grid could be shut down.

Here is a difference. Who would even attempt insuring the safety of our election system? Let alone Internet voting?

Lloyds’ appraisers have been making a lot of visits lately to power companies seeking protection against the risk of cyberattack. Their takeaway: Security at about half the companies they visit is too weak for Lloyds to offer a policy.

Power companies are actual monopolies, but so are local election departments. Some of the same issues apply:

The problem, said Scott White, a security technology scholar at Drexel University in Philadelphia, is that “you are basically dealing with these monopolies that are determining for themselves which expenditures are a priority. Security has not generally been one.”

Utilities deny they’ve ignored the problem, pointing to the billions of dollars they say they’ve spent to upgrade outdated computer systems and close security holes.

Here is a difference, something seldom seen when Internet voting is adopted and declared successful:

They are signing contracts with security firms like Booz Allen Hamilton to investigate such things as to how to keep potentially mischievous devices out of the equipment they buy, often from foreign suppliers. The security firms help clients sift through reams of confidential intelligence provided by federal agencies. They simulate cyberattacks.

“It is the equivalent of war gaming, like the military does,” said Steve Senterfit, vice president of commercial energy at Booz Allen Hamilton.

Here in Connecticut we pride ourselves in the safety of 169 autonomous elected election departments. But that also has its downsides. Like the power grid, electronic voting involves users’ computers or distributed military computers:

But critics, including many in Congress, say more needs to be done to shore up a grid increasingly exposed to attacks. They note that so-called smart grid technology, which allows operators to calibrate the flow of energy from an increasingly diverse pool of sources, has opened new security risks.

The technology relies on devices in remote locations that constantly send signals to substations to help control when juice needs to be brought on and offline. The smarter the grid becomes, though, the more entry points an attacker can exploit.

“The whole idea of a smart grid is to push equipment further and further away from the substations,” Crain said. “Some of it is even in people’s homes. It’s physically impossible to secure it all.”

Here is a difference: The grid is apparently not on the Internet, so it is actually just a little harder to compromise:

The vulnerabilities Crain exposed, for example, had been overlooked because taking advantage of them requires an attacker to have access to closed, local networks. Now, a cyberterrorist with a little knowledge and the right laptop can gain that access and cause chaos in a regional power system merely by linking up with the control panel at a secluded electric vehicle charging station.




Leave a Reply

You must be logged in to post a comment.