GCN : November 2012
CYBEREYE

SOLAR-POWER SYSTEM'S FLAWS SHINE LIGHT ON SMART GRID THREATS

BY WILLIAM JACKSON

The Homeland Security Department has issued an alert about vulnerabilities in a control system for solar electric systems that could allow unauthorized users to access the system and execute malicious code. The equipment is sold by the Italian systems integrator Sinapsi, and although a proof-of-concept exploit has been published, no exploits have yet been reported in the wild.

The alert is a reminder of the need to incorporate security into increasingly complex and interactive power grids, however. With the Energy Department funding research and development and implementation of new technology for a Smart Grid, it is imperative that software and hardware be built to emerging standards for IT security.

The alert was issued this month by the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in response to a published report on vulnerabilities along with an exploit. Italian researchers Roberto Paleari and Ivan Speziale found the problem in a variety of photoelectric system control servers and published their findings in September.

The researchers said they found multiple security issues that could allow unauthorized users to gain remote execution of code within the systems. Management Web pages in device firmware are vulnerable to SQL injection, allowing access in some cases with no authentication. This can expose username and plain text passwords for accounts on the system. There also are some "hard coded" accounts on the equipment with predefined passwords that cannot be changed or removed.

The researchers warned that the same management server is used in a number of control products for solar power systems from different manufacturers and that all probably share the vulnerabilities.

"We are not aware of an updated firmware that corrects the issues described in this advisory," Paleari and Speziale wrote. "Users should avoid exposing the management interface of the device on the Internet."

The Smart Grid now being developed is intended to incorporate a variety of distributed energy sources, including solar and wind power. When they become part of the national power distribution and delivery system, such vulnerabilities could conceivably provide attackers with access to the wider grid.

The Defense Department already is experimenting with such systems. The department is developing next-generation microgrids to enable local generation and storage of power on bases. Integrating microgrids with commercial grids not only could protect against outages but also enable better local energy supplies and help balance demand and supply. However, integration also could introduce new vulnerabilities.

Advanced power grids are not without protection. The National Institute of Standards and Technology has been charged in the Energy Independence and Security Act of 2007 with identifying and developing the technical standards for security and interoperability to ensure that utilities, manufacturers, equipment testers and regulators will be working on the same page. But standards development is a slow process, and security standards are not mandatory for manufacturers or users of equipment in the private sector.

WHO CAN BEST BE TRUSTED WITH MOBILE DEVICE SECURITY?

The growing use of mobile devices for work has raised the profile of mobile security to new heights in government. A recent survey on password usage for the security company ESET by Harris Interactive suggests some guidelines for mobile security: Allow the devices to be used only by old, rich married people.

According to the results of the survey, the more stable and economically secure a person is the more likely he or she will use a strong or complex password. The survey queried 2,129 U.S. adults about how they use passwords. Those most likely to use passwords containing letters, numerals and symbols are:

• Age 55 or older, 89 percent
• Married, 89 percent
• Highest incomes, 89 percent

Single youngsters under the age of 35 are the least likely to use complex passwords, at 77 percent. Other measures of password security followed similar patterns.

Feel free to take these results with a grain of salt, however. Overall, the number of people who claimed to use strong passwords was 84 percent. Either a lot of applications are requiring strong passwords, or a lot of people are lying.

--- William Jackson