Monday, October 26, 2009

Electric Car Conundrum: V2G a Smart Grid Blessing or Curse?

Initially arriving in the US in low volume in late 2010, the addition of thousands and later millions of cars with 5-10 KW battery packs drawing power from (and sometimes giving back to) the grid is cast as both a positive and a negative, depending on your point of view.

On the positive side, as this article says, high performance, deep cycle lithium ion and lithium air batteries en mass may be the energy storage solution the industry has been searching for. Here's an example starring Duke:
Duke Energy committed to an electric vehicle future when it committed with the FPL Group to buy 10,000 electric vehicles and plug-in hybrids in the coming decade, as they upgrade their fleets. The energy storage in these vehicles could eliminate the need for peaking plants and enable the expanded use of renewable energy. Duke Energy’s electric vehicle future may save billions in future power plant investments.
Sounds good, but others worry, here, that local electrical infrastructure can barely handle the additional iPods and iPhones it's had to deal with lately. Adding clusters of electric cars charging at approximately the same time each evening might break the camel's back in many neighborhoods. According to Peter Darbee, the CEO of Pacific Gas & Electric:
A high concentration of plug-in electric vehicles poses a serious challenge to utilities. Plug-in electric cars could draw electricity equivalent the amount needed to run one home, or up to three homes in certain places. You can see if you have three or five electric cars arrive in a neighborhood, you're going to overload the local circuits, and that will lead to blackouts. So we see it as an opportunity but we also see it as a challenge of significant proportions.
We all know how neighbors like to mimic and compete with each other (have you seen the Halloween decorations next door !?). One electric car will beget two will beget ten or twenty. Scheduling software will help, but much depends on fast this goes, and how close to edge local circuit gear is at the outset.

Nissan Leaf photo credit: Wikimedia Commons

Monday, October 19, 2009

Why Smart Grid Security is about so much more than Smart Grid Security

Frankly, after having worked in the security industry for ten years now, there are days when I feel like I've had my fill. At a recent Smart Grid conference I sometimes wished I could focus solely on cool new functionality like Vehicles to Grid (V2G) for instance.

But then I remember that what got me into energy was a passion for renewable technologies. A passion which was refreshed last week when by futurist Ray Kurzweil, speaking at MIT's Enterprise Forum, reminded us that solar energy technology is now on an exponential growth curve, just seven evolutionary steps away from reaching price/performance parity with the cheapest fossil fuels: coal.

Well guess what? If solar was ready for prime time today the grid couldn't handle it. Wouldn't that be depressing? We've got a few more years to get the grid ready by making it smarter, more flexible and able to handle the intermittent aspect of solar and wind.

So we need this Smart Grid to be up, running and well along its nation-wide implementation in the next 5-10 years. During this period, security consultancies like IOActive and Wurldtech will continue to tell us that the Smart Grid is a house of cards, ready to be blown over by casual hackers, let alone organized criminal gangs, non-state combatants, and nation states determined to harm the USA. There will be times when we'll second guess what we're doing, when we'll question whether NERC's vigilance and NIST's Smart Grid security standards are up to the task, whether key industry players are putting enough thought and effort into the security elements of their solutions, or are simply trying to sell us what was "secure enough" in the past.

Ultimately, the Smart Grid must both appear to be secure (so we continue to invest in and deploy it) and actually be secure, so it doesn't suffer a knock-out blow in its formative days. All this security stuff, while potentially tedious to some, is an acknowledgement that a secure Smart Grid is a mandatory prerequisite to our nation's energy future, nothing less.

Photo: Wikimedia Commons

Thursday, October 15, 2009

Military Planning For Prolongued Outages via Smart/Micro Grid Technologies

While the US Department of Defense has many unique tasks and requirements, many of its concerns and challenges re: the current grid, Smart Grid and Smart Grid security are common to all enterprises. Much of what motivates DOD motivates others, including:
  • Desire for continuous operation and continuous service to customers by keeping core systems running during (possibly prolonged) power outages impacting local communities
  • Energy efficiency savings via reduction in electricity and fossil fuel usage
  • Demonstrating proactive/compliance measures vis-a-vis climate change and the increased use of renewable energy sources
  • Maintaining confidentiality/privacy of data and doing all of the above is a safe and secure manner
So along those lines, here's an excerpt from a recent post on the DOD Energy Blog on the so-called "brittle grid" problem I believe you'll find interesting:
Eighteen months have now passed since the public release the "Defense Science Board Task Force Report on Energy" This is from the section called "Managing Risks to Installations":
For various reasons, the grid has far less margin today than in earlier years between capacity and demand. The level of spare parts kept in inventory has declined, and spare parts are often co-located with their operational counterparts putting both at risk from a single act. In some cases, industrial capacity to produce critical spares is extremely limited, available only from overseas sources and very slow and difficult to transport due to physical size.
In many cases, installations have not distinguished between critical and non-critical loads when configuring backup power systems, leaving critical missions competing with non-essential loads for power. The Task Force finds that separating critical from noncritical loads is an important first step toward improving the resilience of critical missions using existing backup sources in the event of commercial power outage. The confluence of these trends, namely increased critical load demand, decreased resilience of commercial power, inadequacy of backup generators, and lack of transformer spares in sufficient numbers to enable quick repair, create an unacceptably high risk to our national security from a long-term interruption of commercial power.
Granted, DOD's not the only organization with these concerns ... and the obligation to plan accordingly. Hospitals, police & fire, essential services, etc. all have to think this way. DOD is exploring campus microgrid strategies (including on-site power generation, energy management and energy storage systems, and more) to allow bases to "island" themselves away from commercial grid infrastructure.

The technology is getting to the point where this approach is becoming just as feasible for industry. We'll be investigating further and will post the results right here.

Photo Credit: Kristen Holden on Flickr

Tuesday, October 13, 2009

Smart Grid Security: Answers in Questions

Over the past year, Andy and I have written about the risks and opportunities in the growing software sector of the Smart Grid Marketplace. We have described the space, some of the firms, the investment, and what we are seeing for security in those organizations we speak with. In response, and I think with genuine interest, we've been asked what we are worried about, and in turn, what recommendations would we specifically make to individuals who are either investing in these solutions, or who are actually building them.

In the recent NIST strategy and requirement recommendations release, there was a substantial body of information to be reviewed, and this post is not meant to summarize or to supplant those results (obviously). This is a relatively lightweight view of heavy duty and high-level considerations in software as a critical element in the development of the Smart Grid. It is a practical list of questions that organizations should be able to answer before they commit to software that will either replace or broker their interactions with the Smart Grid.

What is the software's provenance?
Provenance is a term that gets thrown around a lot, but I use it to express the idea of origin. Where did the software come from? Who made it? What was it made from? While absolute provenance is difficult or impossible to ascertain, these answers can help to guide risk awareness and management. Is it new software built for me? Is it existing software that has run similar systems elsewhere? Is it a new solution from an existing partner, or revision 0.9 from a start-up? Is it built from the ground up, or does it contain elements of legacy applications, particularly those that my have been written with a different security mindset? By understanding more about the roots of software, the strategy to secure its use will be better informed.

Why ask the question? Unless you know about the origins of software, it is very hard to put together a plan to ascertain its security. Knowing who built it provides a resource to ask about the way in which it was built. Knowing about its components provides information to use in testing it or researching testing done by others.

What is the plan for ongoing governance?
Governance, similarly, has a variety of depths of detail and application, particularly in IT. For our purposes, the questions can be limited. How will the software be updated? Who will make those decisions? What is the process to initiate or approve a change? New software in any environment, and even established software in a dynamic environment, will face frequent opportunities and requirements to change. Understanding the models through which those changes are considered, approved, and delivered enables organizations to measure and manage their own risk from flux in the software, and in any collateral instability introduced to dependent systems.

Why ask the question? Instability = Insecurity. Haphazard or non-existent governance leads to more frequent changes, less testing time for the solution in place, and to inevitable discontinuities if the software is a component of a larger system. Weak governance also increases the opportunities and likelihood of malicious coding behavior by simply increasing the chaos during the software delivery process.

What does the software do with data?
Data is at the root of almost every application's function and purpose. Whether it exists to generate data, to gather it, or to analyze it, data is not only central to the application, it is often the prime target for an attacker. For that reason, there are multiple facets to consider. What kinds of data does the application gather, where does it come from, and how does it enter the system? Once the data has entered the system, does it get stored, and is it stored with appropriate protection of privacy and integrity? If the data ever moves between components of the system or between multiple systems, is it appropriately protected by the software for privacy and integrity? Does the system restrict access to the data, and is access control sufficiently granular to permit only authorized individuals to enter into the system? Each of these questions naturally results in a series of more technical and specific questions about the behavior of the application, but requiring answers to these high-level queries will mean that these will not be ignored.

Why ask the question? Data is central to the smartness of the Smart Grid, and its protection is expected by subscribers, is in many cases mandated by regulation, and is certainly necessary to ensure reliable operation of the Smart Grid.

How has the software been tested?
The testing of software, particularly for security issues, is still a developing field. There are a variety of approaches and mechanisms, each with their own strengths and deficiencies. What testing has been done, and on what components? What approaches were used, and with what results? Have all components been considered for security issues prior to their inclusion, and how were they vetted prior to selection?

Why ask the question? Understanding the testing process for the software can uncover blindspots to some sets of security issues, and can also identify weaknesses in methodology that can indicate systemic problems from the provider. If the testing ignores a specific area, like data storage or access control, then that lack of attention raises the likelihood that there could have been a similar lack of focus during its construction. Testing has many facets, and security must be among them.

These questions are intended to be a very brief introduction to some of the underlying and quite concrete issues that must be considered during the Grid's evolution to a Smart Grid. In time, each of these areas must be expanded into multiple levels of detail, but for now, this is a start. It is the start of generating more informed awareness, and of describing the types and amount of data that is required to feel secure during the adoption of new Smart Grid technologies.

In return, though, having those answers will certainly bring more confidence, more security, and more opportunity for success in the new Smart Grid.

Thursday, October 8, 2009

Islands No More

In a bracing report from Australia, we learn from the Sydney Morning Herald that Integral Energy was inundated with a virus on non-critical systems, but at such a penetration level that they chose to rebuild 1000 desktop machines to eliminate the problem before it "spreads to the machines controlling the power grid."

The security consultant interviewed in the piece, Chris Gatford from HackLabs mentions that in his experience there is ample evidence that the networks may well have been connected despite the efforts of the utility to separate them. This is particularly problematic, I am sure, because there are not only power control systems to worry about, but also online payment, user account management, and other relatively advanced functions at Integral Energy.

His comments seemed familiar to me, so I went back through my notes, all the way to a report from the team at Riptech in 2001 ( Bought by Symantec) called " Understanding SCADA System Security Vulnerabilities ", where the authors describe a very similar disconnect between assumptions and reality in these internal networks:

MISCONCEPTION #1 – “The SCADA system resides on a physically separate, standalone network.”
Most SCADA systems were originally built before and often separate from other corporate networks. As a result, IT managers typically operate on the assumption that these systems cannot be accessed through corporate networks or from remote access points. Unfortunately, this belief is usually fallacious.

In reality, SCADA networks and corporate IT systems are often bridged as a result of two key changes in information management practices. First, the demand for remote access computing has encouraged many utilities to establish connections to the SCADA system that enable SCADA engineers to monitor and control the system from points on the corporate network. Second, many utilities have added connections between corporate networks and SCADA networks in order to allow corporate decision makers to obtain instant access to critical data about the status of their operational systems. Often, these connections are implemented without a full understanding of the corresponding security risks. In fact, the security strategy for utility corporate network infrastructures rarely accounts for the fact that access to these systems might allow unauthorized access and control of SCADA systems.

MISCONCEPTION #2 – “Connections between SCADA systems and other corporate networks are protected by strong access controls.”
Many of the interconnections between corporate networks and SCADA systems require the integration of systems with different communications standards. The result is often an infrastructure that is engineered to move data successfully between two unique systems. Due to the complexity of integrating disparate systems, network engineers often fail to address the added burden of accounting for security risks.

As a result, access controls designed to protect SCADA systems from unauthorized access through corporate networks are usually minimal, which is largely attributable to the fact that network managers often overlook key access points connecting these networks. Although the strategic use of internal firewalls and intrusion detection systems (IDS), coupled with strong password policies, is highly recommended, few utilities protect all entry points to the SCADA system in this manner.

I think that the team at Integral Energy knows this as well. Their actions show that they felt it necessary to take serious and disruptive measures to eradicate a virus outbreak before it jeopardized the entire infrastructure. Their willingness to speak of it publicly also provides a real service to those of us who are considering the impacts of the introduction of multitudes of new systems and new access points into those same networks.

One sees allusions to the concept of separate networks, with various properties, in existing regulation, CIP descriptions, etc. If we can agree that there are likely to be unintended cross-overs between these systems and their populations, then we must also agree to stop considering the artifice of disjoint networks as being anything but an anachronism, and treat the security of each network with the same rigor and protective approaches, regardless of our faith in its isolation from sources of corruption.

Wednesday, October 7, 2009

CSOs and the Smart Grid

Setting the Stage
So you're an executive in charge of security at a medium, large or very large organization. You might be called Chief Security Officer (CSO) or Chief Information Security Officer (CISO) or maybe VP or Director of Security. You most likely report to the Corporate CIO, or you're in a business division and you and your boss plug into a General Manager. You decide, with blessing from above for the big stuff, the following:
  • Where you'll get the biggest risk reduction (or compliance) bang for your limited budget buck
  • Which technologies get purchased and implemented
  • Which vendors will augment your in-house security team, and,
  • Corporate security policies, and how to best promulgate them to other parts of the co. for whom security is at best an annoyance, and at worst, something to be openly resisted
Yours is a world of risk management as you oversee the wellness (e.g., integrity, reliability, performance, compliance) of your IT, networking and communications systems (and true CSOs own physical security as well). In addition to managing for threats coming from those directions, in recent years, new threat vectors from service oriented architectures (SOA), Web 2.0 and cloud computing have kept you busy.

Hey, Have you Heard of Smart Grid?
So how much time do you spend on future threats? If you have heard of the Smart Grid, and if you've been reading up on it, then you probably don't need to read further here. You're in the top 10% of your class and get a star on your forehead. If however, you're like some CSOs I've talked with who claim to have never heard the term, then this is your wake up call. There has been little written to guide CSOs through the early stages of preparing to protect their organizations in a world where the power systems they rely on look increasingly like the Internet (and in some cases are the Internet!).

How is it different from today's electrical grid? For starters, it's a 2 x 2-way system. Thanks to advanced metering infrastructure (AMI) and net metering, electricity and usage information will flow from generators to consumers and back again. The total amount of information, which in the beginning will be substantial, will quickly become enormous. Data protection will be crucial, and demand management strategies which could save your organization significant money, could also get you in trouble fast. Water and other services will also be impacted for better and worse. In short, for each benefit a Smarter Grid will bring an organization, there is a commensurate risk to mitigate. And it's your job to know (and plan for) this.

Only CSOs at utilities see this world first hand, and even in the energy and utilities vertical, many of those CSOs work in a balkanized world where their policies touch only IT, and the "rubber meets the road" part of their company, field operations, doesn't want to anything to do with them.

So most CSOs are left to infer what they need to know from a mountain of Smart Grid articles and a multiplicity of Smart Grid conferences. My guess is once they've poked a toe into these confusing waters one time, they soon find their time better spent working on present challenges. The appropriate information has not yet been boiled down for this most important enterprise leadership function ... one that could and would do the right things, proactively, if it had the right knowledge to work with.

CSO Info Resources Not Too Helpful Yet
Where do CSOs turn for expert guidance and to learn from what their successful peers are doing? Why, the journals and other news sources that serve them. Yet from the looks of these two articles from CSO Online and the CSO Roundtable, all they're getting is high level introductory material that in no way considers how Smart Grid trends intersect with CSOs' particular responsibilities. I would advise these orgs to get on the ball: it's their job to see over the horizon and around corners to give their readers the info they need to protect their companies ... and their jobs.

No Answers Yet, But Here are a Few Starter Questions
NIST and other standards bodies are working around the clock to bring appropriate and helpful security standards to this new domain and you don't have to know them yet (however, for a sneak peak, here's the most recent draft edition of Smart Grid Cyber Security Strategy and Requirements from NIST). So much is still in flux that doing too much at present might be as bad as doing too little. But that doesn't mean you shouldn't start getting your head around this challenge and thinking through some of the scenarios. Here's a handful:
  1. Supply Chain - Similar to Y2K preparation in some respects, even if you get your house in order for the arrival of the Smart Grid, if the companies yours depends on are not prepared it may affect you. It's time to talk about this with them.
  2. Vehicle Fleet - More choices are coming, including hybrid electric, full electric, natural gas, etc. Are you thinking about the challenges and opportunities that present themselves in beginning to move away from gasoline and diesel? What are the security implications of your enterprise depending on these new transportation technologies?
  3. Local utilities - All utilities are under guidance to prepare for Smart Grid standards and technologies. What are your providers doing in your different locations and how soon will their actions begin to affect you? What do you need to do to not get blind sided?
  4. Smart Grid pilots - With stimulus help from the Fed Gov, pilots are springing up everywhere. Related to number 3 above, are there any pilots going on you could participate in? While this might take resources away from more proximate concerns, the education might more than pay for the time invested.
  5. Centralized policy and control - If yours is a geographically distributed operation, to what extent will you attempt to define and enforce Smart Grid-related security policy in a uniform way, versus allowing disparate facilities and offices to determine their own best approaches?
That's all for now, but on each of these and many more there's a ton of thinking and planning to be done. While in most cases it's too early to implement, it's certainly not too early to imagine.

And Then There was None

News from the Smart Grid Investment Grant program

Early Birds win again! Looks like the interest and enthusiasm for Smart Grid Programs has rapidly outstripped even the Government's own $3.4B largess. In an amendment dated September 21, the DOE announced that:
The Department of Energy has received a significant number of high quality applications and our review continues. The dollar value of applications far exceeds the funding available under this Funding Opportunity Announcement. As a result, Phase III is canceled.
Given the facts cited above, the Department may decide to cancel Phase II following final selection decisions made on applications currently under review.

So, what was intended to be a three phase investment program in new approaches to energy and grid management has become at best a two-phase program, and likely a single shot of stimulus into the Grid. Taking the amendment on its face, that the dollar value of applications already received far exceeds the funding available, we can conclude:

In the planned Phase I application period, running from the initial solicitation date of June 25th, 2009, to August 6th, 2009, there were requests for grants FAR EXCEEDING $3.4B. This means that, on average, the DOE received grant requests FAR EXCEEDING $113M every business day of the Phase I application period.

Each of these applications was expected to include many things, not least among them a well-articulated security plan. You will remember, from the cyber security requirements description:

Submitted Project Plans are also required to include a section on the technical approach to cyber security. Cyber security should be addressed in every phase of the engineering lifecycle of the project, including design and procurement, installation and commissioning, and the ability to provide ongoing maintenance and support. Cyber security solutions should be comprehensive and capable of being extended or upgraded in response to changes to the threat or technological environment.

Yikes. And more specifically must include:
  • A summary of the cyber security risks and how they will be mitigated at each stage of the lifecycle (focusing on vulnerabilities and impact).
  • A summary of the cyber security criteria utilized for vendor and device selection.
  • A summary of the relevant cyber security standards and/or best practices that will be followed.
  • A summary of how the project will support emerging smart grid cyber security standards.
In 20ish years of working in security, I have seldom found an organization that could create this level of cyber security detail within six months for an existing system, much less create it in 30 business days for a brand new project.

The infusion of SGIG capital has definitely gotten things moving, but we should all hang on. This looks to be a bumpy ride.

Monday, October 5, 2009

Conference Alert: SCADA and Control Systems Security Summit

Just the facts, M'am:
  • What: a gathering of like minded individuals intent on learning more about threats posed by systems not well known or understood by IT and Internet security crowd. Similar to mainframes in that they were originally conceived to run in an utterly disconnected world, early SCADA implementations (many still performing critical roles today) were designed with little thought to access control and authentication. Yet SCADA and other types of electronic control systems are as much a part of the emerging Smart Grid as will be the latest hardware and software offerings from CISCO, GE and SilverSpring. Because they have remained relatively obscure outside the operational utilities domain, developing strategies to secure them is now the order of the day as development of the Smart Grid leaps ahead.
  • When: 7-9 December 2009
  • Who: DHS, DOE, NERC and NIST will be there, joined by others from government and industry
  • Where: Washington DC (venue to be named)
  • How: For more info and to register, click here
Preparatory Resources
Photo courtesy of: Ian David Blum on Flickr

Surge Protection: The New Smart Grid Data Challenge

As has often been written, the advancements of the Smart Grid are founded in information. Data is used to inform consumption, to make rates more dynamic, and to enable the next-generation power prosumer. In reading a recent piece on potentially mandated Smart Metering in the UK, the Telegraph raises the issue of data handling relative to today's data management. In short strokes, 44 million homes were typically measured twice a year, making for 88 million entries for data. In the new system, every home is measured twice a day, meaning that those 88 million entries have now become over 32 billion. Now this sounds like a lot, and let's quickly look at the new challenges that arise for organizations seeing this kind of increase:
Data Center Expansion
The types and volume of data associated with Smart Grid use will mean a new need to bring Internet-style data centers into the complex mesh of Utility control systems
Data Organization and Retention
With Time of Use pricing and user charge recovery for power generated, a sizable subset of this data will no longer be simply transient and used in the aggregate. Individual elements will need to be captured and tagged for later retrieval over whatever period is chosen by regulators as appropriate for looking back.
Data Privacy
While there may be dubious benefit to stealing the private data from individual citizen's Smart Meters, it is naive to think that privacy concerns will not find their way into regulation, meaning that data will need as well, to be partitioned when needed longer term, destroyed when transient, and never left in an unknown state.
I led with the UK piece, because it does a relatively non-threatening analysis of data gathering trends from a Smarter Grid.

The US Smart Grid, however, has a series of challenges that expand on this by many times. Back in May, Beth Pariseau did a piece on Smart Grid storage for where she interviewed a variety of players, including Austin Energy's CIO, Andres Carvallo. The data usage trends described are nothing short of mind-boggling.

In the Austin Energy data, for phase one of the roll-out which included 500,000 meters, the increase in yearly data storage went from 20TB to 200TB, with disaster recovery redundancy. This is for 15 minute sampling, and first stage (appears to be largely home-oriented) integration. Ignoring smaller sampling frequencies (resulting in much higher data storage) necessary for some Smart Grid functionality, this presents a model of about 400 MB per meter per year. ( 200,000,000,000,000/500,000 ).

While this sounds mind-numbing, there is substantiation (and a reasonably close ratio) in the same piece, this from Pacific Gas and Electric, who added 1.2PB of memory (and growing) to support 700,000 meters, or over 170MB per meter per year. (This was sampling only twice per day).

What conclusions can we draw from all of this?

  • Massive Data is about to swamp existing infrastructure, requiring some hard thinking about how to architect, secure, segment, and deploy, the data centers that will accommodate it.
  • There is striking variability in the amount of data that organizations are expecting, seeing, and preparing for. Work is needed on what information should be gathered, what needs to be stored long-term, what needs to be tagged with user information, and what needs to be treated as private.
  • This is a new area for providers. The storage, record keeping, and maintenance of all of this data, particularly that which needs to be help for longer regulated periods, is unlikely to be a current function of the provider budget and functional organization. The steps to rationalize this area financially is critically important. Any plan to advance smart metering should include these costs in justification or grant request.
  • Every new idea for the Smart Grid, particularly those in the soft grid investment space must detail the additional burden they are likely to place on providers from a data acquisition, data management perspective.

    Like so much of our economy, these advancements are changing the Grid from a Power economy to a Data and Power economy. To survive and thrive these new requirements must be considered. In the medium and long term, those organizations which consider, and then capitalize on, all of this data acquisition, will find themselves in a much better position to add services, ensure satisfaction levels, and find new ways to make the Smart Grid even Smarter.

    [ And by the Way: In their August 2009 report on "Assessment of Demand Response and Advanced Metering", FERC presented a partial scenario (80M meters) and a full deployment scenario (140M meters) by 2019. Assuming that we feel comfortable in the midrange of the data descriptions used earlier, this would imply the need for the creation of infrastructures necessary to organize and manage roughly 100PB of information within the next ten years. Good luck to us all. ]

  • (SmartGrid diagram courtesy of US D.O.E).

    Friday, October 2, 2009

    Smart Money on the Smart Grid?

    The Venture Capital business is a brutal one. The process can appear to be like Darwinian Natural Selection on speed, as venture dollars drive multiple entrants into an emerging space in hopes that as the weak are weeded out, their own investments will survive and thrive. At worst, there is cold comfort in the fact that the compressed timeframes will help them to identify their own latent failures more quickly so that they can cut their losses.

    I was discussing this mechanism of investment acceleration yesterday with a colleague who does some later stage (profitable stable companies) cleantech investing, and he was remarking on the Klondike Gold Rush-like movement by some Venture firms into cleantech, and into Smart Grid startups particularly. The Smart Grid boom, in his view, is the first and closest child of the Internet boom. Biotech (another area of large investment) has been a very different model, with its long lead-times and eight or nine digit price tags. I had to agree. So much of the Smart Grid is looking like Soft Grid, and successful startups are bringing in management software, efficiency software, upgraded infrastructure and communications. It really does feel like the early days of the Internet, where technology startups faced relatively low costs to enter into a new market, where the existing infrastructure needed evolutionary enhancements pretty regularly, and where the established players were unlikely to step outside of the box to make those changes happen. In the Internet era it was telecommunications companies who provided both the enabling backbone and the lack of groundbreaking higher-level innovation that created the opportunity for entrepreneurs. Now it is the utilities' turn.

    In sheer numbers, the investment is amazing. The Cleantech Group reported yesterday that the cleantech sector accounted for 27% of venture investing in the second quarter, which shows how enormous this wave is, totaling over $1.5B for that period. They also reported that many of the largest investments went to firms which were also leveraging Government funding dollars. So, what does this foretell?

    It foretells a glut of new technologies, advancements, approaches, and failures. Larger organizations will be able to invest their own time and money on comprehending and capitalizing on the meaty part of the wave, while these new entrants stay at the crest, and either find the ride or the rocks as the industry approaches the first winnowing stages. Ordinarily, this kind of furious growth yields rapid progress, and markets and nations benefit from the rapid determination of good and stable solutions. Whether this will work for the Smart Grid is yet to be seen. The nature of power, and the economics of traditional utility finances can make this tumult and its turbulence a disaster.

    Venture investors expect to see failures, their models assume them. The Government investors expect to see, well, whatever. The government is funding policy through technology.

    Power providers and customers, however, can not be tolerant of too much instability, and so we hope that adoption of these technologies will remain proactive but prudent, regardless of the "energy" that all this investment may put into the grid.

    Image courtesy of flickr :