I soon learned my job was to stress to potential partners and customers that it was time to take stock. To sort out, if they hadn't already, what hardware and software their enterprises depended upon most. The idea being: you can't remediate what you don't even know you have.
Well, what do you get when you do a real inventory (also referred to as the practice of "asset management")? First of all, lots and lots of grunt work if you're being thorough. But beyond that there's plenty to learn about your own operations and efficiencies:
- How much shelf-ware (software your org bought but doesn't use) you're paying for in yearly maintenance/support
- As with the US Navy, how many redundant applications you have, and how much money you might save through consolidation (i.e., pulling the plug on the older, less functional, harder to maintain ones)
- How well your org adheres to policies that matter, like industry interoperability standards, or how many digits are required in the year field
How's this apply to Smart Grid security? Much of the work to be done to get ready for AMI and Smart Grid capabilities involves linking and integrating systems that were previously isolated from each other - that wasn't a Y2K survival requirement. Of course there are other big differences between preparing for Y2K and roll-out of the Smart Grid. With few exceptions, the Y2K window opened and closed in a 24-hour period, while new Smart Grid applications and equipment have been rolling out in fits and starts for several years, and will continue to arrive for the foreseeable future. And the threats to Smart Grid systems are infinitely more varied and complex than the year date problem was to computers more than a decade ago.
Jack and I maintain that you can't secure (or demonstrate compliance with) what you don't even know you have. You can't understand the most vulnerable junction points between your IT and SCADA systems if you're not really sure how one or both are secured on their own. It's hard to prepare to roll out needed enterprise access control or single sign-on capabilities when you have no idea how current users are granted or denied access to key systems pre-Smart Grid.
As more utilities turn to asset and portfolio management processes and systems as a precursor to doing Smart Grid right, there's reason to believe a resurgence of taking stock à la Y2K is at hand. And beyond being better prepared to operate in the highly interconnected world of the Smart Grid, there are additional benefits to be had for utilities seeking greater self-knowledge.