Anyway, in the discussion of securing data for the Smart Grid, we are re-empathizing the two key points that we have made previously, and will continue to hit upon.
- A new and unprecedented volume of data is coming your way
You can either plan for it, and figure out how to secure it before the deluge starts, or you can simply let it all come and hope that the sheer volume of it will bury the evidence of your obvious lack of security forethought.
- Your data is not all one flavor or type
You need to break it up according to its security needs, its use in applications, and its likely combination with other types of data. Do this, and you may save untold hours and millions in efforts to partition it later, or to design a new series of systems that must first process the indigestible mass every time they need a new tidbit of data.
In the Hexad, the venerable characteristics of Confidentiality, Integrity, and Availability are importantly augmented by the additions of Control, Authenticity, and Utility. Through the addition of these new descriptors, there is a natural clarity that arises around the description of security requirements for various data and service components.
I have translated more complete descriptions of the Hexad here, from the recent Webcast:
This is a start, for those of you with less time or feverish interest to go very far for a more in depth treatment. For folks who would like a very good introduction, with examples, from the fellow who coined the term "Parkerian Hexad", Michel Kabay, I really recommend this self-playing PowerPoint presentation from his work at Norwich University, from his overview page, it is here, and while it takes a couple of minutes to load, I think it is a great introduction for those of you just digging in. It also concludes with a description of what IA jobs mean in terms of responsibilities. I think this is also prime fodder for individuals just digging into roles as security leads within utilities, or those of you looking to hire roles like that.
Why learn these terms?
Unlike many industries that adopt new technologies and new business models incrementally, the utilities industry is jumping into the mix with both feet. There is little room to slow the pace of integration of new IT technologies in order to stop and compartmentalize the areas of investment based on security concerns or characteristics. The situation that has been created is one of rapid change and rapid growth.
By attempting to apply the security characteristics, and by answering the questions that inform the identification of issues, there are many interesting issues that will be brought to light. Smart meter location is just an address. Pair it with a user, and you have an identity or privacy problem. Similarly, in the case of outbound or control data, authenticity, integrity, and availability are all key.
Creating a checklist for all of the data involved in an application, and then having a discussion of how these useful and discrete characteristics apply, will lead to a much earlier, and much higher level conversation about why this kind of focus on Smart Grid Security is necessary.