Tuesday, November 30, 2010

Smart Grid Security Lessons from WikiLeaks?

UPDATE: Brilliant IBM colleague Jeff Jonas's post on WikiLeaks implications and some potential first steps forward for sensitive-data-intensive orgs. Click HERE to read it.
We talked about this today a little on day one of the 2nd Annual Canadian Smart Grid Summit in Toronto. Not sure how the other participants felt, but for me, being in the early days of designing and deploying world-class security and privacy controls for the electrical utility industry in the wake of WikiLeaks makes me want to stop and reassess. Everything.

From an information security point of view WikiLeaks founder Julian Assange is a villain as dangerous as any penned by Stan Lee. And in Army Private Brad Manning, we've got the perfect lackey ... a worst-case scenario inside threat and substantially misguided youth who may not live to fully appreciate the damage he's caused his country and its allies.

Manning is no Megamind; far from it. The security flaws he overcame were policy shortcomings, not technical exposures.

While no organization is bulletproof, other sectors often point to the US DoD as an exemplar of security best practices. And who knows, maybe DoD has the best policy in DIACAP, the best internal and external guidance in the world, and the best tools and security controls money can buy. But you know what? Nothing prepares you for the thing you didn't see coming.

As North American utilities work to achieve and maintain rudimentary security via NERC CIP compliance, implement best practice cyber and physical security controls in IT and OT, and wrestle with how to best combat future threats as powerful as Stuxnet, WikiLeaks lessons should have them question every foundational assumption about what they're seeking to protect, how they're going to protect it, and from whom.

This Atlantic article, "How the Pentagon Hopes to Prevent More WikiLeaks Embarrassments," tries to shine some early light on potential ways out of this morass for the Pentagon and State Department. But for me, pondering enormous Smart Grid data flows in organizations that never had to segment and store anything like this before has me wanting to call a time out.

We've all got a lot to learn from Stuxnet and now WikiLeaks. It's much too much in too short a period of time to assimilate. But we've got to try. We've got some big decisions to make in 2011 and we'd better get most, if not all of them right.

Photo credit: Michael Vroegop on Flickr.com
