Tuesday, December 28, 2010

The Counterintuitive Security Benefits of a Sub-Optimal Smart Grid

Even though I’d always take the worst form of government in the world except for all the others, over all the others, sometimes one might be forgiven for longing for a country with an omnipotent, benevolent, entrepreneurial, clear-thinking, decisive, dictator (see above). Perfect, centralized direction could crush cultural and bureaucratic inertia, and make sector modernization a lot simpler than it is in some places right now. Right?

Consider the situation in the US and other countries where power, particularly power over power systems, is distributed across many organizations. Earlier this month, Pike Research Smart Grid analyst Bob Lockhart responded to a few questions regarding the state of grid security ownership. You can read this exchange HERE.

Lockhart notes that in the US, the bulk of the electric system (not to be confused with the Bulk Electric System) falls outside the jurisdiction of Federal authorities. The burden for guiding and protecting the distribution system belongs to the utility regulatory offices in each state, each which sets its own policy. It should also be noted that in the absence of Federal policy on privacy, that too is left to each state.

It's Good to be King
In countries where the utilities are 100% owned and operated by the government (not normally a very effective or efficient approach I am compelled to mention), the guy(s) in charge can move directly to issues of how they want to develop and operate their grid, how fast they want to modernize, and how much security rigor they want to enforce ... or not. I mean, who's going to tell them "no"?

But Kingship has its Limits
Lest we envy other authoritarian countries' ability to orchestrate grid changes too much, even the world’s most powerful, best intentioned dictator could only do so much with the current slate of challenges that comprise the overall Smart Grid security challenge. Imagine you were this dictator and wanted to bring rapid, comprehensive security improvement to your nation's electric infrastructure ... what would you do with the following:
  • Employee awareness and education. Email, web use, mobile, USB and other removable media safe use practices, etc. Would the death penalty for policy violations due the trick?
  • Ensuring compliance with emerging interoperability and security standards, internal and international. Actually, if you're a real pariah state, who cares about international?
  • Making sure new grid systems, those built by utilities themselves as well as by vendors in the supply chain, are developed with security baked in from the get-to, applying Secure by Design principals. This is important on both IT and operational technology (OT) systems like SCADA and Intelligent Control Systems (ICS). How to motivate the supply chain is a big issue. I mean, you can't kill your suppliers, right? 
  • Devising rules and standards for comprehensive security controls for grid systems, from generation, transmission, distribution, consumption and edge. You're going to SMEs for this,and unless you've completely sealed your borders, many of these folks long since departed to countries where they were paid fairly for their expertise.
In these issues and others, the dictator may find his wickets just as sticky as those facing other governments. And there’s another aspect that levels the playing field on behalf of countries with multiple layers of jurisdiction and guidance that varies by region or state. Countries with government owned monopolies may establish large, country-wide sourcing contracts which tend to homogenize the equipment that gets deployed. This is great for interoperability, but makes in easier for an attacker who, once in, can potentially cause great and widespread harm via a single point of attack (note: Stuxnet's apparent success on systems sourced from just two suppliers) .

The Security Benefits of Variety
Lockhart sums it nicely:
... countries with a government monopoly grid can take a one-size-fits-all approach. On the down side for them, that implies that a single attack against their entire national grid could be successful and there is probably a single point of attack for that grid. Here in the USA we have over 3,200 utilities -- some with millions of customers, others with a few thousand. So obviously they are not going to all be running on the same infrastructure and therefore the same security approaches will not work for all. It is not unthinkable that some smaller utilities will end up clients of service providers running cloud computing environments. Those will probably be private clouds, but still a centralized, third-party cloud. Personally I think that’s a good thing because small enterprises cannot afford as sophisticated security as a large-scale integrator of clouds will implement.
Agreed. So maybe the takeaway is that as much as we rail against and lament the chaos, inefficiency and sub-optimality of our current approach, it is, from a security perspective and with apologies to Voltaire: the best of all possible worlds.

Photo credit: Allstar/Paramount/Allstar

No comments: