Tuesday, March 1, 2011

Smart Grid Security East Going Great, but Where are the SCADA/ICS Companies?

For folks who had the privilege of attending both the first conference in San Jose and this second one in Knoxville, there are several things that jump out at you now that we're more than halfway through:
  • Interest is up ... My guess is that there are 2 to 3 or maybe 4 times more attendees overall, and that a much higher percentage are utilities personnel. Also, the conference and exhibit area feels more robust, probably because there are many more sponsors and partner orgs involved.
  • AMI/meter vendors are getting better and better on security. I was especially moved by Edo Dubrawky's talk on how very thorough he and his team are on software security issues at every stage of the development lifecycle. Definitely seems like solid progress.
  • Still, after attending Travis Goodspeed's "Embedded Systems Vulnerabilities from the Bottom Up" session I don't think I'll ever trust any electronic device ever again (and that's going to make this job tough). You should see what he can do with toys, toasters, garage door openers and more. All the meter guys (and the rest of us) were paying close attention. So progress is happening, but determined super geniuses still can show we have a long way to go in many departments.

But my main issue is that while there's more coverage of Operational Technology (OT) SCADA and ICS security issues, to me it feels like we're still not doing nearly enough. Part of that is that the conference remains skewed heavily towards IT vendors and attendees coming from IT backgrounds. While some of the boutiques who provide OT security services are present, the big OT players should be here telling us how they're responding to Stuxnet's wake-up call in their current installed base as well as in their future designs. So, to that end ...

Dear Siemens, ABB and the rest: how about you attend next time and help make this the more meaningful, balanced and productive conference I believe the organizers intend it to be? Apart from the fact that we still haven't figured out, as an industry and a community, how to demonstrate progress to our stakeholders (i.e. measurement/metrics), inadequate consideration of pressing OT security matters is the biggest elephant in the room. An electric-sector security pachyderm we're going to have to deal with one way or another ... and soon.

Photo credit: Namibnat/Vernon Swanepoel on Flickr.com
