Tuesday, March 15, 2011

Smart Grid Security Truth: You Can't Do What You Don't Measure

Are you part of a Smart Grid security task force, working group, support group? No? Look to your left and look to your right. Chances are, one of those folks is. It's getting pretty crowded, with many folks and organizations toiling away trying to figure out what a future-state secure Smart Grid should look like layered on top of our largely insecure and aging legacy grid. Two things are certain: there are a lot of us, and we're awfully busy.

It reminds me of the wood-chopping anecdote inside Stephen Covey's The 7 Habits of Highly Effective People, which goes something like this:
A group of loggers is busy chopping away, doing great work under the supervision of the managers and achieving high productivity and throughput. Someone on a mountain overlooking the forests notices something and shouts "hey, you down there ..." Reply: "we are busy, and making great progress" ... and the person on the mountain yells "Wrong forest!"
Which is to say, we can chop all the Smart Grid security wood we want, but if we don't come up with a way to show our mountaintop-dwelling managers that we're working in a forest that matters to them, then it's all for naught. We have to remember that these are the folks who not only write our paychecks, but also approve the regulations, fund the R&D, and ultimately purchase the security products and services we present to them as solutions.

You know and I know that increased emphasis on (and competence in) cyber security is an absolute must if this grand initiative called the Smart Grid is going to succeed. Whatever would keep anyone, you might ask, from aggressively funding our activities and the security of this most critical piece of critical national infrastructure? Is robust Smart Grid security not as American as mom and apple pie? (Other countries may have to substitute patriotic foodstuffs here ... I'm going to assume reverence for mom is universal.)

Well, the answer to why we have to struggle for every last scrap of support is painfully simple: most executives and government leaders perceive no improvement beyond the status quo ... no change for the better from the current level of cyber risk the nation's electric utilities are already carrying.

Put yourself in their shoes for a second. Would you continue to allocate scarce human and financial resources, or prioritize legislation, for activities for which there is no clearly discernible business impact, result, or payback?

Look around inside our own tightly knit community and you'll quickly see that even the true Jedi masters have no ready tools for objectively describing the current state, or for referencing indicators that reveal improvement to outsiders.

So, how might we know if our many activities are helping? Why, through measurement and reporting, of course. And some folks out there have mentioned this to us in none-too-subtle fashion. In the recent Government Accountability Office (GAO) report titled "Electrical Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed," the lack of measurement tools was one of the primary findings:
The electricity industry is ... challenged by a lack of cybersecurity metrics, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. Experts noted that while such metrics are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combine to make the most secure system.
Furthermore, our experts said that having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
So, to help keep this long post from getting too much longer, I recommend a couple of things to you, dear reader:
  1. First, read the recent Gartner Group brief called "Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message" by analyst Jeff Wheatman. It's excellent, and helps map out what's lost in translation when executives try to understand security in their orgs but can't fathom the highly technical, specialized language that's used to describe it. It has some excellent recommendations for improvement, and while it's not energy sector-specific, it doesn't need to be. (Note: unless your org is already a Gartner subscriber, it's going to cost you a bit, but nothing close to what it costs having the funding rug pulled out from under your feet.)
  2. It's easy to think of reasons why security metrics (or, if you'd prefer, measurement) are difficult or impossible to do in our sector. So take that as a challenge and come up with one or two, preferably nice and simple, that'll have people saying "man, that's brilliant." I'd prefer they were high level and didn't require near-real-time sensor readings and massive analytics. Hint: how about something along the lines of Smart Grid and security maturity models?
Still with me? OK, let's do this thing.

Photo credit: tmorkemo on Flickr.com
