Monday, May 21, 2012

Measuring Security? In the Electric Sector? Are you Serious? Someone Is.

I tried making the case most recently with "Time for Electric Sector to Measure Up on Security" and "Smart Grid Security Truth: You Can't Do What You Don't Measure," but couldn't detect a measurable response.

Without a lingua franca for security, how will anyone ever know which organizations are doing a comparatively better or worse job? Whether one's own organization is kicking butt or having its butt kicked?

Chances are the only folks with this information today are the attackers who spread their attacks across dozens of utilities. They can see which ones offer an easier path in than others. But I don't imagine they're sharing this information too freely.

I'm tired of this ambiguity. Perhaps you are too. And so, it seems, is the State of California.

With this press release last month, the California Public Utility Commission (CPUC) announced its intentions:
Today [the commission] took action to ensure the effectiveness of Smart Grid investments by developing 19 metrics that will be used by Pacific Gas and Electric Company, Southern California Edison, and San Diego Gas & Electric to report on Smart Grid deployment, as part of annual reports to be submitted to the CPUC.
You'll see it also announces the creation of working groups to investigate, among other things, the creation of metrics related to cyber-security.

Of course, as some of THESE COMMENTS reveal, not everyone thinks this is a good idea. Or at least, not an unambiguously good idea. In my experience to date, security metrics are something individuals argue over, and never agree upon.

Maybe California can break the mold. I'd love to see it, even just a few baby metrics to get started. The industry will be so much better off when it moves decisively towards measurement.

Photo credit: BVincent1013 at