Showing posts with label IT. Show all posts

Tuesday, January 3, 2012

New Book Educates and Guides Smart Grid Security Stakeholders

Between them, authors Gib Sorebo, energy sector security lead for SAIC, and Michael Echols, expert security consultant to many utilities including, recently, the Salt River Project in Arizona, have the chops to go deep into the technical weeds of grid security risks, challenges and solutions. Fortunately, however, in their just-published book on the subject, their aim is quite different than a technical tour de force:
For those who argue that one cannot secure a system without knowing how it works or the consequences of implementing the wrong security, this book is for you. Our goal is to make the Smart Grid and all its warts accessible to not only cyber security practitioners, but also to media, policymakers, regulators, engineers, utility executives, and even to consumers to understand the interplay between the automation of the electric grid and security.
Titled Smart Grid Security: an End-to-End View of Security in the New Electrical Grid, the book is very current, having just become available for purchase on Amazon and elsewhere in December.

There's much I could point out to you that's worthwhile, but the job of the blog is to alert you to the availability of a resource, and give you an opinion on whether it might be worth your time, not to do a full book review.

But to give you a feel for the types of topics Sorebo and Echols reach, consider this piece pulled from a chapter on operations and outsourcing:
Monitoring for cyber-threats through an incident identification and response strategy should extend beyond the traditional boundaries of the utility itself .... Vendors are typically connected to multiple utilities that are connected to multiple vendors ... the question becomes: if Vendor A is compromised, how many utilities does it affect? And how would those utilities know if they were affected or not?
Sounds pretty overwhelming, but this is not a scare book. Throughout the nearly 300 pages, they keep their descriptions of cyber risks, vulnerabilities and other challenges as dispassionate as possible. The passage above is followed by:
To mitigate [risks like these], utilities and vendors must begin to insert cyber security into their maintenance and support contracts .... If a vendor loses information deemed to be private, then they are generally required to report the fact that there was a breach .... However, there appears to be no legal requirements for a vendor that is compromised and that has direct access to a utilities' control system .... As part of a good incident response security posture, [increased] collaboration may be necessary in the highly interconnected organizations that support the bulk electric system including utilities, vendors and service providers.
So there you go. And there are more helpful details on this and many other topics for folks charged with bringing security capabilities to fruition. I highly recommend this book for anyone who cares that their grid is as reliable, efficient and secure as possible, even as it goes through the many changes involved in becoming a Smart Grid.


Sunday, July 11, 2010

Webcast: Smart Grid IT Systems Security

Just a reminder - this is a very high level intro to this topic, most appropriate for business folks and new initiates. If you're looking for more meat, much more detailed guidance is referenced in the presentation.

Also, looks like we've found a format that'll work for the webcasts. For best results, recommend you click on the "full screen" icon located in the extreme lower right-hand corner. OK then? Here's the latest from the series ... see what you think:

Friday, August 28, 2009

Internet Co's will Embrace Smart Grid, but will Energy Co's Embrace Internet?

This piece in MIT's Technology Review describes a few of the economic incentives for Internet companies like Akamai to investigate and invest in energy market-aware hardware, software and networking gear.
The ability to throttle back energy consumption could have another benefit for massive Internet companies, the researchers say. If an energy company were struggling to meet demand, it could negotiate for computation to be moved elsewhere; the researchers say that the market mechanisms needed to make this possible are already in place.
Expect much more of this in the near future from companies well versed in rapid adaptation via flexible, well managed IT operations. But what to expect of utilities and other energy ecosystem players? One of the patterns that's emerged from conversations we've had with industry is that most utilities have succeeded until now by purposefully avoiding aggressive IT innovation. The logic being that energy generation and delivery need to be 99.99% reliable, whereas IT and the Internet have a not undeserved aura of instability (see "blue screen of death" and the "three fingered salute" as well as recent pervasive troubles in Twitter-dom).

How a history and culture of IT skepticism will affect future energy co. adaptation to Smart Grid technologies remains to be seen ... but we'll be watching.

Monday, August 3, 2009

Cyber-Energy Security at USEA

I like this SAIC presentation from last month, in particular where it addresses which part of an energy org is the best one for addressing looming cyber-related security issues. The enterprise IT shop is recommended, though of course, many if not most energy co. IT operations are not prepared for the scope or complexity of this task as it relates to the Smart Grid. (more on this to follow).

It also does a nice job of characterizing cyber challenges in a way that seems right for this moment, but also would have been on target well before the dawn of the Smart Grid:
  • There is a growing focus on the impacts of risks and vulnerabilities to critical energy infrastructure
  • System complexity is growing through expanding interconnectivity of systems
  • Digital systems are proliferating, extending the electronic perimeter to new system components and participants
  • Lots of legacy investments that need to be secured alongside newer, unproven technologies
  • What level of investment and focus on securing infrastructure will be enough?