Showing posts with label business case.
Friday, October 11, 2013
Moving Beyond Technical: Use Security Governance Strategies to Integrate Security with the Mission
If like me you've come to the conclusion that a tech-centric strategy can only get us so far in energy sector cyber risk management, then you might want to see some of the source materials I've come across in my explorations.
The two I'll point to in this post are from Carnegie Mellon University's CERT program and PricewaterhouseCoopers' cybersecurity consulting practice. What they have in common is that they are both several years old. This is not VC- or DARPA-funded cutting-edge stuff. It's human-behavior stuff, and as such it's not on an upgrade path anything like iOS, Android, or "Next Generation" firewalls. But neither are these concepts rapidly deployable: you'd be hard put to find them put into practice widely at utilities in 2013.
Tuesday, January 3, 2012
New Book Educates and Guides Smart Grid Security Stakeholders
Between them, authors Gib Sorebo, energy sector security lead for SAIC, and Michael Echols, expert security consultant to many utilities including, recently, the Salt River Project in Arizona, have the chops to go deep into the technical weeds of grid security risks, challenges and solutions. Fortunately, however, in their just-published book on the subject, their aim is quite different from a technical tour de force:
For those who argue that one cannot secure a system without knowing how it works or the consequences of implementing the wrong security, this book is for you. Our goal is to make the Smart Grid and all its warts accessible to not only cyber security practitioners, but also to media, policymakers, regulators, engineers, utility executives, and even to consumers to understand the interplay between the automation of the electric grid and security.
Titled Smart Grid Security: An End-to-End View of Security in the New Electrical Grid, the book is very current, having just become available for purchase on Amazon and elsewhere in December.
There's much I could point out to you that's worthwhile, but the job of the blog is to alert you to the availability of a resource, and give you an opinion on whether it might be worth your time, not to do a full book review.
But to give you a feel for the types of topics Sorebo and Echols reach, consider this piece pulled from a chapter on operations and outsourcing:
Monitoring for cyber-threats through an incident identification and response strategy should extend beyond the traditional boundaries of the utility itself .... Vendors are typically connected to multiple utilities that are connected to multiple vendors ... the question becomes: if Vendor A is compromised, how many utilities does it affect? And how would those utilities know if they were affected or not?
Sounds pretty overwhelming, but this is not a scare book. Throughout the nearly 300 pages, they keep their descriptions of cyber risks, vulnerabilities and other challenges as dispassionate as possible. The passage above is followed by:
To mitigate [risks like these], utilities and vendors must begin to insert cyber security into their maintenance and support contracts .... If a vendor loses information deemed to be private, then they are generally required to report the fact that there was a breach .... However, there appears to be no legal requirement for a vendor that is compromised and that has direct access to a utility's control system .... As part of a good incident response security posture, [increased] collaboration may be necessary in the highly interconnected organizations that support the bulk electric system including utilities, vendors and service providers.
So there you go. And there are more helpful details on this and many other topics for folks charged with bringing security capabilities to fruition. I highly recommend this book for anyone who cares that their grid is as reliable, efficient and secure as possible, even as it goes through the many changes involved in becoming a Smart Grid.
Thursday, December 9, 2010
Pike's New Smart Grid Security Report Available
Boulder, Colorado-based clean tech research firm Pike Research recently released a comprehensive report on the current state and market size of the security business related to global Smart Grid initiatives. This is such a nascent market that you've got to give them credit for even attempting this project. And having seen it, I can say it's a darn good piece of work. You can see Pike's own description and the table of contents here, as well as register to pay and get a copy (yes, it costs significant money).
If you want to get a better feel for the experience of the lead author, Bob Lockhart, this detailed Q&A on Smart Grid security was just posted yesterday, 8 December 2010. There's a lot of goodness in the interview, and I like this comment on getting employees on the right (and same) page:
One area of security that gets too little attention in smart grids is employee awareness. It is critical for employees of utilities, systems integrators and other involved entities to understand what security is implemented, why it is there, and their responsibilities to support it. This requires a proactive education program. Whether we're talking e-mails, Web courses, or stand-up instruction matters less than that the points are gotten across to the workforce.
In light of this year's biggest attacks: the one targeting IP theft at Google and dozens of other large companies, Stuxnet, and Wikileaks, it's clear that employee awareness (and its lack) and behavior played a major role in all of them. In his big report, Bob tackles standards, business drivers and technology challenges too, and I think he describes it all with a substantial amount of mastery. Might be worth your while to check it out.
Photo credit: krytofr on flickr.com
Monday, November 8, 2010
Don't Bully Brave Smart Grid First Movers
Just a short one this week, but with a point I think is well worth airing. A few months ago I wrote a post called "Security isn't the Biggest Threat to the Smart Grid" in which I linked to, and commented on, articles taking a previously lauded utility and its partners to task for mistakes that appeared obvious in hindsight.
All I want to say is that we're all in exploratory mode and will be for some time. Much of the technology is new, the standards are still forming and the new business models are embryonic at best. We should profusely thank each and every utility that has the guts to move out early and take a few calculated risks. From them we get early views of what works ... and what doesn't, that can be leveraged by all who follow.
I'm sure that some customers and regulators will disagree, but from this lofty perch, you won't hear me beat up on any utility for taking the lead on security or other actions that help bring the shape of the future Smart Grid more clearly into view for all of us.
Photo credit: http://www.flickr.com/photos/pointshoot/
Monday, July 5, 2010
Opinion: Industry, not Utilities, Needs to Make and Better Articulate Business Case for Smart Grid Changes
Have you noticed there are rich veins of knowledge and experience in certain parts of the Web that aren't visible to Google? Well, if like me you dedicate some small part of your life to reviewing the reader comments that follow online articles on grid security and privacy, you'll feel like we ought to just throw in the towel on this whole Smart Grid thing right now. Actually, I've got my fingers crossed that those doom-spouting commenters are not representative of the general population.
However, you'll find a few places of real value for would-be Smart Grid implementors and advocates, similarly obscure to most search engines. Two LinkedIn groups in particular: SmartGrids - Energy & Water, and Smart Grid Security (you'll have to sign up for LinkedIn to participate, but that's not hard). There's some marketing going on, but also substantive discussions and debates on the present and future of the grid, led by folks who know the space first hand.
One of these nuggets was posted in the Energy & Water group by Paul Duncan of GSD Energy Consultants, a former Navy Chief Petty Officer whose career also includes several years building demand response solutions for GridPoint customers. On a thread posing the question of whether utilities personnel need to do a better job articulating ROI for Smart Grid projects, here's his response, from a sympathetic and pointedly self-critical perspective:
Therein lies the problem.
With rare exception, it is nearly impossible for personnel at a utility to keep up with the repeated shotgun blasts of information and technologies that are coming their way day after day. Not only are utility personnel generally ill-equipped to understand all of this new hardware and software, we, as an industry, have been evolving at a high rate of development speed, resulting in rapid transformation of capabilities and further confusion on the utility-side of the table. Industry folks love to talk about advanced power electronics, advanced software systems to aggregate distributed energy resources, real-time decision processes, and more.
Yet I see utilities struggling with the value propositions and implementations of AMI networks, let alone anything downstream (and technologically more advanced) of those platforms. This is because (although many of us hesitate to admit it) AMI does represent a large change within a utility -- a change in billing processes, a change in work flow, and a change in data management.
When the utilities' "do-nothing/zero change" model of risk avoidance yields a non-zero, positive fixed rate of return on deployed assets, we end up competing against the legacy knowledge level with technology and business processes that have higher perceived risk than the "do-nothing" alternative. In my opinion, we in the industry have done an extremely poor job at helping the sponsor within the utility get their hands around risk mitigation issues, resulting in limited pilots, limited results, and a failure to show convincing scalability.
I am a firm believer that until we, not utilities, can further quantify the ROI of our products and services, and do so at a risk-differential level that is not too far from the normal business risk-level of the utility, we will be stuck with limited pilots as well as slow adoption by our utility clients. We must do a better job in our product architecture to quantify the ROI of our products and services, so that the utility manager can reduce their learning curve, compare and contrast alternatives, and in the end, have a greater understanding of the technologies available from industry. Until then, I feel that "Smart Grid" will remain largely external to the utility, resulting in slow adoption.
I immediately responded to this piece because it speaks to what I have seen in the field as well. Basically, that there is no place in a utility for technology for technology's sake. And that risk tolerance compared to other sectors is super low ... and thank goodness for that. It's industry's job to formulate and clearly articulate low risk solutions that improve the lives of utilities personnel and their clients, and to arm their champions with the compelling evidence they'll need to get their projects prioritized.