
Wednesday, March 5, 2014

Energy Firms Not Ready for Cyber Insurance?


Or so says veteran cyber insurance underwriter Lloyd's of London (via its syndicate Kiln), as quoted in a BBC article last week:
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out. Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.
Sadly, as the article goes on to say:
After such checks were carried out, the majority of applicants were turned away because their cyber defenses were lacking.

Tuesday, December 17, 2013

Whitsitt on What's Up with the NIST CSF

Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Cybersecurity Framework (CSF) for critical infrastructure; it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.

It's penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Administration (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result his perspectives and insights are unlike what you'll likely encounter anywhere else.

Tuesday, August 27, 2013

Declaration of Independence and Intent

I've been warming up and working in this space for years now, and if you've been a Smart Grid Security blog subscriber or an intermittent visitor, you may have noticed an evolution in cyber security thinking of sorts. Well, with changing the world as my goal, it's time to stop treading water and start swimming like I mean it. I just left IBM in order to bring a new type of security advisory service to energy sector organizations. Here’s a brief version of the concept:
You often hear that culture change is the hardest thing to accomplish in an organization. That may be, but to help put our sector’s cybersecurity preparations on a better course, I’m developing an approach focused on increasing organizational awareness and improving internal communications about the security issues that matter. It begins with senior leadership, extends throughout the enterprise and doesn’t stop until it reaches service providers and the supply chain. Most engagements will begin with an in-depth orientation briefing for senior stakeholders, followed by periodic meetings and dedicated hours of access so that I can be a resource whenever my input is needed.

Monday, June 10, 2013

An Industry Starts to Pivot: Electric Utilities' Shifting Business Models in the Rise of Solar


Amory Lovins and Karl Rabago saw this coming a long time ago.

Now the Wall Street Journal (not Grist, not Mother Jones, not Rolling Stone) references the EEI distributed solar dispatch from earlier this year and runs with it. Not just early/first mover NRG, but the old guard is chiming in too: AEP, Duke, Southern Co, NextEra, Dominion, PG&E ... you get the picture.

First up is Nick Akins, American Electric Power CEO:
On its face you would look at it and say distributed generation is a threat. But on the other hand we see it as an opportunity because our business is changing. There's no getting around it.
Other big utility CEOs join the chorus and soon the message is unmistakable.

Monday, April 23, 2012

Time for the Electric Sector to Measure Up on Security


Let me begin by saying I'm so sick of alarmists. We are implored to "Constant Vigilance!" by Mad Eye Moody and to constant vigilance we at the SGSB are committed. But not to constant cowering.

OK, that said, you may recall I have a jones for business metrics. So much so that lately I've been suggesting them to the DOE Electric Sector Cyber Risk Management Maturity folks for inclusion in the Program Management part of their model.

Amidst the latest spate of Smart Grid security fear and loathing (documented here and here last week, and earlier here and here, etc.), maybe what Congress, FERC, utility boards of directors, consumer protection groups, and the man on the street need is evidence that we're making progress on protecting the grid and its constituent elements from the various forms of lurking badness out there.

Maybe that evidence, to be readily consumed by all of the above, needs to be communicated in plain language. Let's agree that business language is plain language.

So let's begin with Enernex CEO Erich Gunther's GridSec 2012 monster keynote preso Pragmatic Approach to Utility Cyber Security and one slide in particular "Approaches that Fail". These should all be quite familiar to y'all by now:
  • Attempting to explain the situation technically
  • Overwhelming with statistics – number of attacks, names and types of attacks, enumerating systems potentially affected
  • Using the “sky is falling approach” – we’re doomed!
  • Depending on government and regulation to “fix it”
For me, this outstanding presentation was an expertly crafted electric sector extension of Gartner Group analyst Jeff Wheatman's seminal 2011 paper: "Why Communication Fails: Five Reasons the Business doesn't get Security's Message". I'm going to grab one of Erich's "Pragmatic Conclusion" bullets to segue to the next piece:
  • We need to be more well versed in the disciplines of the core businesses we are trying to protect
By apparently Divine intervention, Robb Reck's article, Making Security Metrics that Matter (to Business) was just published on InfoSec Island, where I found it this morning. The morning of the same day (today) I actually needed it.

Robb begins by asking security folks:
What are the strategic goals for your organization in 2012? Can you recite them off the top of your head? If you can't, you're not alone. The inability of enterprise security teams to answer those questions is one of the biggest obstacles facing our discipline today, and it's the biggest reason current [overly technical] security metrics do not grab the attention of organization leaders.
He provides some excellent large and small company examples and begins his conclusion with:
Gone are metrics like “vulnerabilities found” and “patch level.” In their place are metrics that directly address the priorities of the business. By crafting the metrics in the language of our business leaders, we are demonstrating the value of their security investment in a way that matters to them.
I'll begin and finish my conclusion with the one security business metric that rules them all: the appointment and empowerment of a Chief Security Officer (CSO), with purview across the entire enterprise, and the authority to set and enforce security policy in both the IT and OT realms.

Show the man on the street and others an expanding list of utilities with CSOs as described above, and you can bet they'll all be sleeping better at night. And maybe we can all get up before the next alarm goes off.

Photo credit: mnapoleon at Flickr.com

Thursday, March 29, 2012

GridSec Texas Wrap-Up: One More Time with Tweets

Here are a few of the tweets from myself and others from GridSec day 2 to give you a tapas-style version of what went down:
  • Erfan Ibrahim: a mosaic of entities hold liability for grid security, but customers usually know/interact with only one. #GridSec
  • At #GridSec, Darren Highfill says we're already paying for security, we're just not calling it that, invoking Russian Roulette metaphor.
  • Both keynoters said cyber security maturity models (like DOE's bldg now) & business metrics might reduce likelihood of legislation #GridSec
  • Brese & Gunther both said cyber security maturity models (like one DOE's bldg now) & business metrics might reduce likelihood of legislation
  • At #GridSec just asked DOE's Robert Brese & Erich Gunther what would utilities have to do to put Congress more at ease re cyber security ... 
  • Recommend using Gunther's #GridSec preso 4 coaching security folks on thinking/speaking in language that's understandable to business folks 
  • Enernex CEO Erich Gunther kicking off #GridSec day 2. Echoing yesterday's theme of connecting security w/ safety for better business comm 
  • At #GridSec good presentation on offensive cyber security aka Active Defense. Discussing Hactivism, Cybercrime, Cyber Espionage, Cyber War 
  • Strong messages from speakers @ #GridSec on importance to move from geek speak to business speak so those C level folks get #ICSsecurity 
  • Several presentations at #GridSec are finally linking security to safety. #ICS http://www.us-cert.gov/control_systems/icsjwg/presentations/spring2010/08%20-%20Walter%20Sikora.pdf is a preso given a couple years ago 
  • #gridsec You can stop the Stuxnet artifact, but private industry does not have the means to protect against nation-state adversaries 
What was different this time? Well:
  • Without any prompting, I heard metrics, and especially business metrics mentioned quite a lot this time
  • There was much discussion around control system security. In fact, one guy who attended the "Beyond AMI" panel yesterday said it was exactly because it wasn't about AMI. Duh!
  • As I said in a previous post and tweets above, linking security and safety was a common theme this time around
  • Lastly, we had more utilities here this time than ever before. Seems like a no brainer, but without their real-world, pragmatic "what works" insights, this effort wouldn't be half as worthwhile
Sad to see it come to a close, but close it always must. Re-connected with all the old folks, and met many new ones, and that was great. Didn't get to say anything like a proper good bye to folks so it looks like au revoir until October back on the west coast when we do this again. Andy

Monday, August 30, 2010

Security isn’t the Biggest Threat to the Smart Grid

You’d be forgiven for thinking, given the recent excitement over the Stuxnet virus (here, here and here) and other cyber threats, that this blogger believes security issues present the biggest challenge to the success of a national Smart Grid.

But there's something else that threatens the grand Smart Grid project on an even more fundamental level: we all have to believe in the goodness of this work enough to see it through ... even when there are setbacks. And sometimes it seems we might not.

The corollary of the oft-cited Field of Dreams baseball diamond axiom “If you build it, they will come” is the far less-often cited “… and if you don’t, they won’t”. In 2010 we’re still in the Smart Grid’s infancy, and while it’s not yet clear what the right way to build it is, the Boulder SmartGridCity case has shown that failing to plan and permit up front is one guaranteed way to fail. The net net is that the Smart Grid will not be fully deployed in Boulder … not for the foreseeable future anyway.

According to SmartGridNews, Greentech Media and earth2tech’s Katie Fehrenbacher:
The real problem is that [they] didn’t perform a cost-benefit analysis prior to starting the project. [Also] the group originally didn’t file for a “Certificate of Public Convenience and Necessity” … when the project started … a filing that would have enabled the PUC to cap costs of the project to protect rate payers.
Go back to an online debate we held on the Smart Grid Security Blog and the SmartGridNews site almost a year ago. We began with a post I called “First Mover Disadvantage”, turning a standard business school strategy on its head. The basic idea was that in these very early days, there’s far too much uncertainty (e.g., technology, standards, business models, regulatory environment, etc.) for companies, especially electric utilities, to get a jump on the market without enduring substantial setbacks and risk enormous costs for themselves and their rate payers.

Jack’s response, "Not the Lead Dog? Get used to the View", made the case that despite the uncertainty, those utilities with enough chutzpah to get their hands dirty, make mistakes, learn from them and press on, would command a disproportionate share of influence in the market over those sitting on the sidelines waiting for the eventual shake out.

I like both of these ideas, and surely a decent university debate team could make a lot of hay advancing either argument. But I’m going to say that the SmartGridCity project is an example of moving big and early and, in so doing, doing it wrong from the get-go. Projects this complex, with this many players, will inevitably be quite risky, and therefore must be managed extra carefully. There is less room for short cuts, and even when designed and managed flawlessly, they may still endure their share of lumps. These folks sealed their fate in the beginning, and added insult to injury by boasting so publicly about their achievements.

It’s that last part that bothers me the most, because the biggest threats to the success of the Smart Grid aren’t what you might first imagine: it’s not cyber terrorists, regulatory inertia, or flawed technology that most threaten the build-out of the US national Smart Grid. Rather, it’s a potential public perception that promised Smart Grid benefits aren’t nearly worth the costs, and that could kill it before it's born.

In the early days when we're still trying to figure out what works, there are going to be more Bakersfields, BG&Es and now Michigans for sure. But it's important that the industry ensure that success stories make their way to the media at least as often as the gotchas. I want to focus on the security challenges facing the Smart Grid, but won't be able to do that for long if we don't get the thing fielded in the first place.

Monday, July 5, 2010

Opinion: Industry, not Utilities, Needs to Make and Better Articulate Business Case for Smart Grid Changes

Have you noticed there are rich veins of knowledge and experience in certain parts of the Web that aren't visible to Google? Well, if like me you dedicate some small part of your life to reviewing the reader comments that follow online articles on grid security and privacy, you'll feel like we ought to just throw in the towel on this whole Smart Grid thing right now. Actually, I've got my fingers crossed that those doom-spouting commenters are not representative of the general population.

However, you'll find a few places of real value for would-be Smart Grid implementors and advocates, similarly obscure to most search engines. Two LinkedIn groups in particular: SmartGrids - Energy & Water, and Smart Grid Security (you'll have to sign up for LinkedIn to participate, but that's not hard). There's some marketing going on, but also substantive discussions and debates on the present and future of the grid, led by folks who know the space first hand.

One of these nuggets was posted in the Energy & Water group by Paul Duncan of GSD Energy Consultants, a former Navy Chief Petty Officer whose career also includes several years building demand response solutions for GridPoint customers. On a thread posing the question of whether utilities personnel need to do a better job articulating ROI for Smart Grid projects, here's his response, from a sympathetic and pointedly self-critical perspective:
Therein lies the problem.
With rare exception, it is nearly impossible for personnel at a utility to keep up with the repeated shotgun blasts of information and technologies that are coming their way day after day. Not only are utility personnel generally ill-equipped to understand all of this new hardware and software, we, as an industry, have been evolving at a high rate of development speed, resulting in rapid transformation of capabilities and further confusion on the utility-side of the table. Industry folks love to talk about advanced power electronics, advanced software systems to aggregate distributed energy resources, real-time decision processes, and more.
Yet I see utilities struggling with the value propositions and implementations of AMI networks, let alone anything downstream (and technologically more advanced) of those platforms. This is because (although many of us hesitate to admit it) AMI does represent a large change within a utility -- a change in billing processes, a change in work flow, and a change in data management.
When the utilities' "do-nothing/zero change" model of risk avoidance yields a non-zero, positive fixed rate of return on deployed assets, we end up competing against the legacy knowledge level with technology and business processes that have higher perceived risk than the "do-nothing" alternative. In my opinion, we in the industry have done an extremely poor job at helping the sponsor within the utility get their hands around risk mitigation issues, resulting in limited pilots, limited results, and a failure to show convincing scalability.
I am a firm believer that until we, not utilities, can further quantify the ROI of our products and services, and do so at a risk-differential level that is not too far from the normal business risk-level of the utility, that we will be stuck with limited pilots as well as slow adoption by our utility clients. We must do a better job in our product architecture to quantify the ROI of our products and services, so that the utility manager can reduce their learning curve, compare and contrast alternatives, and in the end, have a greater understanding of the technologies available from industry. Until then, I feel that "Smart Grid" will remain largely external to the utility, resulting in slow adoption.
I immediately responded to this piece because it speaks to what I have seen in the field as well: there is no place in a utility for technology for technology's sake, and risk tolerance compared to other sectors is super low ... and thank goodness for that. It's industry's job to formulate and clearly articulate low risk solutions that improve the lives of utilities personnel and their clients, and to arm their champions with the compelling evidence they'll need to get their projects prioritized.

Wednesday, January 20, 2010

Is the Smart Grid Inducing Labor?



"The fight is never about grapes or lettuce. It is always about people."
- Cesar Chavez

It seems there's a wire crossing happening amid the hard-working folks who are helping create and manage the Smart Grid. In spite of positive initial reactions to federal investment in the creation of the Smart Grid, the law of unintended consequences is bringing some consternation among the ranks of organized labor as Smart Grid programs move from philosophy to reality.

While the introduction of the Smart Grid Investment Grant (SGIG) program was applauded by many in the labor community as the beginning of a new market for skilled technicians (see: this AFL-CIO blog post, or this IBEW promotional video), some actual deployments are not being greeted as favorably.

On January 19th, 2010, the Kennebec Journal reported that IBEW Local 1837 was "speaking out against" a new Smart Meter installation project by Central Maine Power (CMP). It was funded to the tune of $96M through the SGIG with a total cost of roughly $190M. Seems that the project would likely eliminate some 141 positions over time, and that did not sit well with the union.

The tensions at CMP, however, are not unique. In October, a plan by the board of Memphis Light, Gas and Water Division (MLGW) received similar criticism from the IBEW, which noted that roughly 400 meter reading jobs would be lost in that plan.

So how can there be such a disconnect?
The Smart Grid comprises much more than just smart metering. It involves redundancy, resiliency, quality of power, ease of integrating renewables and storage, and more. Today's unfortunate reality, however, is that investment has been overwhelmingly skewed to Smart Metering. Smart meters, and the improvements in automating and "remotifying" the reading, turn-on, and cut-off of power, are seen as early wins. They do not appear to jeopardize the delivery of power, and can very quickly demonstrate cost efficiency by decreasing truck rolls. This is both a reaction to the government's emphasis on funding "shovel-ready" projects, and to the ease with which a utility can justify projects to regulators as cost-savers, paying off capital costs in short order through reductions in labor costs. As a result, the union teams, originally anxious to generate skilled labor to drive the construction of the next generation of transmission and distribution, are left instead with a short-term need for installers who will be wiring up the elimination of hundreds of jobs for their meter reading brethren.

What to do?
One of the factors underlying the development of the Smart Grid is very much people-related. We have written of it here briefly in the past, but it deserves another shot. An aging workforce manages the existing Grid, and it is retiring at a rapid pace, even in this tough economy. In an article from April of 2008 in "Power" magazine, the percentage of retiring workers is pretty daunting.

When we then look to the remedial measures that folks are taking, we see impacts related to new technologies:

Rightly or wrongly, about 90 percent of utilities are looking to use new technologies to augment the diminishing staffing, while they continue to employ traditional staff supplementation techniques.

New Smart Grid technologies are creating a raft of new opportunities for a new generation of skilled labor. Whether it is the implementation and management of transmission and distribution technologies within utility infrastructure, as already looked to by the unions, or the creation of new skills and laborers to assist in residential, commercial, and public construction of power systems that will leverage these new capabilities, the opportunities are many.

Within the greater IBEW, there are already efforts underway to help to address this need, including the "National Utility Training Trust", reported on here in "The Electrical Worker", and it looks like they are moving forward to capitalize on the growth in the Smart Grid.

As we have written about previously in the areas of IT adoption and data usage, well-trained personnel are vital to the security of the infrastructure as it grows, and these new resources can integrate security considerations into their own interactions and behaviors with the Grid and its computational components. New workers have the opportunity to advance their careers, their marketability, and their value, with a focus on these additional skills.

This growth though, is not going to come for free. The Smart Grid and the market for power will benefit from this new wave of skilled professionals, but some of that market and advancement will need to be cost-justified through transitioning and reeducating existing personnel. I hope that as the Smart Grid grows, the labor pool increases to fuel it, and organizations such as the IBEW Local Chapters become champions of that change and growth ... not adversaries, who could introduce impediments that might hobble the same workers they seek to protect.

Wednesday, January 13, 2010

First Mover Disadvantage in Smart Gridland


Moving first is widely believed to give you an edge in chess, and in tic tac toe, as everyone knows, the first mover can at least never lose. In the business world, according to Wikipedia, first mover advantage "... is the advantage gained by the initial occupant of a market segment. This advantage may stem from the fact that the first entrant can gain control of resources that followers may not be able to match."

Well, as you know, in the heavily regulated utility sector, it's not exactly a cut-throat competition. In fact, it's not a competition at all. But that doesn't mean it's not worth watching who's out of the gate first with AMI and Smart Meter deployments, who's received Smart Grid Investment Grant (SGIG) funds and is now obligated to deploy something of significant size, and who's holding back, keeping their powder dry.

The earliest of early movers (you know who you are in that big state just north of the Rio Grande), who began their own experimenting long before the SGIGs were a twinkle in the current administration's eye, are probably best positioned to make the right Smart Grid technology deployment decisions at the times and places of their choosing. But the new first movers, the 100 or so SGIG grantees who are now deploying thousands or millions of residential Smart Meters, are, IMHO, in a less than optimal position.

They are choosing hardware, software and communications tech well before most of the relevant standards (including security) have settled. They are moving before their customers, in some cases, are fully in tune with what's going on and how it will impact their bills or their service. They've often asked for rate relief to fully fund these deployments, and may well be asking for more in an unfortunately short amount of time when it turns out they've placed bets on the wrong vendor and standards horses.

From speaking with analysts, utilities, and some of their providers, my sense is: laggards may have a real advantage here. How's that you say? Here's how:
  • As long as they are active and attentive laggards, waiting, watching and learning, they may come to thank their lucky stars that their SGIG proposals were not selected
  • They can tinker with residential pilots that number in the tens or hundreds of meters, vs. thousands and millions
  • They'll have a longer lead time to educate and prepare their customers for coming changes
  • And laggard utilities will be able to select and deploy, with far more confidence than they can in early 2010, technologies based on a more mature, settled standards landscape
As the Latin proverb says, "Fortune favors the bold". Or maybe Bill Shakespeare has the words most appropriate here: "Discretion is the better part of valor." For the moment, hold your course laggards, but watch, learn, and get ready for your turn.

Photo Credit: CarbonNYC / David Goehring @ Flickr

Friday, June 12, 2009

All Want to be the Cisco of the Smart Grid

By which they mean the dominant provider of essential, ubiquitous and lucrative hardware and software to build out the massive beast called the Smart Grid, the power distribution network analog of the ever expanding Internet. Here's how Investor's Business Daily describes the tussle to become the Smart Grid's 800 pound gorilla:
Leading the way among startups is Silver Spring. It's raised close to $200 million from venture capitalists and other investors and been dubbed by some in the green movement "the Cisco of smart grid." The catch: Cisco also aims to be the Cisco of smart grid. Networking gear leader Cisco Systems has proclaimed smart grid as its next billion-dollar business. But also looking to be the Cisco of smart grids are IBM, General Electric, AT&T and Silver Spring investor Google, among others.
Sounds like it could become the mother of all VHS vs. Betamax wars. Hope the winning vendors and formats arrive with significant security baked in, else you-know-what will ensue.

Tuesday, May 5, 2009

A Wave of Smart Grid Security Solutions is Building

You can expect more and more of these announcements in coming months as the press coverage amps up awareness (and concern) about smart meter and smart grid vulnerabilities, and security solutions providers (pick your metaphor): smell blood in the water and start jockeying for position. Here's how Industrial Defender and InGuardians phrased it in yesterday's press release:
The combination of Industrial Defender's industrial control and SCADA expertise, coupled with the AMI cyber security assessment capabilities of the InGuardians team, is a key building block of the Smart Grid initiative and will ultimately provide industry leadership and expertise toward its protection.