Showing posts with label economics. Show all posts

Tuesday, October 15, 2013

From DOD Energy Blog: Time for a US Oil Change?

Navy refueling at speed
To grid heads no other incident did more to change our business than the great Northeast Blackout of 10 years ago; it's a big reason there's such a thing as the Smart Grid Security blog. But I'm cross-posting this from DOD Energy blog as it reflects on the singular most important energy event in some of our lifetimes. One which changed the nation, changed the global economy, and continues to reverberate 30 years after.

On the heels of last week's post on China surpassing the US to become the biggest oil importer, two recent articles ponder oil's place in our world, particularly in light of how it was used as a weapon against the US during the Arab-Israeli War.

The first, Does OPEC Still have the US over a Barrel? brings the events of those days back vividly. If you're old enough, this will conjure up a scary memory. If you're young enough, this may sound like a Tom Clancy (RIP) novel, but it was far too real for those managing the crisis in 1973:
“I’m sitting at my desk at the Pentagon,” recalls James Schlesinger, then secretary of defense, “and a cable comes in, and it reads: ‘In accordance with the orders of His Majesty, we are obliged to cut off all oil supplies to your 6th Fleet and to your forces in western Europe. Signed [Saudi oil minister] Zaki Yamani.’ ”

Monday, April 29, 2013

More on the Model: are Utilities Planning for the Future or Hoping it Doesn't Come?


A few weeks ago I posted about threats to the traditional investor owned utility (IOU) business model and I'm still soaking in what EEI and others are saying. Since then, I:
  • Attended a presentation on the future of renewables at MIT given by energy futurist Dr. Eric Martinot. You can download Martinot's full 2013 report HERE and follow his periodic updates HERE
  • Also had a great conversation with another energy futurist, Chris Nelder, after reading his Greentech Media Article titled "Adapt or Die: Private Utilities and the Distributed Energy Juggernaut". Nelder's personal site is HERE
  • Read THIS from Bloomberg, a name not normally associated with wild or starry eyed cleantech visions. Bloomberg analysts are predicting very strong gains with renewables comprising up to 37% of total power produced by 2030
I'm not a self-proclaimed futurist, nor do I play one on TV or the Web. And I know if I were on a debate team, I could find plenty of arguments (e.g., low-cost natgas, the end of renewables subsidies, slow uptake of EVs, etc.) for thinking it'll be business as usual for IOUs for decades to come.

Tuesday, April 16, 2013

Energy Security Update: Renewables Economics Hitting German Utilities Hard


A week or so ago I posted about an EEI report warning that many if not most utilities are ill equipped to adapt to shifting business models arising from the build-out of distributed energy generation technologies.

In what some call a vicious cycle, the more technology allows customers to partially or fully remove their loads from the grid, the fewer payers there are to support the maintenance (let alone the modernization) of the grid's vast and aging infrastructure. I also asked readers to consider the implications for cybersecurity thinking and spending in the context of these types of mounting economic pressures.

Now I've got another article for you ...

Wednesday, April 10, 2013

It's Hard for Utilities to Improve Security when Their Business Models are Increasingly Insecure


This one's not about security, unless you consider the well-being of the utilities who own and operate most of the grid to be security related. In which case this post is completely about security!

Greentech Media (GTM) has just written a short piece highlighting some of the take-aways of a new Edison Electric Institute (EEI) report called "Can the Utility Industry Survive the Energy Transition?" and I'd say both the GTM article and the full EEI report are well worth your attention.

Wednesday, April 25, 2012

Re-Calibrating Cybercrime Costs and Responses


A few days ago the NYT published an article called "The Cybercrime Wave That Wasn't". What !?!

I read the title again, cleaned my glasses, counted to ten, took a deep cleansing breath, and looked at it again.

It still said the same thing. How disappointing. But maybe, I thought, it was just another piece of anti-sensationalist faux-journalism.

Here's a slice for you:
Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
If you read the article, the authors unpack their analysis that shows the upward bias and roundup errors that appear "among dozens of surveys, from security vendors, industry analysts and government agencies" and they note that they "have not found one that appears free of this upward bias."

They don't go as far as you'd think they would if they were true anti-sensationalists, because they remind the reader that even though actual cybercrime losses appear to be much lower than the many reports on the subject indicate, there's still major cause for concern:
... this is not a zero-sum game: the difficulty of getting rich for bad guys doesn’t imply that the consequences are small for good guys. Profit estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem.
Sounds pretty fair and balanced to me. And so I was well prepared when Computerworld (and many others) reported yesterday that an analyst firm called Group-IB after reviewing the Russia cyber underworld's 10Q and 10K reports, audited by an unnamed Big 4 accounting firm, estimated that Russian cyber criminals bagged $4.5 billion last year.

Inclined now to be skeptical of large numbers in this area, I asked someone who should know, and he said the absence of a methodology section in the report made it hard to take the claims seriously.

Of course, since you already know I'm a card carrying member of AAAJOA - Anti-sensationalist, Anti-alarmist Amateur Journalists of America, it may be hard to take my post entirely seriously. But I like the fresh perspective the NYT authors, Dinei Florencio and Cormac Herley, brought to a topic which we've all been rather slow to question in the past. Kudos.

Image credit: Public Domain Photos on Flickr.com

Friday, December 9, 2011

Go On Admit it: You're Exposed and Vulnerable on the Holi and all the other Days


What began last week with a call for a new set of security attributes, now continues with a fleshing out and update of our thinking re one of the key security constituents: vulnerabilities.

In his latest mega-post, you'll find some cyber security truth telling that's as much psychology as technology. With Sigmund F staring you down, one arm akimbo, the other hoisting a cigar, Jack begins with a consideration of how much emphasis our society places on identifying and remedying personal weaknesses of all kinds, and the effects thereof:
... most people overreact to their personal insecurities, and even those imaginary weaknesses can create wholesale changes in behavior.
And then quickly pivots to the cyber security realm:
Once we switch tracks to begin the discussion of vulnerabilities within software or systems, our nature somehow changes. We stop compensating and obsessing, and begin the easier tasks of ignoring and rationalizing. We do not treat vulnerabilities as potential disasters, and we definitely do not get therapy to help us talk through the underlying issues that have created our vulnerabilities and insecurities. We seem to just move on, waiting for the actual disaster to prod us into some reaction to problems we had known about (at least in the abstract) for a good long time.
We build armies, navies and air forces to protect ourselves from actually and potentially hostile other nations. With some exceptions, we buy and don expensive helmets in case we fall or get hit when riding our bikes. We wash our hands in an attempt to keep potentially harmful germs at bay. So why do we think of cyber security threats and responsibilities differently? 

The FULL POST offers more insights and potential solutions. And if you want more Sigmund, and a little bit of Carl, you go see David Cronenberg's latest film which features both of them: A Dangerous Method.

Tuesday, September 20, 2011

This Week the Economist Loves and Hates the Smart Grid


I confess I typically love The Economist magazine. Its tempered and wide-ranging world news reporting and "tough love" takes on the US culture and economy form a nice middle path at a time when many media outlets have gone decidedly left or right.

But while it's unusual for me to find much fault with their news, the opinion piece in this week's issue "Reliability of the Grid: Difference Engine - Disaster Waiting to Happen", about the recent San Diego outage and the current state of the grid really rubbed me wrong.

By now you probably know the drill:
What is rarely mentioned in all the proselytising about the smart grid is that it adds a vast layer of hackable points to the network—some 440m by 2015, according to Lockheed Martin’s Energy and Cyber Services. Every smart meter in the home will be a hackable device. The same goes for all the routers at substations. As the saying goes, if you can communicate with it, you can hack it. Today, you can cut off the power to someone’s home by shinning up the nearest electricity pole and throwing a switch at the top. Once smart meters become widespread, you will be able to do that remotely, from the far side of the world.
Proselytising? Jeez. Security challenges are "rarely mentioned"? Yeah, right. This blog's primary mandate is countering, in its own modest way, the overwhelming ratio of FUD-based Smart Grid scare articles with ones that tell a fuller, albeit less dramatic, story. And thank you, large defense contractor, for adding fuel to the fire (not). The author of this Economist piece went back almost a year to find a FUD-soaked interview with a now-departed Smart Grid security practice manager for the 440 million hackable points factoid. There's more I could say about this excerpt and the rest of the article, but let's move on. This is supposed to be a short, readable post after all. Get in, get out.

In a piece dated one day later, September 17th, titled "Energy in Japan: Out with the Old", we get the counter-argument for a Japan recovering from Fukushima:
Japan needs a smarter grid, with electricity prices that vary according to demand. Power should cost more when demand is high and less when it is low, giving people an incentive to run the washing machine in the middle of the night. It should also be simple for new producers of electricity—from clever start-ups to big industrial firms—to sell power back to the grid.
Nice, but oh so different in content and tone. So what's your ultimate recommendation, Economist? Should we freak out and do our best to scuttle all local, regional and national Smart Grid initiatives due to the looming horrors you describe in article 1? Or should we keep our heads on straight, and build out the Smart Grid for the sound economic reasons you give in article 2, while working overtime to ensure it's as safe and secure as possible? Inquiring minds want to know.

Photo credit: Steve Snodgrass on Flickr.com



Monday, July 25, 2011

Attacking Trends

Thanks to an energy infrastructure-focused former Navy officer (but not Mike Assante) for distributing a link to this article over the weekend. That's the way security folks are btw. The weeks often blend seamlessly into and through the weekends. And it's neither good nor bad that they do. It's just the way it is. And it's the way they are.

You'll find this piece to be part history review, part current situation update, and finally prognostication about where cyber attack trend lines are pointing. Overall, there's a lot to like in this Freakonomics article, but here are the two paragraphs that stood out the most for me.

The first comes from cyber security pundit and blogger Bruce Schneier. To the question of whether things are actually getting rougher out there or do they just seem that way, he concludes:
It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.
I like that last line of course. And then there's this from security researcher Tal Be’ery of security product company Imperva, who paces us quickly through the evolution of cyberspace and the increasing value of what we (and the bad ones) can find there:
Here’s where we reach a critical problem: companies are poised for the old cyber security model which was designed to keep the bad guys out. However, the same convenience that allowed individuals to access data from their living rooms meant hackers could too, say from a Starbucks, or a dorm room or Timbuktu. The old paradigm—keep them out—stopped working. Protecting the network, while still important, became secondary to protecting data. Few have recognized this evolution—except hackers. Today, of the $16 billion spent on security [cross sector], less than 10% goes to data protection.
I'd add application security to data security to cover not just the target, but the new primary attack vector as well. Network and system security, as the saying goes, are necessary, but these days, far from sufficient.

You can read the full article HERE, and I recommend you do. There's a lot more to it.

Tuesday, May 31, 2011

Reading the Smart Grid Tea Leaves in the Era of Abundant Natural Gas, Falling Renewables Prices, and Perpetual Cyber Attack

Heck, these aren't tea leaves, these are clear direction signals, neon lights flashing what's coming in letters 100 feet high. The late-night rantings of some cellar dwelling blogger? Far from it, everything below was on the May 31, 2011 front page of the Wall Street Journal when I made my customary pilgrimage to wsj.com over the first coffee of the morning:
Renewables costs are falling and will continue to do so. For this we leave the Journal and turn to a guest blog at Scientific American:
The cost of solar, in the average location in the U.S., will cross the current average retail electricity price of 12 cents per kilowatt hour in around 2020, or 9 years from now. In fact, given that retail electricity prices are currently rising by a few percent per year, prices will probably cross earlier, around 2018 for the country as a whole, and as early as 2015 for the sunniest parts of America.
10 years later, in 2030, solar electricity is likely to cost half what coal electricity does today. Solar capacity is being built out at an exponential pace already. When the prices become so much more favorable than those of alternate energy sources, that pace will only accelerate.
This is even better, from ABC News in Australia: Renewable energy will only get cheaper: study.

Question 1: Can the current grids handle the projected levels of natural gas and intermittent renewable power in Germany and elsewhere? Part of the solution may be GE's new highly efficient and fast ramping turbine that should make natural gas a better renewables backstop. But surely it'll take more than this.

Question 2: Can we build out the new grid in ways that make it reliable and secure enough to handle all this change? That remains to be seen, and remains the ongoing subject of this blog.

OK, time for more coffee!

Tuesday, April 26, 2011

Getting Very Tired of Smart Grid (and other) Security Whiners

I think I still have a little hangover from yesterday's post where I linked to a piece that had senior people worrying very publicly about the potential security shortcomings of the increasingly smart grid. Then this morning it hit me: I'm sick and tired of wimps, Chicken Littles, Eeyores, Glums (see TV show: The Adventures of Gulliver), etc., who spend all their time covering up and encouraging the rest of us to do the same.

I don't want to associate with those who live their lives in fear. I don't want that rubbing off on me. I'm focused on learning, helping and building, as are most of the people I am closest to, in work and in private life.

And here's an antidote to fear mongering if you want one: a short paper just penned by a US Navy Captain and a Marine Colonel that attempts to set a strategic course for the USA. You'll get the gist of this 15 page document from a short excerpt from the preface:
Porter and Mykleby give us a non-partisan blueprint for understanding and reacting to the changes of the 21st century world. In one sentence, the strategic narrative of the United States in the 21st century is that we want to become the strongest competitor and most influential player in a deeply inter-connected global system, which requires that we invest less in defense and more in sustainable prosperity and the tools of effective global engagement.   
Investing less in defense will certainly trigger some Pavlovian alarms. But I get from it that the focus is less on money, and more that we would seek a less defensive posture, a less defensive mindset. Instead, we would arm ourselves to the teeth with technological innovation, improved education, and accomplish force projection through getting our economic house decidedly in order. Think about the global shock and awe produced when our books are balanced and our economy roars back into life aided by neither smoke nor mirrors.

Here's a new National Strategic Narrative when you're ready to lose the fear and stride confidently into the remainder of the 21st century. And no, I'm not in la la land. A big part of this is securing the grid and ensuring our future energy needs are adequately, if not abundantly, met.

Tuesday, November 23, 2010

I Mind this Gap: The Distance Between the Future Smart Grid and Today's Mix of Security Challenges


For a critic of alarmist, sensationalist Smart Grid headlines, I'm a bit surprised the blog editor in me approved this one by the blogger in me. But to dust off a 50-cent word from grade school writing class, it was the juxtaposition of two statements made in the past few days that got me going.

One is a great reminder of the very many compelling reasons we're building this thing, from one of the industry's most articulate Smart Grid advocates, GTM's Senior Smart Grid Analyst David Leeds. The other is a sweeping cautionary statement on Stuxnet-like threats made last week by one of the most respected security minds in the business, former AEP and NERC CSO Mike Assante (now CEO of NBISE).

Here are a few snippets from Leeds' piece. First, what the Smart Grid will do for us:
The ... smart grid will not only bring new communication capabilities to mission-critical grid devices and end-user appliances in order to optimize energy efficiency, reliability and security, but will also serve as the enabling platform to plug in the next generation on clean energy technologies, such as rooftop solar systems, wind farms and electric vehicles.
And from an economic perspective, why we need to build it now:
While today’s distribution grids, lacking real-time visibility and control, are largely running blind and consequently costing the U.S. economy approximately $100 billion to $150 billion each year in power outages, tomorrow’s grid, much like the human body’s own nervous system, will have sensory intelligence embedded throughout, giving the grid the ability to anticipate disruptions, and even to self-heal.  
OK, I'm motivated ... let's build this sucker stat! But hold on ... the gap I'm referring to in the title is, of course, the yawning chasm between what you hear Leeds saying must be done, and Assante's message (which we're about to get to), which communicates that as a nation, we're not ready for this.

Mr. Assante is not an alarmist - far from it. In fact, that's why his word counts for so much in this space. But his vocation and experience put him perpetually on the lookout for issues that bring risk to critical infrastructure systems, and when he sees one, his job is to sound a considered, highly targeted alarm audible to senior decision makers, which is what he just did in Washington.

Here's one of his first points - it sets the high-level stage for some of the more granular suggestions he makes later on:
Developing and implementing effective indicators, defenses, and countermeasures to cyber threats like Stuxnet demands that we look not just to the security community but also to the system designers, planners, engineers, and operators of our essential technology and physical infrastructures. We must take a prudent and proactive approach that enhances our ability to learn and apply knowledge fast enough to manage the dangerous consequences that come with these types of attacks. We can no longer ignore known system weaknesses and simply accept current system limitations. We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts address the highly-advanced security challenges facing our cyber-dependent critical infrastructures.
That's a lot, a whole lot. Maybe too much to hold in main memory. But then he puts a finer point on it, shining light on operational systems ...
No one should be shocked that cyber exploits can be engineered to successfully compromise and impact control systems. Study after study has identified common vulnerabilities found across control system products and implementations. The exploitation of a hard-coded password design in one vendor’s implementation will not be an uncommon or isolated occurrence.
And finally, towards the close, here's one of several actions he recommends:
Require critical infrastructure asset owners and control system vendors to report industrial control system specific security incidents and the U.S. government must provide up-to-date information to asset owners and operators on observed adversary tactics and techniques, especially when investigations reveal attacker capabilities to side-step or exploit relied upon security technologies.
Not a full solution, mind you, but certainly a firm step in the right direction from where we are now: make more information available to the community so we can more quickly adapt and update our defenses. Today in the energy sector, there's nothing like this. Hence, a gap in knowledge.

Then there's this: the concern that Stuxnet's massive penetration strategy, which defeated most current cyber defenses, could be armed with more broadly targeted payloads in future versions, and that concern is definitely getting attention. But less obvious, yet almost as much of a concern, is that a focus on High Impact Low Frequency (HILF), a.k.a. advanced cyber threats, might prompt utilities to take their eyes off more mundane, but nevertheless serious, day-to-day attacks on their systems.

This second gap is the one in setting security priorities ... between preparing for advanced threats and ensuring that essential security best practices and defenses are maintained to combat everyday threats from malware, criminals, insiders, etc. There's crawling, walking, then running, and so far on securing the electrical infrastructure, most would say we're crawling. And then there's walking and chewing gum at the same time: preparing for diverse threats and doing a good-enough job on all of them. This is not a job for wimps, and it's going to take a long time before we see significant progress.

So let's end with David Leeds, alright? When security challenges seem overwhelming it's always helpful, for me anyway, to revisit why we're putting ourselves through all of this in the first place.
[The] U.S. is hardly alone in promoting smart grid as an economic growth engine; virtually every major economy is now either piloting or deploying smart grid technologies, and it’s now understood that you can not run a digital 21st century economy on a 20th century grid.
Maybe we can fuse Leeds' economic drivers with Assante's security cautions and recommendations and come up with a middle-path approach that keeps attackers at bay and keeps the LED lights burning bright.

Click HERE for more on HILF threats and what we might do about them.

Photo credit: Cindy Andrie on Flickr.com

Monday, November 15, 2010

Upbeat Utility Economics Update

When you're in the trenches with utilities looking at day-to-day challenges with a lot of granularity, it's easy to lose track of the bigger picture trends. For example, we're almost always talking about how many utility folks (internal and contracted) it takes to implement NERC CIP compliance programs. It's a lot of course, especially for orgs who always feel resource constrained ... and of course, are aging by the minute.

And the fourth version of the CIPs, with its expanded scope, only promises to add to the workload, and the expense. But guess what? High above these electric sector security and governance skirmishes float financial analysts. Picture them as smartly suited genies on flying carpets woven from $100 bills, foretelling the economic future sector by sector.

And what are they saying of our beloved one? Here's a starter from "Utility Stocks Energized" in this past Sunday's WSJ:
"It's funny to say 'growth' and 'utilities' in the same sentence, but it's more of a growth sector than people think," says Jamie Cox, managing partner at Harris Financial. What's powering this growth? A building boom. Some higher-potential utility companies are upgrading their power plants, building out transmission lines or expanding into renewable-energy markets such as solar -- all of which could help boost future profits and dividends.
So how do you like that? As various pundits ponder the lethargic pace of the clean tech revolution and others pronounce it much ado about nothing, those in the rarefied air of the brokerages see what's plainly in front of everyone's noses, and signal that it is good.

Will "energized" investors' new flows of money further spur the infrastructure modernization and build-out of Smart Grid capabilities? How deep into a utility operation might those funds trickle down? And if the money does come, how soon can it be expected? I might have to leave all of this to my MBA friends, but IMHO anything that communicates confidence in the economic vitality of the sector only serves to embolden the community further.

And what of security? Sounds like there are going to be a lot of new and somewhat complicated systems to protect. And maybe, maybe more so than in the past, it might just feel like there's some money available to afford the necessary protections. We'll see.

Tuesday, April 20, 2010

Pushmi-pullyu: Utilities and Regulators Tussle over Forward-looking Projections vs. Backward-looking Reporting

What matters more for forecasting: imagining where you're going or describing where you've been?

We've had talks with utilities who, facing looming, life-altering technology, regulatory and business model changes, are trying to do more than merely recount the budgetary planning steps they've taken in previous years. We've also spoken with ones who aren't ready for this kind of change and don't want to hear about "future test years," for example.

But as the Washington Utilities and Transportation Commission (UTC) noted several years ago:
"... as imprecise as forecasting may be, projected test year data based on reasonable forecasts should consistently come closer to expressing future conditions than purely historic data will."
I'd say that's doubly and maybe triple-y true given the current and foreseeable state of major flux the industry is going to be in for the next bunch of years.

What has set this in motion, at least in part, is the Energy Independence and Security Act (EISA) of 2007, which lays out the requirement for utilities to get more future-oriented in their thinking and planning. Here's the applicable part (Section 1307) that's causing some contention:

(a) Section 111(d) of the Public Utility Regulatory Policies Act of
1978 (16 U.S.C. 2621(d)) is amended by adding at the end the
following:

(16) CONSIDERATION OF SMART GRID INVESTMENTS-

(A) IN GENERAL- Each State shall consider
requiring that, prior to undertaking investments in
non-advanced grid technologies, an electric utility of
the State demonstrate to the State that the electric
utility considered an investment in a qualified smart
grid system based on appropriate factors, including:

(i) total costs;
(ii) cost-effectiveness;
(iii) improved reliability;
(iv) security;
(v) system performance; and
(vi) societal benefit.

Sounds like a great idea to me, but of course I'm far removed from the operational trenches, not to mention the politics involved in these activities. As other language in the act stipulates, states don't have to play along with this guidance, and as this GTM article points out, North Carolina is just saying no. In the ensuing policy vacuum, that leaves the state regulatory org, the NCUC, battling it out over what its utilities (Progress, Duke, Dominion) should be reporting on.

Fortunately, security reporting has survived in both the proposed NCUC guidance and the counter-proposals of two of the three utilities involved. But it seems to me that in an industry where many of the constituents are embracing new information and energy technologies, new relationships with its customers and partners, and new ways of defining and monetizing its capabilities, stalling on EISA is a short-sighted rear-guard action.

In any sector, little, including security posture, is enhanced by clinging to outmoded planning and reporting practices. In battles between the past and the future, the future (almost) always wins. It'll be a great thing for all involved when the entire industry is moving in the same direction.

Imaginary animal credit: http://3dcadnews.blog.com/

Monday, November 16, 2009

Seeking a Balanced Perspective: How Cyber Risks to Grid are and are not MAD


As you may suspect by now, Jack and I are not fans of alarmist language. You won't hear us using terms like "Cyber Pearl Harbor" or "Cyber 9/11" unless our purpose is to debunk them, as Jack did quite thoroughly on his former blog, Suitable Security, here. We find that hysteria is not a particularly promising state of mind to be in when one is attempting to make the world better, safer and more secure. And that's the lead-in to this second post re: the recent 60 Minutes feature on ominous trouble in Cyberland.

Oh, one more thing before the post really starts -- I should explain the kitten. This kitten is here to help you relax. OK? Let's begin.

MAD, or Mutually Assured Destruction, is a Cold War-era term which neatly describes why nuclear deterrence works and has so far kept our planet from being reduced to a glowing ember from a massive thermonuclear exchange. You are still relaxed I see ... that's good.

Last week we posted a link to, and a couple comments on, an alarming 60 Minutes episode on cyber security risks to critical US infrastructure. It described how vulnerable the US is to computer hackers and used examples from DOD, the financial sector and the electrical grid. An additional level of disturbing detail was provided by former Director of National Intelligence (DNI) Mike McConnell, who said he's certain that foreign code is resident on national grid systems. Our own anecdotal experience with critical systems in other industries corroborates this. In hacker lingo: we are "owned."

Still relaxed? You should be, because there's ample evidence, in the 60 Minutes material and elsewhere, that even as we are heavily targeted, we also have substantial penetration of our potential adversaries' systems. Hence, the resemblance to MAD. I'm making this comparison preemptively before some journalist or K Street analyst does, because I think it's worth laying a few of the cards on the table and thinking about this in a non-alarmist fashion. Here's a short list of attributes to compare and contrast:

Nuclear characteristics:
  • Once underway, nuclear war is for keeps: you're either launching nukes or you're not
  • Though some once believed in it, "limited nuclear war" is generally considered unlikely
  • While we work to make missile defense a reality, our best defense against nuclear attack has been a good offense (see: deterrence)
  • Damage from nuclear exchanges is usually believed to be catastrophic
  • With missiles and bombers heading our way, it's fairly easy to discern the origin of attack, and hence, the attacker
  • There are currently 9 countries listed as nuclear nations. Others seek to join this group, but it's expensive, complicated and time consuming, not to mention dangerous and sometimes destabilizing
Grid Cyber characteristics:
  • Probes and attacks are happening all the time by multiple parties and damage of various degrees is being absorbed by all involved
  • All cyber war is, by definition, limited
  • Our best defenses are multi-layered, resilient and constantly evolving
  • Damage is infinitely variable in severity and often hard to detect
  • Often cannot identify attack origin or attacker
  • Any country, organization or individual with access to the Internet can be an attacker
So the Cyber wars are already well underway and yet you are still able to read this post on your computer or smart phone. This is because, given the degree of inter-dependency of the global economy, most industrialized nations have little desire to wreak massive cyber havoc on their neighbors, who, while they compete in many domains, are also full time partners. Though you'll sometimes hear speculation to this effect, especially as it concerns the Smart Grid as a "hackers' paradise", it's unlikely (though possible) that catastrophic harm could befall the diverse US national grid from cyber attack alone. But that doesn't mean major localized or regional damage couldn't be wrought.

Takeaways:
  • Unlike with nukes, where deterrence between nuclear nations has worked so far, no one is fully deterred from experimenting with and sometimes wielding cyber weapons against our grid or other critical US infrastructure systems. Most nations do, however, seem deterred from launching massive cyber attacks on us and others ... and life and commerce go on
  • International crime gangs and other non-state bad actors abide by completely different rule sets from those described above. Deterrence means much less to them, so we've got to continue to bring our cyber security "A game" to the Smart Grid build out as well as to the rest of our critical national infrastructure
  • Understanding and accepting that all sides "own" other systems conjures up the alternative title to the Cold War classic "Dr. Strangelove," which was "How I Learned to Stop Worrying and Love the Bomb." I'm not suggesting you begin loving cyber risks to the grid or Smart Grid; I just want you to worry a little less if the 60 Minutes piece has rendered you sleepless or immobile. Clearly we’ve got work to do, but as NASA and the NY Times said today, we’re not going to die tomorrow or the day after tomorrow
  • For a somewhat more detailed, balanced examination of cyber risks to the grid, see University of Minnesota's Dr. Massoud Amin's short paper "Electricity Infrastructure Security", PDF downloadable here.
So, if you've made it this far, I've got a question for you: did the kitten help?

Tuesday, July 14, 2009

Smart Grid Security on Marketplace

Breathless enthusiasm for the Smart Grid build-out meets the voice of reason, coming in this instance from CSIS's James Lewis:
We want to build a secure smart grid but we also want to build it in a hurry and you can't have both.
From a recent public radio interview here.

Wednesday, June 10, 2009

Utilities Consider their Demand for Smart Grid Data

While many smart grid start-ups are counting on access to a wealth of new energy use data, utilities are counting the costs of acquiring, maintaining and securing data that doesn't help them do their job better or make money. This Greentech Media post gets at parts of this tension:
The problem, says Andrew Tang of Pacific Gas and Electric, is that utilities need to make money from data if they're going to spend money on handling it. "More granular data... if I don't need it for system reliability and I can't monetize it, why would I want to buy it?" he said.
Read further down, however, and you'll see a few very solid comments in response, including this one:
Consumers and utilities don’t necessarily need more data. They don’t do anything with the rich data they already have (i.e. their electric bill). The role for start-ups, in my opinion, is to translate that data into something useful for both consumers and utilities. And I believe there is a lot of money to be made for companies that can figure out how to do that well.
Translating data into something useful, allowing it to reach those who can use it, and keeping it secure all the while ... that's the job.

Tuesday, May 5, 2009

A Wave of Smart Grid Security Solutions is Building

You can expect more and more of these announcements in coming months as the press coverage amps up awareness (and concern) about smart meter and smart grid vulnerabilities, and security solutions providers (pick your metaphor) smell blood in the water and start jockeying for position. Here's how Industrial Defender and InGuardians phrased it in yesterday's press release:
The combination of Industrial Defender's industrial control and SCADA expertise, coupled with the AMI cyber security assessment capabilities of the InGuardians team, is a key building block of the Smart Grid initiative and will ultimately provide industry leadership and expertise toward its protection.

Monday, April 27, 2009