
Friday, October 19, 2012

Supply Chain Security Awareness on Upswing for Energy and Comm Sectors

10/25/12 Update: Huawei just said it is ready to have all its source code tested for security. Would other vendors be so bold?

------------------

If you don't subscribe to the online version of the Wall Street Journal, you probably don't get its daily CIO feed, which provides a nice topical tapas-sized taste of what's on folks' minds every morning.

One of those folks is me, and I've been stirred up lately by all the press (The Economist, 60 Minutes, etc.) and Capitol Hill attention Chinese communications equipment maker Huawei has been getting. Personally, I haven't had any direct contact with Huawei or its products, but I have a gut-level response when a company gets pilloried solely on where it's headquartered or the nationality of the owner(s).

Wednesday, August 15, 2012

Mid 2012 GAO Update on Grid Security ... and a Mea Culpa

Before teeing up the most recent GAO report on electric sector cybersecurity, I'd like to use this pixelated platform to speak back to a quote attributed to me last week that raised the hackles of some utility professionals (and it should have).

First, I'm neither a security-focused PR flack for the electricity industry, nor a gotcha journalist trying to capture eyeballs by vilifying utilities and scaring readers. Rather, I'm a member, supporter, advocate, and hopefully, sometimes, a constructive critic of the enterprise of keeping the grid safe and secure while updating it for the 21st century.

So here's the thing: a recent interviewer quoted me as saying senior management doesn't have a very good understanding of their security posture. While I'm sure I've said something like this a hundred different ways on the blog, it's never been intended as an insult or attack, but rather as an observation of the current state of affairs at many but not all utilities. The way this was captured and framed in the article, however, losing nuance and a few other qualifying words along the way, it definitely came off as a blunt attack ... and I'm not the only one who noticed. Sorry about that ... wasn't my intent.

However, support for this type of generic observation comes from things everyone in the industry already knows, and that the GAO lists on the highlights page of its July 2012 report. Here are the last 4 challenges, partially addressing utilities, partially the larger industry ecosystem:
  • A focus by utilities on regulatory compliance instead of comprehensive security
  • A lack of security features consistently built into smart grid systems
  • The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues
  • The electricity industry did not have metrics for evaluating cybersecurity (AB: of course I'll come back to this one before the post is over!)
All of these things make sense to folks who've either been in a utility or have worked with utilities and/or regulators for some time. There's a logical history to each of them that explains where they came from and why they remain challenges to be solved. 

And you'll note (and it angers some of the more concerned security pundits when I say this), that whatever US utilities have done so far has apparently been enough to keep cyber attackers from having major successes to date.

As this post is now getting too long and trying to do too many things, let's end with another invocation on the benefits of business-oriented metrics, this time courtesy of the GAO itself:
... Having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
The GAO, I think, comes from a similar position, in some ways anyway, as this blog. The cited report mentions not just shortcomings but positive actions taken so far. The GAO, the SGSB (this blog) and plenty of other groups and individuals simply want to see utilities and the industry be safe and successful while they modernize to meet the demands of our times. Neither are interested in criticism for criticism's sake, but only to suggest better possible methods. I'll leave it at that for now.

Wednesday, November 23, 2011

Security Scare Tempest in a Water Pump

There's an adage that goes something like this: think before engaging mouth. Though sadly I'm not always successful, I try to adhere to a modified version of the same principle: wait a while before posting on breaking (and especially alarming) news.

This approach paid off again, as the facts are now officially available. Here's what you need to know about the recent, widely-reported water utility control system attacks ... from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT):
After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.
and furthermore ...
There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.  In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. 
So what can we/you do?
At this time, there are no specific recommendations other than to ensure you are following security best practices. ICS-CERT recommends reviewing Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
So it's time once again to get back off the ledge and go back to work. Thanks to various Big Blue and other industry colleagues who helped keep me up to date on this. For the full ICS-CERT note, click HERE.

Photo credit: Tim Parkinson at Flickr.com

Tuesday, September 20, 2011

This Week the Economist Loves and Hates the Smart Grid


I confess I typically love The Economist magazine. Its tempered and wide-ranging world news reporting and "tough love" takes on the US culture and economy form a nice middle path at a time when many media outlets have gone decidedly left or right.

But while it's unusual for me to find much fault with their news, the opinion piece in this week's issue "Reliability of the Grid: Difference Engine - Disaster Waiting to Happen", about the recent San Diego outage and the current state of the grid really rubbed me wrong.

By now you probably know the drill:
What is rarely mentioned in all the proselytising about the smart grid is that it adds a vast layer of hackable points to the network—some 440m by 2015, according to Lockheed Martin’s Energy and Cyber Services. Every smart meter in the home will be a hackable device. The same goes for all the routers at substations. As the saying goes, if you can communicate with it, you can hack it. Today, you can cut off the power to someone’s home by shinning up the nearest electricity pole and throwing a switch at the top. Once smart meters become widespread, you will be able to do that remotely, from the far side of the world.
Proselytising? Jeez. Security challenges are "rarely mentioned"? Yeah right. This blog's primary mandate is countering, in its own modest way, the overwhelming ratio of FUD based Smart Grid scare articles with ones that tell a fuller albeit less dramatic story. And thank you, large defense contractor, for adding fuel to the fire (not). The author of this Economist piece went back almost a year to find a FUD-soaked interview with a now departed Smart Grid security practice manager for the 440 million hackable points factoid. There's more I could say about this excerpt and the rest of the article but let's move on. This is supposed to be a short, readable post after all. Get in, get out.

In a piece dated one day later, September 17th, titled "Energy in Japan: Out with the Old" we get the counter argument for a Japan recovering from Fukushima:
Japan needs a smarter grid, with electricity prices that vary according to demand. Power should cost more when demand is high and less when it is low, giving people an incentive to run the washing machine in the middle of the night. It should also be simple for new producers of electricity—from clever start-ups to big industrial firms—to sell power back to the grid.
Nice, but oh so different in content and tone. So what's your ultimate recommendation, Economist? Should we freak out and do our best to scuttle all local, regional and national Smart Grid initiatives due to the looming horrors you describe in article 1? Or should we keep our heads on straight, and build out the Smart Grid for the sound economic reasons you give in article 2, while working overtime to ensure it's as safe and secure as possible? Inquiring minds want to know.

Photo credit: Steve Snodgrass on Flickr.com



Thursday, September 8, 2011

The Importance of Context when discussing Smart Grid Security

Sometimes those of us who speak with the press end up finding that our intended meaning, stripped of context, can become distorted beyond recognition in articles which then spread more darkness than light. What follows is an open letter, just released, from former NERC CSO Michael Assante to you, and all the members of the community that seeks to keep the US and other global grids (as) safe (as possible) from cyber attackers.


I recently had an opportunity to learn about the importance of context. I tried to help someone understand the challenges of regulation and cyber security in the context of smart grid technology deployments and electric infrastructure, and learned once again how polarized this topic can become. Certainly many can appreciate the challenge of communicating with clarity on this topic, as it can be nuanced, highly-technical, process-laden, and mired in the details of a little-followed piece of history and U.S. federal and state law.

Let me begin by providing some of the context, or background, that explains why I work hard to help develop a better understanding of how cyber security impacts operational technology in critical infrastructures. As a boy I was fascinated with the engineering required to generate and deliver electricity. To me, the power system represented a grand achievement that demonstrated what dedicated men and women could accomplish.

My father worked for a utility and was rightfully proud of the public service his company delivered to homes, schools, manufacturing plants, and hospitals. He worked with impressive machines that excavated coal, and cutting edge control centers with analog light displays. But the thing that made the biggest impact on me was the dedication with which my father and his colleagues performed jobs, and their uniform sense of mission, as they clearly understood that what they did made people’s lives better. I was quick to appreciate the vision, investment, and effort that enabled vast natural resources like coal and hydro-power to be turned into electricity, which was then transported and delivered over vast distances to every household and business.

The success of the electricity industry in designing, building and maintaining an incredible system of systems, continues to inspire children and adults alike. It has grown to become a critical infrastructure that underpins modern society. The delivery of highly-affordable and reliable electricity has paved the way for the industrial and technological revolutions that have transformed global economies. It is ironic that over the last forty years of progress, we have also created a significant set of challenges that need to be addressed as a consequence of our continued innovation.

The rapid advancement and application of digital technology has improved electric system operations, reliability, and process efficiency. But it carries with it a heavy responsibility. We must now safeguard this increasingly ubiquitous element of the grid from those who would seek to disrupt technology and cause harm.

This dilemma of digital technology is that, like electricity, it enables great things but can cause great damage if not managed properly. There is one very important difference, though. The nature of electricity is understood sufficiently to prudently manage the risks it can present, whereas cyber threats are constantly evolving and are co-adaptive (the threat will consider the protections you have employed and find ways to circumvent or compromise them). This has led me to conclude that many of the difficulties we experience addressing cyber security come less from how the electricity industry behaves, and originate more from the complex nature of digital technology and the unique risks it engenders.

Many of you know that I have often shared my thoughts on the difficulties of managing cyber risk in the complex and vast systems that comprise power grids. There are a number of necessary constraints, such as the golden rule of “first, do no harm” (do not negatively impact system reliability and safety). Other challenges have more to do with state of industrial control system technology and the tough job of keeping up with the rapid changes in technology and the evolving capabilities of would-be cyber attackers.

NERC and the industry have pioneered the use of mandatory reliability standards as one tool to manage risks to reliability across the complex weave of entities that comprise the bulk power system in North America. I am confident that progress will continue to be made by NERC and the industry, but it takes time to learn what works well when dealing with the scale of the bulk power system and specifically, when trying to address the difficult-to-bound risk that comes from cyber threats. I, like many others, understand that we must continually evaluate the processes we use to develop and manage the CIP standards. We must consider the effectiveness of the standards requirements when compared to how digital systems are being compromised by current cyber attackers. Cognizant of the risks of unintended consequences, we need to fully understand the behaviors we are promoting by using standards that require strict compliance. Finally, we need to be mindful of the spirit and goal of the standards and the importance of providing enough flexibility so that utility security programs can adapt to best confront the threats they face.

I have had the pleasure of working alongside some of the most gifted experts in power engineering and industrial control system security over the years. The power industry has a rich collection of experts often passionately inclined to work together as a community to solve complex problems. Their expertise is essential in determining how to best apply cyber defenses in the highly-specialized environments of power generation, transmission, and distribution. We would also, however, benefit from the experience and learnings of other industries’ cyber professionals who themselves labor to defend highly-targeted networks. I have grown to appreciate the adaptive nature of cyber threats and importance of maintaining a current understanding of how systems are compromised. NERC has engaged with the U.S. government to benefit from its understanding and should continue to look for opportunities to learn from government and cyber security experts from other industries bent on tackling this common problem.

Context matters in how we think about these problems, in how we frame our concerns, and in how we formulate new approaches so that we may attain the many benefits of new technologies while managing the risk. I am confident that we will begin to engineer away the worst consequences, continually find more effective practices and develop the necessary skills to better address sophisticated and ever changing cyber threats. This is a difficult task that will continue to require our best efforts, to include regulation. It is a task that demands a prudent approach as the effectiveness of our investments needs to be measurable and demonstrable. We must continue to innovate if we're to fully enjoy the many benefits of affordable and reliable electricity.

Michael can be reached at michael.assante@nbise.org

Wednesday, September 7, 2011

Conference Alert: EnerSec Smart Grid Security Summit West 2011


This conference series, the first ever dedicated to Smart Grid Security and Privacy, had a great start last year in San Jose and now returns to California with a head of steam after robust attendance and some very strong content earlier this year in Knoxville.

The lineup keeps getting stronger and this session promises a compelling mix of workshops on day 1, followed by days 2 and 3 with regulator and industry updates, round table discussions and lots of back and forth with what has been in the past a very energized audience.

You can expect a bunch of utilities will be present, and not just the big 3 from California, plus state regulators from CA and TX, fed folks from DOE, NERC, FERC and NIST. Also, owing to proximity to one of the largest USN bases in the world, we'll likely see some energy-minded sailors present too.

Here are the basic facts for you:
  • Dates: 3-5 Oct 2011
  • Location: San Diego
  • Venue: Town and Country Hotel - click HERE to reserve a room
  • For more info and to register for the conference, click HERE
Next week I plan on throwing a few trivia questions at you. Correct answers may earn you a significantly reduced rate for the conference, or at the very least, hearty congratulations.

Photo credit: http2007 on Flickr.com

Friday, September 2, 2011

Newsflash! A Reasonably Balanced Article on Grid Security

First of all, kudos to Discovery News writer Eric Niller for penning a relatively fair and balanced piece this week on Smart Grid Security, with a decent, non-alarmist headline to boot. He quotes me a fair amount, but enough about me, it's two of the other quotes I'd like to address.

First, here's one I don't like, attributed to a large and otherwise highly reputable security firm:
One of the more startling results of our research is the discovery of the constant probing and assault faced by these crucial utility networks. Some electric companies report thousands of probes every month ..."
As you know I'm not a big fan of using words like startling in this context, especially in describing phenomena that are not at all surprising, let alone startling. Of course utilities' networks are being probed. And it's a good sign they've got the systems and processes in place to be aware of it.

Go ahead and plug a new PC in and turn on its wifi radio. Within minutes, if not seconds, even with good security controls enabled, that machine is going to come under some serious scrutiny. It's a fact of life these days. Bothersome? Yes. Annoying? Definitely. Startling? Not in the least. Get real, above-mentioned report writer for large and otherwise highly reputable security firm.

This one I like better. It's a straightforward statement from a straightforward person:
What we are doing is laying a new digital infrastructure over the very reliable and sturdy bulk power system. This digital infrastructure provides a lot of new attack vectors into the electrical system that didn't previously exist.
That's NERC CSO Mark Weatherford speaking, and as you can see, he balances the comment about new attack vectors by reminding the journalist (and thereby, the readers of this piece), that underpinning all the new Smart Grid stuff is a very robust legacy system. A system that's delivered increasing volumes of reliable power to hundreds of millions of customers for a long, long time.

Overall, pretty good work, especially when so much of the popular press delivers, on a daily basis, heaping helpings of unmitigated FUD. You can read the whole piece HERE.


Friday, August 19, 2011

Silly Smart Grid Security Headline Winner

Here it is: "Survey: 77% of IT Security Professionals Concerned about Smart Grid Cyber Security"

Question: What's going on with the other 23%?

In my experience (and probably yours as well), "IT Security Professionals" are nothing if not concerned ... about almost everything. Maybe the relaxed 23% taking the survey didn't understand the question. Or maybe they didn't bring a #2 pencil.

Well, at least the writers didn't invoke the usual FUD hysterics:
  • Cyber Pearl Harbor
  • Armageddon
  • Apocalypse
  • Alarmed, Alarming, etc.
  • and of course ... Cyber 9/11
Compelling (not) full article HERE.

Monday, July 25, 2011

Attacking Trends

Thanks to an energy infrastructure-focused former Navy officer (but not Mike Assante) for distributing a link to this article over the weekend. That's the way security folks are btw. The weeks often blend seamlessly into and through the weekends. And it's neither good nor bad that they do. It's just the way it is. And it's the way they are.

You'll find this piece to be part history review, part current situation update, and finally prognostication about where cyber attack trend lines are pointing. Overall, there's a lot to like in this Freakonomics article, but here are the two paragraphs that stood out the most for me.

The first comes from cyber security pundit and blogger Bruce Schneier. To the question of whether things are actually getting rougher out there or do they just seem that way, he concludes:
It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.
I like that last line of course. And then there's this from security researcher Tal Be’ery of security product company Imperva, who paces us quickly through the evolution of cyberspace and the increasing value of what we (and the bad ones) can find there:
Here’s where we reach a critical problem: companies are poised for the old cyber security model which was designed to keep the bad guys out. However, the same convenience that allowed individuals to access data from their living rooms meant hackers could too, say from a Starbucks, or a dorm room or Timbuktu. The old paradigm—keep them out—stopped working. Protecting the network, while still important, became secondary to protecting data. Few have recognized this evolution—except hackers. Today, of the $16 billion spent on security [cross sector], less than 10% goes to data protection.
I'd add application security to data security to cover not just the target, but the new primary attack vector. Network and system security, as the saying goes, are necessary, but these days, far from sufficient. 

You can read the full article HERE, and I recommend you do. There's a lot more to it.

Tuesday, June 28, 2011

Good Smart Grid Security News from the Land of Nowitzki


You know, as a staunch anti Smart Grid FUDdite, it's not easy for me to praise the article that contains this quote:
If I’m a burglar, for example, all I’ve got to do is hack into the smart grid, and I know when you’re home and when you’re not home.
Ha, it's clear that hacking meters is easy as pie !!!

I think of burglars and immediately wonder what's this person thinking (I almost wrote smoking)? Unless you view what the MIT students famously pulled off in Vegas (as depicted in the film Numbers) as burglary, I just don't see the average, or even the above average burglar investing in Smart Meter hacking school tuition. Heck, they probably don't even have the SATs to get in.

It may be important to note that said quote is from an attorney (and likely a good one) who helps run his firm's Cloud Computing and Cyber-Security practice team. Certainly that type of statement could drive some revenue.

Nevertheless, the reason for this post isn't the quote and commentary above, it's the title and tone of the larger article that caught my eye. Goes against the grain of 99% of media reports warning of the impending Smart Meter led apocalypse.

Especially good, I think, is this bit near the end:
“It’s impossible to design an impenetrable security system, but we have a multi-layered approach that’s overseen by several offices.” Oncor has a full-time security team that is constantly monitoring and addressing each security alert ... If there are irregularities, the team investigates them. If a problem were to arise, the team would take measures to lock it out of the system.
You don't have to be bullet proof to be secure (enough). And being able to see what's happening, and ready to respond, is key. Got to like it.
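Both the "thousands of probes every month" quote above (in the Discovery News post) and the Oncor description of a team that watches alerts and investigates irregularities come down to the same defender's point: being aware of the noise is the normal state, and the useful work is separating routine probing from the handful of sources that deserve a look. The script below is an added illustration, not code from this blog, Oncor, or any vendor quoted here. It reads constructed firewall-style deny/allow log lines (a made-up format; the addresses are documentation ranges), counts denied inbound attempts as a trackable number, and flags only the sources that touch several distinct ports within a short window.

```python
# Added example (not from the Smart Grid Security Blog or any utility named on it):
# turn a stream of firewall-style log lines into (a) a probe count that can be
# tracked month to month and (b) a short list of scan-like sources worth a look.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <ACTION> <src> <dst> <dst_port>".
# One source (203.0.113.7) sweeps several ports in a few seconds; the others
# are single denied connection attempts or legitimate allowed traffic.
SAMPLE_LOG = """\
2011-09-01T02:14:07Z DENY 203.0.113.7 192.0.2.10 22
2011-09-01T02:14:08Z DENY 203.0.113.7 192.0.2.10 23
2011-09-01T02:14:09Z DENY 203.0.113.7 192.0.2.10 502
2011-09-01T02:14:10Z DENY 203.0.113.7 192.0.2.10 20000
2011-09-01T02:14:11Z DENY 203.0.113.7 192.0.2.10 3389
2011-09-01T03:30:00Z DENY 198.51.100.4 192.0.2.10 445
2011-09-01T09:00:00Z ALLOW 192.0.2.55 192.0.2.10 443
2011-09-01T09:05:00Z DENY 198.51.100.9 192.0.2.11 22
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, action, src, dst, port = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "action": action,
        "src": src,
        "dst": dst,
        "port": int(port),
    }


def summarize_probes(log_text, scan_port_threshold=4, window=timedelta(minutes=5)):
    """Return (probe_count, scanners).

    probe_count: number of denied inbound attempts (the "thousands of probes"
                 figure, as a metric rather than a headline).
    scanners:    {src: sorted ports} for sources that hit at least
                 scan_port_threshold distinct ports within `window`.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    denied = [e for e in events if e["action"] == "DENY"]

    by_src = defaultdict(list)
    for e in denied:
        by_src[e["src"]].append(e)

    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a time window over this source's denied events; if any window
        # contains enough distinct destination ports, treat it as a port sweep.
        for i, start in enumerate(evs):
            ports = {e["port"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ports) >= scan_port_threshold:
                scanners[src] = sorted(ports)
                break
    return len(denied), scanners


if __name__ == "__main__":
    count, sweeps = summarize_probes(SAMPLE_LOG)
    print(f"denied inbound attempts this period: {count}")
    for src, ports in sweeps.items():
        print(f"scan-like source {src}: ports {ports}")
```

The threshold and window are assumptions chosen for the sample; in practice they are tuned to the site's baseline, and the denied-attempt count is the kind of figure the GAO post above has in mind when it talks about metrics that show where security investment is going.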

How like Texas to be so unlike the rest. You'll find the full article HERE.

Oh yeah, and way to go Mavs !!!

Monday, June 27, 2011

Trailer for Smart Grid Security No FUD Zone


I had a really great time recording my first hour-long solo webcast recently, but sixty minutes of yours truly might be more than you can tolerate. If you're game, though, click on the image above for the webinar boiled down to a relatively spare 3 minutes.

Also recommend you register yourself HERE for the Virtual Energy Forum (VEF). These folks host a ton of extremely good energy speakers (if you'll allow for one recent exception, that is).

Friday, May 20, 2011

Webcast Alert: Virtual Energy Forum - Cyber Security No FUD Zone

As our friend Massoud likes to say, "at the risk of self promotion," would like to let you know that I'll be doing a live presentation on Wednesday, May 25.  I'll have both my IBM and blogger hats on at the same time, so will be discussing topics from the SGSB, as well as describing how IBM is organized and organizing to help electric utility customers improve their security and privacy posture.

Feel free to heckle if you must. Details are below.

Featured Presentation
May 25th at 12:00PM EDT
Lessons from the Smart Grid Cyber Security No FUD Zone

Andy Bochman
Energy Security Lead
IBM Software Group/Rational


Presentation Abstract - The mainstream media gives us daily reminders of the risks anticipated from the emerging Smart Grid. From Smart Meter-related health concerns, to new privacy issues, to perceived exposure to higher monthly electric bills, not to mention new threats to critical infrastructure from solar flares, EMP and Stuxnet. This presentation will give attendees the other side of the story. We'll cover what utilities, regulators, and vendors including IBM are doing to ensure the successful roll out of a safe and secure Smart Grid, essential for enabling the Smarter Planet and our collective energy future.

Click HERE to register.

Monday, August 30, 2010

Security isn’t the Biggest Threat to the Smart Grid

You’d be forgiven for thinking that with the recent excitement over the Stuxnet virus (here, here and here) and other cyber threats, this blogger believes that security issues present the biggest challenge to the success of a national Smart Grid.

But there's something else that threatens the grand Smart Grid project on an even more fundamental level: we all have to believe in the goodness of this work enough to see it through ... even when there are setbacks. And sometimes it seems we might not.

The corollary of the oft-cited Field of Dreams baseball diamond axiom “If you build it, they will come” is the far less-often cited “… and if you don’t, they won’t”. In 2010 we’re still in the Smart Grid’s infancy, and while it’s not yet clear what’s the right way to build it, this case has shown that failing to plan and permit up front is one guaranteed way to fail. The net net is that the Smart Grid will not be fully deployed in Boulder … not for the foreseeable future anyway.

According to SmartGridNews, Greentech Media and earth2tech’s Katie Fehrenbacher:
The real problem is that [they] didn’t perform a cost-benefit analysis prior to starting the project. [Also] the group originally didn’t file for a “Certificate of Public Convenience and Necessity” … when the project started … a filing that would have enabled the PUC to cap costs of the project to protect rate payers.
Go back to an online debate we held on the Smart Grid Security Blog and the SmartGridNews site almost a year ago. We began with a post I called “First Mover Disadvantage”, turning a standard business school strategy on its head. The basic idea was that in these very early days, there’s far too much uncertainty (e.g., technology, standards, business models, regulatory environment, etc.) for companies, especially electric utilities, to get a jump on the market without enduring substantial setbacks and risk enormous costs for themselves and their rate payers.

Jack’s response, "Not the Lead Dog? Get used to the View", made the case that despite the uncertainty, those utilities with enough chutzpah to get their hands dirty, make mistakes, learn from them and press on, would command a disproportionate share of influence in the market over those sitting on the sidelines waiting for the eventual shake out.

I like both of these ideas, and surely a decent university debate team could make a lot of hay advancing either argument. But I’m going to say that the SmartGridCity project is an example of moving big and early, and in so doing, doing it wrong from the get-go. Projects this complex, with this many players, will inevitably be quite risky, and therefore must be managed extra carefully. There is less room for short cuts, and even when designed and managed flawlessly, they may still endure their share of lumps. These folks sealed their fate in the beginning, and added insult to injury by boasting so publicly about their achievements.

It’s that last part that bothers me the most, as the biggest threats to the success of the Smart Grid aren’t what you might first imagine: it’s not cyber terrorists, regulatory inertia, or flawed technology that most threaten the build-out of the US national Smart Grid. Rather, it’s a potential public perception that promised Smart Grid benefits aren’t nearly worth the costs that could kill it before it's born.

In the early days when we're still trying to figure out what works, there are going to be more Bakersfields, BG&E's and now Michigans for sure. But it's important that the industry ensure that success stories make their way to the media at least as often as the gotchas. I want to focus on the security challenges facing the Smart Grid, but won't be able to do that for long if we don't get the thing fielded in the first place.

Thursday, September 3, 2009

A New Threat to Old Energy is a New Threat to the Smart Grid

Why? Because any time the press puts the words "hackers" and any kind of energy in the same headline, it impairs our collective confidence that we'll ever be able to secure the promising but IT and Internet technology-dependent marvel called the Smart Grid. Here are a couple of illustrative examples from last week's best/worst Smart Grid enthusiasm-squelching article in Foreign Policy journal titled "The New Threat to Oil Supplies: Hackers":
The SINTEF Group, an independent Norwegian [energy and climate] think tank, recently warned oil companies worldwide that offshore oil rigs are making themselves particularly vulnerable to hacking as they shift to unmanned robot platforms where vital operations -- everything from data transmission to drilling to sophisticated navigation systems that maintain the platform's position over the wellhead -- are controlled via wireless links to onshore facilities.
Ominous sounding indeed. Makes it sound like vaguely-categorized "wireless links" are the villain here. Or maybe it's the onshore facilities that are the security weak link. I don't know, but the typical generalist reader is going to suspect the worst of both. That appears to be the SINTEF Group's intent, anyway. Note to self and readers: always take alarming security reports from analyst groups and small security consultancies with a few spoons of NaCl.

OK, here's another one from the same article, and arguably it's got more teeth:
While the newest oil rigs ... [are] loaded with cutting-edge robotics technology, the software that controls a rig's basic functions is anything but. Most rely on the decades-old supervisory control and data acquisition (SCADA) software, written in an era when the "open source" tag was more important than security, said Jeff Vail, a former counter terrorism and intelligence analyst with the U.S. Interior Department. "It's under appreciated how vulnerable some of these systems are," he said. "It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail."
I'm no SCADA expert, but everything I've learned from control systems pro's of late supports Vail's contention that the folks building these things did not anticipate a time when their systems would be exposed to the wider world via wireless or wired connections to other computers, let alone the Internet. I'd say the time will come when folks who want the Smart Grid to be secure and successful, both in reality and in the public's perception, are going to have to go on a security messaging offensive. I know the press makes its money via all things sensational, but consider how many scary Smart Grid cyber security stories you've read this year versus how many you've seen that tell you it's going to be plenty secure because we know how to do it. One way this great and very necessary undertaking can (and may) fail is if no one -- from large enterprises to individual homeowners -- trusts it enough to use it.