Showing posts with label utilities. Show all posts

Tuesday, August 20, 2013

Motivation through Compensation: Paying Utilities to Upgrade Cyber Defenses

Now we're getting somewhere! The long-submerged topic of "who should pay" for electric utility cyber security improvements has just breached the surface and is now bobbing up and down in clear daylight.

A recent article in Bloomberg documents several large US utilities' efforts to recover current and future cyber security investments the same way they get paid for other infrastructure programs: by getting clearance from their state utility commissions to approve these expenses in their rate cases.

Actually, ratepayers (aka electricity customers) will pay one way or another, as they should, for the essential service that makes our modern lifestyles possible. Possible methods of payment include:
  • Absorbing the costs to their businesses and their lives associated with brownouts, blackouts or electricity quality issues stemming from successful attacks on control centers or systems
  • Paying more every month to cover some, most or all (TBD) of their utilities' cyber-protection expenses
  • Or, as Pepco CIO Doug Myers said, as cited in the Bloomberg article, allowing utilities to be reimbursed through federal grants
This concept was articulated more formally by Michael Daniel, special assistant to the President on Cybersecurity, when he included rate recovery as one of a number of cyber incentive strategies for critical infrastructure providers:

Rate Recovery for Price Regulated Industries — Agencies [DHS, Commerce, Treasury] recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.

As this blog often reiterates, we have to acknowledge and accept the costs of living in a technology-enabled world, where the impulse to cyber secure important services must become every bit as natural as physically securing our more tangible valuables.

Else, I have a nice cave I'd like to show you. And no, it doesn't have wifi.

Friday, April 5, 2013

Helpful Clarifications Still Leave NERC CIP Version 4 Changes Feeling Overwhelming

If your job is to ensure your utility complies with the new version 4, you've certainly been scouring info like this for a while now. But if you're a member of the electric sector's support or regulatory communities, including service providers and state commissioners, it'll behoove you to get a better feel for the massively numerous and often ambiguous compliance hoops through which these folks have to jump.


Wednesday, June 1, 2011

Sony's Lessons for Electric Utilities

Have been thinking about the continued cyber bludgeoning Sony's been getting and how the utility sector would handle such a long-running, targeted attack. In terms of cybersecurity and privacy protection policies and technical controls, I can't say whether Sony was any better or any worse than its sector peers when all this started.

As far as motivation, certainly, individual utilities can easily incur the enmity of some of their customer base ... it's happened plenty of times before for a number of reasons, and it's happening again in some regions with Smart Meter deployments.

In CSO Online a couple of days ago, CSC's Mark Rasch offered this advice:
All companies have to make accurate risk assessments and carry out their responsibilities to protect personal information they store. "They have to realize they are fiduciaries of customer data and have a moral and legal obligation to protect that data. They need to do everything reasonable," he says. "The cost of repairing after the fact is 10 to 100 times higher than preventing it in the first place."

It's hard not to think that the Sony saga playing out before our eyes, on top of the daily drumbeat of security attacks and breaches at large enterprises, is spurring some utilities into action, updating their risk calculus and their controls. And very likely, many others don't see a connection, or a need to change their current defenses.

You can read the full article HERE.

Wednesday, March 30, 2011

The Fruits of Smart Meter Phobia


OK, so you don't want a wireless Smart Meter on the side of your house because you're sure, despite copious scientific evidence to the contrary, that its radio frequency emissions are going to kill you.

Well, after organizing and making your intentions clear, you have won. Congratulations! You can have it your way and keep the darn thing off your house. One small catch, though: you'll cost a lot more money to support so you'll have to pay extra.

We're working on modernizing the grid so it can support greatly increased amounts of intermittent wind and solar energy. We're trying to reduce our use of, and dependence on, fossil fuels, which will make our world a healthier place by far. Smart Meters have an important role to play by giving utilities a better picture of near-real time energy demand, as well as the means to manage demand during periods of peak consumption.

So, about that cell phone you press against your head? And the computer screens you stare at all day. And the wifi router that forms your home network. And the microwave that's running sometimes while you tidy up in the kitchen. You've tolerated, if not embraced, modernization of other sectors of the economy. Please be a bit more consistent with your fears and let us get on with our work.


Tuesday, March 1, 2011

The Near-Inside Cyber Threat to Utilities

DOE's cyber lead Bill Hunteman just revealed that a security guard once told him "I'm your biggest threat" at 2 am one morning. The guard noted he had keys to every room in that utility and was taking cyber security classes in between shifts. He said he could be inside the network attacking systems all night and nobody would know it.

Food for thought at Smart Grid Security East.

Monday, November 15, 2010

Upbeat Utility Economics Update

When you're in the trenches with utilities looking at day-to-day challenges with a lot of granularity, it's easy to lose track of the bigger picture trends. For example, we're almost always talking about how many utility folks (internal and contracted) it takes to implement NERC CIP compliance programs. It's a lot of course, especially for orgs who always feel resource constrained ... and of course, are aging by the minute.

And the fourth version of the CIPs, with its expanded scope, only promises to add to the workload, and the expense. But guess what? High above these electric sector security and governance skirmishes float financial analysts. Picture them as smartly suited genies on flying carpets woven from $100 bills, foretelling the economic future sector by sector.

And what are they saying of our beloved one? Here's a starter from "Utility Stocks Energized" in this past Sunday's WSJ:
"It's funny to say 'growth' and 'utilities' in the same sentence, but it's more of a growth sector than people think," says Jamie Cox, managing partner at Harris Financial. What's powering this growth? A building boom. Some higher-potential utility companies are upgrading their power plants, building out transmission lines or expanding into renewable-energy markets such as solar -- all of which could help boost future profits and dividends.

So how do you like that? As various pundits ponder the lethargic pace of the clean tech revolution and others pronounce it much ado about nothing, those in the rarefied air of the brokerages see what's plainly in front of everyone's noses, and signal that it is good.

Will "energized" investors' new flows of money further spur the infrastructure modernization and build-out of Smart Grid capabilities? How deep into a utility operation might those funds trickle down?  And if the money does come, how soon can it be expected? I might have to leave all of this to my MBA friends, but IMHO anything that communicates confidence in the economic vitality of the sector only serves to embolden the community further.

And what of security? Sounds like there are going to be a lot of new and somewhat complicated systems to protect. And maybe, maybe more so than in the past, it might just feel like there's some money available to afford the necessary protections. We'll see.

Tuesday, December 29, 2009

Security Standards Trump all others in Smart Grid Survey

So a bunch of utilities professionals were just polled by a research firm which asked them, of all the different types of Smart Grid-related standards that are being developed/decided right now, which are the most important?

Boy, this is going to make me sound like a total dork, but the results channeled through Jesse Berst's SmartGridNews.com site revealed that Security Wins! Here's a link to the outfit that did the work.

As we stated in a previous post called the Smart Grid Security Confidence Game, the large-scale Smart Grid build-out that waits just beyond the lessons learned in the SGIG pilots isn't going to happen if the utilities, the regulators and the users don't trust the security controls.

All we can say to the good folks at NIST and the multitudinous other orgs charged with arriving at comprehensive security standards for the Smart Grid is: hope you got some rest this week - we need you back on the job stat in 2010.

And FYI: based on emails and other traffic on the cyber security work group community site, they're not actually resting this week either.