Monday, March 29, 2010

Y2K Redux: Smart Grid's Unforeseen Benefits for Utilities

A long time ago I left the Air Force and joined the business world. An exciting job as a technology analyst at Aberdeen Group called me back home to Boston. But after one year in the ivory tower, with the opportunity to meet and in some cases interview some of the major IT movers and shakers of the day (name drop alert: Sam Palmisano, Craig Mundie, Scott McNealy), I chose to dive into the IT trenches and found a spot in a local boutique IT services firm named Primeon. What was Primeon's claim to fame back in 1999? Y2K of course.

I soon learned my job was to stress to potential partners and customers that it was time to take stock. To sort out, if they hadn't already, what hardware and software their enterprises depended upon most. The idea being: you can't remediate what you don't even know you have.

Well, what do you get when you do a real inventory (also referred to as the practice of "asset management")? First of all, lots and lots of grunt work if you're being thorough. But beyond that there's plenty to learn about your own operations and efficiencies:
  • How much shelf-ware (software your org bought but doesn't use) you're paying for in yearly maintenance/support
  • As with the US Navy, how many redundant applications you have, and how much money you might save through consolidation (i.e., pulling the plug on the older, less functional, harder to maintain ones)
  • How well your org adheres to policies that matter, like industry interoperability standards, or how many digits are required in the year field
In short, perceived Y2K threats and remediation costs were used to justify the development or purchase of newer apps and the shuttering of older apps and systems. It became a catalyst for modernization and efficiency that continues to confer benefits to the more aggressive organizations today.

How's this apply to Smart Grid security? Much of the work to be done to get ready for AMI and Smart Grid capabilities involves linking and integrating systems that were previously isolated from each other - that wasn't a Y2K survival requirement. Of course there are other big differences between preparing for Y2K and roll-out of the Smart Grid. With few exceptions, the Y2K window opened and closed in a 24-hour period, while new Smart Grid applications and equipment have been rolling out in fits and starts for several years, and will continue to arrive for the foreseeable future. And the threats to Smart Grid systems are infinitely more varied and complex than the year date problem was to computers more than a decade ago.

Jack and I maintain that you can't secure (or demonstrate compliance with) what you don't even know you have. You can't understand the most vulnerable junction points between your IT and SCADA systems if you're not really sure how one or both is secured on its own. It's hard to prepare to roll out needed enterprise access control or single sign-on capabilities when you have no idea how current users are granted or denied access to key systems pre-Smart Grid.

As more utilities turn to asset and portfolio management processes and systems as a precursor to doing Smart Grid right, there's reason to believe a resurgence of taking stock à la Y2K is at hand. And beyond being better prepared to operate in the highly interconnected world of the Smart Grid, there are additional benefits to be had for utilities seeking greater self-knowledge.
