Tuesday, October 4, 2011

Asset Owners Speak Out/Up at Smart Grid Security Summit West

What a great start. Five guys charged with improving the security posture of their large utilities all on stage, and fielding questions from conference organizer Mike Amadhi and an audience full of security minded folks from all walks of life.

In no particular order, here are a few notes I took organized by speaker:

Jeff Gooding - Southern California Edison
  • Very interested in standards
  • Vendor certification would be desirable, though preferably nothing as heavy as the Common Criteria
  • Finds it takes approx 2 years for an IT security generalist to get up to speed and be competent in the operational technology (OT) arena
Ward Pyles - Southern Company
  • (Partly tongue in cheek, partly not) said Southern Co. doesn't talk security anymore. Rather, it's all about reliability ... doing what's required to keep systems operational and available.
  • To do this, he/they use a different, more business oriented vocabulary
  • Also, working with vendors towards certification
James Sample - Pacific Gas & Electric
  • Security is much more a people than an technology issue
  • Would like to see more standards baked into products at time of manufacture
  • Like Ward, increasingly uses reliability versus pure security in conversations across the business lines
  • Spends significant amount of time pushing vendors to deliver secure solutions
  • Wishes he could spend less time on vendors (above) and more time working with his people
Christopher Peters - Entergy
  • Security pro's must be good communicators and tailor language to fit their audiences
  • Bridging silos is one of his main jobs
  • Having a CXO as a boss is very helpful in accomplishing the above
Stephen Mikovits - San Diego Gas & Electric
  • Very thankful for CPUC's order that CA IOUs generate 10-year forward looking Smart Grid deployment plans, including a major emphasis on security
  • This really helped SDG&E as well as the other utilities by giving them a platform to communicate security  requirements and recommended actions
So there you have it. Several themes emerge: security as reliability, language and communications, silo busting, supplier security and certification, importance of security standards. Seems like most in the audience felt like these were the right notes. I sure did.

BTW - I was working pretty fast. If you spot any typos or inaccuracies here, please let me know and I'll update the post asap.