Monday, May 13, 2013

Energy Sector Orgs: How Would You Know if You Were Secure Enough?

Along with my friend and IBM colleague Jeff Katz, I was recently cited in an article by a new publication called Breaking Energy. One of the things they captured was this statement:
[Legislators and regulators] hear statements that the grid is not secure enough .... That begs the question: how would you know? how do you know how secure it is now?”
If one was hellbent on better securing the grid, how would define your destination and how you know you were making progress towards it? Sorry so many questions.  Maybe you can provide some in the comment space below.

Meanwhile, in this USA Today piece, senior leaders in Washington continue to make alarming sounds about our industry's preparedness:
The power industry [ranges widely in security maturity] from companies that are very good to companies that need a lot of work and a lot of help," Gen. Keith Alexander, commander of Cyber Command, said Friday.
Meanwhile, in the NYTimes, two senior [DHS] officials just said "[a new wave of intrusions] were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name."

Seems we have the motivation. And maybe the means. But I still question whether we have a roadmap, tools, or even language recognize progress. More on this coming up.


Anonymous said...

At the very least the work done on the cyber security maturity model is a guide to getting entities to focus on particular areas of concern right? and it's cheap, one day, and comes with a long list of personnel who influenced its drafting. It's a start, you have to know where to measure before you start making metrics right?

Just Smile said...

Great bloog I enjoyed reading