The first Smart Grid Cyber Security Summit was held recently in San Jose. IBM’s Andy Bochman, in his excellent Smart Grid Security blog (http://smartgridsecurity.blogspot.com) provides a good review of the proceedings, and I’ll add a few of my own thoughts.
The attendance of approximately 75 people was not bad for a first time event, but well below the typical 200-300 people drawn other smart grid conferences. There were few utilities present. My informal count was three, including invited panelists, with none from California. Interestingly, the California PUC was there in force. A similar cyber security event I spoke at in Washington, D.C. in June attracted no more than 25 people, despite a strong speaker lineup. Is cyber security simply not that high on the industry’s priority list?
After listening to some of the expert presentations, it certainly ought to be. The refrain was consistent: the current grid, with its hodgepodge industrial control system (ICS) technologies, is highly vulnerable to a cyber attack that could destroy critical generation and T&D assets. Resulting outages could last for weeks, causing economic devastation. Smart grid integration could make it worse. Utility IT staffs with some security knowledge don’t understand ICS, and operations groups that do don’t trust, or even like, the IT groups.
Nationally, very few experts (perhaps tens to low hundreds) understand enough ICS and IT to be useful. Most industry executives have their heads in the sand. The few that don’t are thwarted by clueless regulators that deny rate cases for even modest security improvements. The recently discovered Stuxnet infestation targeting Siemens SCADA systems (http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices) provides the first hard evidence that we should be afraid – very afraid. The passion of the alarm sounded by these speakers was hard to ignore, yet where is the progress?
As a recovering marketing executive, I wondered why this message is apparently not getting through. One completely unscientific (and probably unfair) observation is the security messengers appear to be culturally worlds apart from their utility audiences. They are more likely to be in tee shirts than ties, have longer hair and beards, have body piercings and tattoos, and are proud to have been fired more than once for “telling the truth” to their management. Many have chosen to live in rural locations, have backup generators, and own more than one gun. It is hard to imagine a starker contrast to the buttoned-down-white-shirt-and-tie utility executive. Could this be a major impediment to grid security?
The good news from the conference is the tide appears to be turning in recent months. Smart meter vendors in particular have ramped up security R&D efforts considerably. To paraphrase one panelist: “I’ve cried that the emperor has no clothes, and now he’s hired me to be his tailor”. The virtuous cycle of a recognized need creating market demand that spurs robust vendor R&D seems to be underway. Security standards efforts are in full swing, and though some will argue their efficacy, FERC and other agencies are ready to push them. And judging from side conversations amongst the conference expert comparing their congressional briefing calendars, the US Congress is one group that is listening, with some rare bipartisanship.
At Pike Research, we have been forecasting significant opportunity in the smart grid cyber security arena for some time. Most recently, my colleague Bob Lockhart (also at the conference), authored a report on Smart Meter Security, highlighting specific opportunities in this slice of the smart grid. Security needs be a baked-in part of the “smart” in the smart grid, and the innovation opportunity extends across the value chain, including silicon, software, equipment, communications and services. Let’s hope we get there in time.
Bob Gohn, an analyst with Pike Research, specializes in the smart grid.
