Editor's note: I was chatting with security veteran Ernie Hayden recently when he started talking about the huge gap between the way utilities *talk* security versus the way they *walk* it. They may ignore smart meter security during testing because "it's just a pilot." Then when deployment hits, they have no foundation and no time to put a robust security program in place. I guess I didn't realize utilities were still so lax. And yet this scary situation can be fixed readily with planning and preparation. I asked Ernie to stop by with his insights. – Jesse Berst
By Ernie Hayden
For over 20 years, I have been involved in electric industry security -- for the past three years very actively. My roles have included security participation in a utility's ARRA grant application, the NIST Smart Grid Cyber Security Working Group, and the NERC Smart Grid Task Force document. Yet I continue to be concerned about the slow progress being made at electric utilities towards security oversight, governance and implementation.
Real life security bungles
For instance, I’ve been pleased with the effect of the NERC Critical Infrastructure Protection (CIP) mandates. Utilities have done a lot to make their security processes and programs comply with NERC CIP (perhaps because of the real threat of fines). That said, I’m worried there is more emphasis on security compliance than on true protection on both the physical and cyber fronts.
In 2010, I visited a utility and inspected 18 critical substations. The inspections were ostensibly for NERC CIP compliance; however, I was surprised at the physical security problems we found. For instance, we were able to pick some locks with plastic hotel room keys! We also found ventilation louvers that could be easily removed to allow access into buildings. Similarly, we found doors where the hinges were attached onto the outside of the door frames, thus allowing an intruder to simply unscrew the hinge fasteners and take the door out of its frame.
In 2011, I learned of an electric utility which was rolling out hundreds of thousands of smart meters. The effort was ambitious and well resourced – except for security. This company only had 1.5 full-time employees (FTEs) assigned to cyber security. And those personnel were already overtaxed and could barely sustain their existing workload.
This same utility never included the NISTIR 7628, Smart Grid Cybersecurity Guidelines, in any of their security policies, procedures or standards. This was quite a surprise since NISTIR 7628 contains a wealth of knowledge, guidance and details that can be immediately and quickly applied to any smart grid security program.