SmartGridNews.com

The insider's guide to the modernization and automation of electric power

A Controlling Interest in Securing Utility Control Systems
By Andy Bochman
May 11, 2010 - 2:19:50 PM

Energy and utilities control system cyber security expert and firebrand Joe Weiss is making waves again, this time via an interview with CNET in which he describes the current state of progress (and lack thereof) in this most essential yet often overlooked Smart Grid domain. You see, when word got out that the previously tech-averse utilities were stirring thanks to this thing called the Smart Grid, IT and IT security professionals rushed to sell their services and wares to utilities' IT shops.

 

Little did they know (and some still don't) that they can market Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Single Sign On (SSO), application firewalls, database security, pen testing and application security testing tools, not to mention NERC CIP compliance tracking and reporting systems and more ... 'til the cows come home, and still leave their utility customers, and their portion of the Smart Grid, woefully unprotected.

 

That's because of the other side of the house. You can call it field operations, or use an acronym like Operational Technology (OT); either way, it's a place where IT professionals fear to tread. And for reasons of organizational culture, and because SCADA-based operational systems are so unlike standard IT systems, the IT guys (vendors and utility employees alike) are generally unwelcome outside IT.

 

Weiss, a one-man army, has been trying to get this message out to government and industry decision makers for years and is starting to make some significant inroads. Here's an excerpt from the CNET piece, though we highly recommend you read it all:

 

[A] utility's human resources network or their customer information networks are more cybersecure than any power plant, including nuclear, any substation, or any control center in the U.S. [Why?] Because the utilities got together and came up with a set of criteria, called the NERC critical infrastructure protection (CIP) standards. In those standards they input a number of exclusions and allowed them to self-define what would be "critical." NERC has put out emergency warnings on some of the areas that have been excluded, like telecommunications, but NERC CIPs specifically exclude them. Can you imagine doing a cyber assessment of your IT systems and being told "do not address telecom?" Because of the Energy Policy Act of 2005, electric distribution which is the heart of the smart grid is specifically excluded even though the electrons move from distribution to transmission and back. It simply doesn't make any sense.

 

Here's the full CNET Q&A. And while you're at it, you should read Forrester's take on the CNET-Weiss interview here. It's a little bit utopian in places, but it reminds us that we've been dealing with control systems security for years in other industries, and we like the emphasis on people vs. technology for a change, like here:

 

Deploying smart technologies is not enough. Take time to redefine existing processes and invest in people’s skills and education. You should invest the time and energy in marketing security and risk measures when deploying smart cities and smarter grids from day one.

 

Of course, the people Forrester is talking about dwell in both sides of the utility house. And if Joe Weiss had his way, there'd be more of an open floor plan, with security planning and implementation discussions reaching both IT and operations, and vendors and utility professionals alike understanding that their job's not done until they've secured the whole enchilada.

 

Andy Bochman and Jack Danahy are authors of the Smart Grid Security Blog.

 
