Every time we add another smart device to the grid, we add a new vulnerability. Now multiply that vulnerability times thousands of devices from hundreds of different manufacturers using dozens of different protocols. And then add in all the legacy equipment installed before we became sensitized to the smart grid’s security issues.
Just how the &#!! are we supposed to keep all of that safe?
Thankfully, there is a way to toss a “security blanket” over the whole thing, the legacy equipment as well as the new stuff. In this article, I’ll give you a glimpse at the strategy, and then point you to some helpful resources.
The magnitude of the problem
I chatted recently with Duke Energy’s Lead IT Analyst Robert Humphrey in preparation for an upcoming free webinar on smart grid security on Jan. 27. Robert characterizes the problem this way:
How to create a security blanket
You won't be surprised to hear that a key strategy is to devote more resources and attention to the problem. In fact, your first step should be to create a security overlay to your smart grid plan -- the “security blanket” I mentioned -- based on an enterprise-scale security architecture.
The picture below shows the architecture consulting firm Accenture recommends to its smart grid clients. For a closer look and for other tips, download Accenture’s smart grid security white paper. It’s a great overview in 16 pages.
Why you need to attack yourself
Once you’ve got an architecture in place, it’s time to find your own weaknesses, before others can do so. That means performing a thorough risk assessment. With new equipment, the assessment’s goal is to pinpoint weaknesses before it is installed. (In many cases, you can convince manufacturers to fix the problem at their own expense.) Humphrey and others recommend that your assessment include a gap analysis against your own internal requirements and against the emerging NIST standards.
With legacy gear that’s already in the field, you have to determine if the vulnerability can be plugged at a reasonable expense, or if you need to replace it with new gear. Humphrey says quite candidly that legacy equipment is the weak link. A lot of it still uses unencrypted text and default passwords. Ouch!
The final step, says Humphrey, is to set up a program to monitor, manage and maintain your defenses.
We’ll cover these steps in the upcoming smart grid security Webinar, which is scheduled for January 27th, at 1pm Pacific (4pm Eastern). It is free to SGN readers while space remains. In addition to Robert Humphrey, we’re bringing in Eric Trapp, head of Accenture’s security practice for North America (and someone who recently led the infrastructure transformation for one of North America’s largest gas & electric utilities).
We’ll also talk about some of the surprise fringe benefits of a smart grid security blanket. For instance, how the risk assessment helps power engineers and procurement officers with their purchase decisions. And how you can feed information to dashboards, analytics and alert mechanisms. Best of all, there will be lots of time for your individual questions.
Below are some additional security resources. Use the Talk Back form below to tell your colleagues about other useful sites, white papers or downloads.
Smart Grid News security channel
NIST takes heat for smart grid security guidelines
Where to go for smart grid security nuggets and discussion
Accenture smart grid security white paper
© 2012 SmartGridNews