Click to Print This Page

Back to Article


SmartGridNews.com
The insider's guide to the modernization and automation of electric power

Smart Grid Security and Your Data: Why a “Hexad-diction” May Help
By Jack Danahy
Jun 3, 2010 - 10:25:52 AM

Soon the edited and filtered version of the Smart Grid Security Blog Webcast #2 on data security will be available, and I encourage all of you who missed the live version to take a listen. (There are plenty of you who will be hearing this set of messages for the first time, as we did very little to publicize the schedule for this piece. We'll improve upon that for Webcast #3!)


Anyway, in the discussion of securing data for the Smart Grid, we are re-empathizing the two key points that we have made previously, and will continue to hit upon:

 

  • A new and unprecedented volume of data is coming your way
    You can either plan for it, and figure out how to secure it before the deluge starts, or you can simply let it all come and hope that the sheer volume of it will bury the evidence of your obvious lack of security forethought.
  • Your data is not all one flavor or type
    You need to break it up according to its security needs, its use in applications, and its likely combination with other types of data. Do this, and you may save untold hours and millions in efforts to partition it later, or to design a new series of systems that must first process the indigestible mass every time they need a new tidbit of data.

 

While preparing and presenting the data security webcast to offer some help in executing successfully given the facts above, I had been on a search for a set of externally developed and accepted security characteristics that were less vague (and therefore limiting) then the usual CIA triad. While Confidentiality, Integrity, and Availability are important, as concepts they are too indefinite. They are too messy. If I copy an encrypted database of private information for later cracking, what fundamental premise has failed? The data is still confidential, it is still accurate, and the original copy is available for all to use. But I have still done something unsettling and bad.

 

In order to present the security concerns accurately and succinctly to the new and largely untainted utility population, there needed to be a richer description that could be used with more accuracy, and more differentiation, as the new and highly varied data sources were contemplated for the Smart Grid. I arrived back at a six element formulation of security characteristics developed by renowned information security scion, Donn Parker, called eponymously, the "Parkerian Hexad."

In the Hexad, the venerable characteristics of Confidentiality, Integrity and Availability are importantly augmented by the additions of Control, Authenticity and Utility. Through the addition of these new descriptors, there is a natural clarity that arises around the description of security requirements for various data and service components.


I have translated more complete descriptions of the Hexad here, from the recent Webcast:


Confidentiality       Access to data is limited to those intended
Control Data is only accessible or changeable by those intended
Integrity Data can be relied upon to be accurate and unchanged
Authenticity Veracity of data source and provenance can be assured
Availability Timely access to data is always ensured
Utility Security or insecurity does not inhibit the practical use of data


This is a start, for those of you with less time or feverish interest to go very far for a more in-depth treatment. For those of you who would like a very good introduction, with examples, from Michel Kabay – the fellow who coined the term "Parkerian Hexad" – I really recommend this self-playing PowerPoint presentation from his work at Norwich University, from his overview page, it is here. And while it takes a couple of minutes to load, I think it is a great introduction for those of you just digging in. It also concludes with a description of what IA jobs mean in terms of responsibilities. I think this is also prime fodder for those of you just digging into your roles as security leads within utilities, or those of you looking to hire roles like that.

Why Learn These Terms?
Unlike many industries that adopt new technologies and new business models incrementally, the utility industry is jumping into the mix with both feet. There is little room to slow the pace of integration of new IT technologies in order to stop and compartmentalize the areas of investment based on security concerns or characteristics. The situation that has been created is one of rapid change and rapid growth.

By attempting to apply the security characteristics, and by answering the questions that inform the identification of issues, there are many interesting issues that will be brought to light. Smart meter location is just an address. Pair it with a user, and you have an identity or privacy problem. Similarly, in the case of outbound or control data, authenticity, integrity, and availability are all key.

Creating a checklist for all of the data involved in an application, and then having a discussion of how these useful and discrete characteristics apply, will lead to a much earlier, and much higher level conversation about why this kind of focus on Smart Grid Security is necessary.

 

Jack Danahy and Andy Bochman are authors of the Smart Grid Security Blog.

 

You might also be interested in …

Warning: The New Security Demands That Utilities Can't Afford to Ignore

Add Nukes, Solar Flares and Pandemic Disease to the List of Potential Threats to the Electric Grid

Smart Grid Security Class Now in Session

Utilities to Invest $21 Billion in Smart Grid Cyber Security by 2015 (press release/pdf)

Smart Grid Security technologies

 

Stay connected with SGN …

Smart Grid Discussions: Get LinkedIn with Jesse

Smart Grid on Facebook

Follow Us on Twitter

Try our RSS feed

Get our email digest
Subscribe to our FREE eMail News Alert!
Smart Grid Newsletter (SGN) is the insider's guide to the Smart Grid revolution. It consists of a FREE bi-monthly email summary, along with a companion Web site that contains the full stories and other helpful materials.

Benefits of subscribing: SGN is the only central source for all of the news, trends, research and marketplace information relevant to grid automation. In it, you will read about cutting edge technologies; successful pioneers and how they got ahead; regulatory changes that could unleash new markets; the latest research; and new opportunities for sales of grid-related products and services.


© Copyright 2009 SmartGridNews.com