IBM on energy cybersecurity: Keep calm and carry on
Editor's note: Often you see Andy Bochman's byline on Smart Grid News posts about smart grid security. But the tables are turned in this interview AOL Energy did with Andy. As usual, what he has to say is definitely worth reading.
By Peter Gardett
For years, predictions of the horror show that could happen if the nation's electricity grid were compromised by hackers proliferated in inverse correlation to the number of actual attacks. The sector went about its peaceful way, adding security as it added interconnectivity and meeting standards that kept service reliability levels intact.
That "quiet war" in cyberspace is over. The U.S. energy sector is under attack, and there isn't any indication the situation is going to improve.
The building awareness of both the intensity of attacks and the holes in security made the issue a central point of discussion at the AGRION Energy & Sustainability Summit in New York City recently. "There's even more awareness now," IBM Energy Security Leader Andy Bochman told AOL Energy on the sidelines of the event. "We recommend utilities consider a fresh look at fulfilling their cybersecurity functions."
Bochman admits the move lacks the headline appeal of a major new infrastructure outlay, calling it an "incremental change" that will help utilities find their "security baseline." He points out it is much harder to bolt on security after a system has been compromised, and understanding the evolving nature of the problem is the best first step most companies can take.
"Lots of companies don't even know where they are - they need to understand their current risk profile better," he said.
There are few existing standards for those new high-profile cybersecurity heads at utilities to comply with. The North American Electric Reliability Corporation (NERC) has in place CIP (Critical Infrastructure Protection) guidance that provides the only industry-wide "apples to apples" comparison of security for the sector. Bochman and Bartlett said that although those mandatory sector-specific security rules are widely complained about by utility executives, the sector is also thought to be more secure because of them.
While all of this new personnel and security sounds expensive, by beginning to evaluate their IT systems in light of what they actually need, companies could begin to rationalize their IT and end up with cost savings from eliminating redundant systems or personnel, Bochman said.