Cyber security: mandates or volunteers?
Both approaches reveal serious shortcomings
Today we'll revisit a few cyber security conversations, the fundamentals of which I don't believe have changed much over the past two years that I've listened or participated.
Sure, in that period, Stuxnet has appeared, as has Duqu (aka "son of Stuxnet") and a host of other exotically named malware. Without a major, documented disaster on the grid in the United States as a result, however, I suspect that the situation breeds both urgency (thank goodness we have more time) and complacency (if nothing's happened by now, why worry?).
So, looking over recent discussions, I'd name several issues worthy of review.
Mandates versus voluntary measures
This is a perennial debate in many fields of endeavor. The arguments, pro and con, often touch on the following back-and-forths. Top-down action often comes only after a preventable disaster when the pressure is on politicians and bureaucrats to show that they're responsive. That response often gives the appearance of self-congratulatory chest-thumping. Yet officeholders can fairly say that if voluntary measures worked, reactive policies wouldn't be necessary, would they? In fact, proactive, self-motivated measures are always better, but industry is notorious for screaming about over-regulation and then exhibiting laxity and lack of rigor. Conformance, particularly with the out-of-sight, out-of-mind nature of cyber security, may in fact have to be driven by regulators or legislators, with oversight and penalties for laggards. ("Trust me" is the punchline to a joke. "Trust but verify" is a slogan that has endured.) Yet industry can fairly retort that a one-size-fits-all approach is ridiculous and checklists breed a checklist mentality.
That's the chicken-or-the-egg routine. Which way forward? Isn't it possible to set certain benchmarks for people, processes and technology and allow utilities to devise and execute their own, tailored, flexible plans? Right now, there's rumbling about extending NERC CIP (North American Electric Reliability Corporation's Critical Infrastructure Protection) down to the distribution level, extending it to municipal and cooperative utilities. If those actions don't come to pass, will failure to act at the federal level effectively charge states with actually getting the job done? State regulators delved into the issue at their National Association of Regulatory Utility Commissioners (NARUC) annual meeting in July.
Spending versus vigilance and a security culture.
As with top-down mandates, spending money also can have a somewhat narcotic effect on responsible parties. This is another perennial, seductive human foible. Spend money, job done. (R-r-right?) First, the "baked in, not bolted on" mantra added to product development cycles leads me to suspect that the renewed surge in security-related spending—as intelligence is extended down to the distribution system—may not yet be achieving what's intended. Holding vendors' feet to the fire over the "baked in" strategy is said by people I respect to be the path forward. Last year IDC Insights wrote that while cyber security spending was up, sharply, over the prior year, the development of a security culture lagged. I couldn't get a breakout of figures for the power sector and cyber security this year, but it wouldn't surprise me if the picture looked similar.
Smarter grids: degrading security?
Right now, distributed controls, sensors and intelligent electronic devices (IEDs) are being added to existing distribution infrastructure and these devices represent under-protected assets offering access to malefactors. A few simple steps in physical and cyber security could provide significant levels of protection. There's a forthcoming article in Government Security News by a respected industry figure on this issue; keep your eyes peeled and I'll call it to your attention when it's published. Sorry to be cryptic, but I can't steal someone else's thunder.
Cyber security for IT versus industrial control systems
Lastly (okay, that's four topics), utility executives must appreciate (as I'm sure most of them do) the distinction between cyber security for the IT systems that run the enterprise and industrial control systems that operate power plants and all the high-voltage gear down to the substation. As Joe Weiss, an ICS expert and principal at Applied Control Solutions LLC, told me in "Cyber Security and Control Systems," "IT problems don't kill people. Control system problems have killed people."
In that column Weiss contended, as did Peter Mozloom, vice president for cyber solutions at Modus Operandi, Inc., in "Cyber Expertise Lacking?" that "IT professionals don't understand ICS. Operations personnel may understand ICS, but not IT and its cyber security implications. That's one disconnect. Another: responsibility for the integrity of ICS at electric utilities tends to be splintered among various roles, in contrast to the chief information officer's clear mandate for IT cyber security, he said. Further, IT cyber incidents leave a forensics trail that can be reconstructed after the fact, while ICS incidents leave only physical evidence without a clear forensics trail."
Then there's the market, probably the most potent force for investor-owned utilities: no power utility executive wants to suffer a rogue blackout in his/her territory or see their stock price plunge or explain to their governor, public utility commission or a federal agency why they dropped the ball. Lost business, lost value, lost credibility all take their toll. However, that executive often asks: Where's the threat? Where's the evidence? What's the return on investment? Economists have a concept for investments that prevent business discontinuity and the term slips my mind right now.
"How to Think About Cyber Security" provides the basics about C.I.A., which stands for confidentiality, integrity and availability.
"In the News: Threats to Industrial Control Systems" detailed the alarming nature of a program named "Shodan," which identifies and "exposes" online devices, including industrial control systems in use on the grid.
"Cyber Security: Threats and Opportunities" summed up an EnergyBiz webcast from a year ago that featured useful insights.
Intelligent Utility Daily