Chasing mandates on security compliance may be driven by aversion to fines. But that approach can lead to faulty security measures and, more importantly, impair your security stance. Listen in on a discussion of "how to think about security."
As is often the case in utility security discussions, the focus tends to be on how to think about security, rather than specific measures.
The obvious point is that specific measures must be kept under wraps. The less obvious point is that the weak link in applying security measures does tend to be people, and how they think about security.
That's not to say that there aren't technical hurdles that can be discussed. I offer here a few insights from a good discussion I overheard last week on both security-related technology and the development of a security culture.
According to Patrick Miller, CEO, EnergySec, and a principal investigator for the National Electric Sector Cybersecurity Organization, data privacy, cryptography and software patching have all become difficult challenges as endpoints on the grid proliferate and the "attack surface" expands.
"Isolation remains a fantastic approach," Miller said in a recent webinar held by Pike Research. "But don't count on it."
(For one thing, isolation is increasingly impossible to achieve, due to digital interconnectedness.)
In the big picture of "turbine to toaster," "we're entering a state of 'hyper-embeddedness,'" Miller said. "We're adding too many devices, too fast.
"Innovation versus security is a big issue," Miller added. "Innovation takes us forward, but security falls by the wayside. It's not that it's impossible, it's just that we're moving too fast.
"Not all vendors are created equal," he cautioned. "Consider