State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
A Voice for Smart-Grid Security
Who will oversee the industry’s cyber standards?
In 2009, word spread like wildfire through U.S. utilities about an upcoming story on CNN regarding a “smart-grid security vulnerability.” What would be said? How bad would it be? Would it kill project funding?
Many a manager and executive watched with bated breath through hours of programming for a 5-minute trailing segment that was, in many respects, anticlimactic. While implications and inferences were cheap, traceable facts remained as elusive as their sources. 1
The story propagated quickly via the news outlets. The few facts that could be found were twisted to the point that one outlet even issued a retraction in the following days. 2 Email recipients went berserk with inquisitions and speculations, while the industry groped for a handle on its first prime-time encounter with a purported cyber-security threat.
A few short weeks later, the Wall Street Journal published an entirely different story about cyber security and the grid. 3 While the article didn’t call out smart-grid technology in particular, the message was clear: The grid needs security, and a smart grid will need even more.
One of the oldest marketing tricks in the book is the use of fear, uncertainty, and doubt (or FUD). The tactic is particularly effective whenever there is a significant and visible knowledge gap between the target audience and practitioners of a complicated vocation. The only real countermeasure is positive education-oriented marketing and consistent public outreach.
The electric power industry isn’t considered easy to understand. Neither is information security. It’s therefore little wonder their combination requires knowledge so specialized it appears to lie somewhere between witch doctors and quantum physics.
To date, the utility security community has done little to lift the veil of complexity. When matched against the mature and polished machine of the mainstream media, engineers and scientists don’t stand a chance. The truth might well be that good solutions are at hand because competent people have been addressing the problem for years, but such stories don’t sell papers.
The general public just now is becoming aware that the industry wants to make the grid smart, and most people have no real idea what exactly that means. The off-base news stories were (and are) inevitable. The only real uncertainty is what technical errors they might make, and how they might shape public perception.
If anything beneficial has come from popular press coverage, it’s a reinforced focus on cyber security. No longer an afterthought, security gets top billing these days. Top billing, however, comes with a price—including questions and scrutiny.
While many utilities have been proactive on cyber security for several years, they also have sometimes struggled in obtaining sufficient rate recovery to fund their efforts properly. Accordingly, security experts developed a mature argument for why security should be an early and integral consideration. In the worst cases, practitioners had to figure out how to work security into mostly-baked solutions at the 11th hour. These were valuable survival skills in the days before security was fashionable, but they’re little help to security practitioners who suddenly find themselves in the lead and being asked what to do