What Price, Security?
Grid reliability depends on ‘reasonable business judgment’

Fortnightly Magazine - January 2008

The word “security” no longer means what it used to mean. “Security” once referred to comfort, stability and a sense of well being. It was a chicken in the pot, a crackling log in the fireplace and a well-funded pension plan. It was Linus Van Pelt’s blue-flannel blanket.

Now, “security” means gates, guards and guns. It means protecting critical assets with a multi-layered cyber and physical perimeter. It means exercising vigilance and caution, and accepting inconvenience as a matter of routine.

The price of security has gone up since September 11, 2001, and it continues rising as America faces growing threats from a range of ideological and economic opponents. As National Security Adviser Stephen Hadley said in a recent press conference, “Welcome to the real world.”

In this context, industry leaders are putting forth an unprecedented effort to implement new security standards for the electric power grid. These standards inevitably will bring costs and compromises, but the industry’s leaders understand the importance of their mission—to secure what arguably has become the most critical piece of America’s infrastructure.

Utilities and their customers will pay a significant price for security in the real world of the 21st century. Whether that price proves to be too high (or not high enough) depends on how the industry responds to the challenge.

Know Thine Enemy

In The Art of War, ancient Chinese philosopher Sun Tzu counsels military commanders, “Know thine enemy.” This phrase has become something of a cliché, but for the U.S. utility industry, Sun Tzu’s advice appears more pertinent than ever. The nature of the cyber security threat is changing quickly—and the stakes are rising.

In the beginning, amateur hackers would claim nerdy bragging rights by planting evidence of their intrusion—the electronic equivalent of a “Kilroy was here” graffito. Sometimes they played tricks on companies, destroying data and corrupting systems. Then hackers became more devious and dangerous, seeking to extract personal data to use in bank fraud or identity theft. And now, they pose a serious threat to reliability and business operations.

The most obvious and disturbing examples are terrorists, intent on disrupting service and spreading chaos. Other dangerous opponents include criminal extortionists and nation states, hacking utility systems in pursuit of economic or political goals. Some cyber attackers have subtler aims—to manipulate power prices, impede a competitor’s market access, or even to influence political trends. An incumbent candidate might suffer at the polls, for example, if utility service in his or her voting district becomes unreliable.

All these threats represent a clear and present danger to the security of America’s critical infrastructure. An effective defense will require utilities to apply world-class strategic thinking, as well as state-of-the-art technology and organizational excellence. To defend the grid against such threats, utilities must first understand the enemies they face, as well as their goals and their tactics.

But perhaps the greatest threats of all don’t come from outside the industry, but from within it—in the form of misguided strategies that set the wrong price on security, and ultimately might do more harm than good.

Overkill or Underkill

Without question, U.S. utility leaders are conscientious people, dedicated to maintaining reliable service. No self-respecting utility manager would knowingly expose the grid to any kind of threat, through either action or inaction.

At the same time, however, the industry doesn’t always meet strategic challenges with a thoughtful strategic response. It’s human nature. Human beings generally respond to change with a combination of fear, skepticism and complacency. The utility industry’s leaders are only human, and many of its companies and institutions behave like paranoid and stubborn people.

In the face of security threats, a fearful response might cause the industry to overreact, and freeze progress toward things like grid automation, advanced metering and demand-responsive pricing. In short, utilities might decide the price of security is to keep the grid dumb. Given the significant benefits of smart-grid systems—such as improved efficiency, reliability and customer service—that price would be unacceptably high for ratepayers and the environment. And while a strategy of “security via obscurity” might help some utilities meet security standards in the short term, their ability to meet customer needs would suffer in the long term.

On the other hand, a skeptical or complacent response might lead some utilities to underestimate the security threat. They might rely too much on easy technology fixes, and too little on strategic thinking and procedural diligence. Or they might pursue security standards as a letter-of-law compliance exercise, taking measures that ostensibly protect the bulk-power grid, while leaving many other critical assets vulnerable. Such approaches actually might worsen the risk, by engendering a false sense of security.

Ultimately, security standards can only point the industry in the right direction. Although the NERC critical infrastructure protection (CIP) standards impose compliance requirements on utilities, they can’t force companies to adopt any specific compliance strategy.

Precisely what strategies utility leaders choose will depend on their application of “reasonable business judgment”—a phrase NERC wrote into the standards to give utilities breathing room, and which FERC has asked NERC to remove because it could excuse utilities from making security investments that aren’t profitable.

The security threat doesn’t justify panic or paranoia, and it doesn’t require emptying the treasury to battle-harden every device on the grid. But it does require careful judgment and due diligence. With strategic thinking as part of planning, design and operations processes, utility leaders can meet changing security threats with a robust and adaptive defense.

Whether or not the “reasonable business judgment” language is included in the final CIP standards, utility leaders unquestionably will apply their business judgment to decide what price is appropriate for securing their particular assets. And the rough-and-tumble real world of the 21st century will decide if they’re right.