It was a privilege to be mentioned in Andy Bochman and Jack Danahy’s 13 April blog at http://smartgridsecurity.blogspot.com/ on a recent research note Gartner produced on smart grid security. I wanted to add to the conversation Andy and Jack have created with the blog, both for further clarification and hopefully a little education as well for the public.
I agreed with most of the things said in the blog, particularly the parts where it noted that the research note was not intended to address the “entire issue” of smart grid security in the energy and utility markets. Indeed, it wasn’t intended to do that. It was intended to introduce readers to the idea that we had a big problem on our hands, that the problem actually has the best hope of resolution not in the technical delivery of security products, but in the way in which energy and utility organizations themselves address it with policy, process, and practice, and make themselves capable of doing so.
I was a little surprised about the surprise at the title. “The Myth of Smart Grid Security” was intended to provide our readers with the idea that there wasn’t any formal smart grid security, that if there were any illusions they were– well, mythic. One dictionary defines “myth” as “a fiction or half-truth, especially one that forms part of an ideology”. It was my attempt to reflect that. In retrospect, I am not sure if the title worked to provide that message.
This leads me to another observation about the note. It was Paul Proctor’s and my attempt to step outside the industry and look at the nature of the problem of securing the smart grid as a people issue, as well as taking one example (advanced metering infrastructure) to show how that might be done. (In respect to AMI, Andy and Jack are right: we should be calling it “advanced”, not “automated”.) The operative word here is ‘outside’. I believe that it may be useful sometimes to stand outside of the industry, take off the glasses that we are accustomed to using when looking at this problem, and try to see the issue with fresh eyes. A friend of mine long ago once jokingly said “it is intuitively obvious to the most casual observer at the merest cursory glance” of what smart grid security issues there are and how to solve them. But actually no, it isn’t, not to everyone. It is because we spend so much time inside the problem that we begin to assume that people know too much about it. They don’t, hence the introductory approach taken by this research and other notes Gartner has done on the topic. Bringing awareness up to the same level of perception is important.
I actually do believe that much of the utility market (I worked for an electric utility for 16 years before becoming an analyst) is in denial about the scope and extent required to secure their efforts in improving the grid, wherever it may be— AMI, SCADA, customer information systems. It is a fundamental and foundational effort that will require education and awareness on a signficiant scale. Is it possible to do so? Sure, but that foundation must be laid down now. We’ll crawl before we walk, walk before we run.
I do thank once more Andy and Jack for the mention, and we’ve pledged to work together to share information and bring that awareness to light.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
6 Comments
Earl, thank you for your clarification.
I agree with your comment that securing the smart grid has at its heart – people. It is the ‘human condition’ Arbnor, Bjerke (2008), which will hurt utilities ability to secure the new, and unfolding smart grid. This resistance to change even when compelling evidence exists that change we must will slow down securing the smart grid. Serious effort must be undertaken at the organizational development level to a) inform, B) educate, c) convince all utility employees as to the known risks and harms to security and privacy of the now smart grid.
I however disagree with you comment that the utility industry is in denial of the scope and scale of effort required to secure the grid. I have watched/worked with 80 of the brightest minds in the North American utilities for the past 8 months on the NERC Smart Grid Task Force as we craft a report on securing the reliability of the bulk power system.
I am not a utility insider, I am a communications expert on the topics of smart grid, electricity, risk, and risk mitigation. It is the unknown unknowns (Arbnor and Bjerke) of this paradigmatic shift and how people play a vital role in solving, mitigating, or eliminating risk to the bulk power system, that has a lot of people scratching their heads. We need consistent nomenclature and definitions, education in utility C suite of the threats and the impact of same, we need as mentioned education and change.
The industry through no fault of its own has been 99.9% reliable at producing and sending electricity one way for 100 years. Now they have to change, reorganize and move to the two-way flow of energy matched by two-way communications and enabled by two-way control. Risk in the now smart grid comes from the internet, communications and remote control (Institute for the Prevention of Terrorism 2005).
Does the industry have flaws when it comes to trying to scope and mitigate the known smart grid risks and harms – of course. But make no mistake the smart grid is today’s new ‘internet’. Consider for a moment the number of smart grid devices installed today, versus 15 years of growth in internet devices. No comparison, installed smart gird devices will soon exceed internet devices.
Smart Grid represents one of those changes to society so great that it has been compared to the invention of the facsimile machine, the internet, and email. Dealing with a tsunami of change this great needs time and sustained effort by all.
Gavan Howe PhD (expected 2014)
President/CEO
Howe Brand Communications/www.ebranders.com
As an outsider to the utilities business but an information security practitioner spanning two decades, I’d like to suggest that having the “brightest minds in the North American utilities for the past 8 months” working the problem is admirable, but is not sufficiently heterogeneous.
Information security has been proven strongest where wide open and diverse peer review has been applied. The areas where security has suffered failures, indeed has been most severely embarrassed, have been those areas where the stakeholders have felt a mistaken need to keep their mechanisms proprietary; the worst examples of this are in digital rights management (DRM), but there are many others.
Paraphrasing Kerckhoff’s Principle, security by obscurity is doomed to failure. The strongest approaches to smart grid security will be those that survive peer review conducted by the “brightest minds” from outside, as well as from within, the utilities business.
John
Hello Gavan,
Thank you for the comments. We can perhaps agree to disagree regarding the denial portion. I’m quite sure there are a large number of people within the energy and utilities market (including those on the task force that served with you) that know what problems they face– the issue is whether or not the decisionmakers within those utilities are also aware of them, and have the authority to do something about them. that is what i meant by fundamental organizational concerns– without the right decisionmakers with the right information, it becomes problematic. My point about “denial” is underscored both by the performance of many of the utilities during the critical cyber-asset review as part of preparation for NERC-CIP, where less than a third indicated they had critical cyber-assets worth security. That’s a flag.
My frequent contacts as an analyst with the energy and utility clients of Gartner also highlights a lack of urgency on the part of decisionmakers– not on the part of individuals within those utilities.
I hope you will continue to comment and contribute. i welcome them.
thank you.
Earl, I must admit that my first peer review of your note left me feeling a bit defensive. Perhaps as with Gavan, I don’t want the hard work of “the insiders” minimized. Besides, having come to Gartner from a utility not that long ago, I experienced some non-trivial organization changes necessary to establish new policies and practices. So some defensiveness is natural. A lot of work is being done and not everyone is checking in with Gartner.
That being said, I think your note is right on target, that the proof is in the money and decisions. The work of 80 experts is a great start, but it’s still just that. Smart Grid Security will largely still be a myth until C-level executives fund and implement the necessary changes. Thanks for making the shot across the bow and let’s keep pointing to the real issues.
Earl and Randy, thank you both for great posts. I enjoy your lively, frank, and articulate thoughts. Perhaps we argue on semantics: is the condition in C level suite one of ‘denial’ or, is it one of confusion of not knowing how, why, and where to respond to such a paradigmatic change to the utility business models? That being said we cannot ignore the poor ratings scored as you mentioned Earl. Is it perhaps worth digging deeper into the ‘why’ of such poor ratings?
My firm conducted primary research (telephone interviews) with the C level executives at the top 200 US based Electrical utilities 10 months ago and found confusion, and lack of consistency to be the operating paradigm when we asked two key questions: what does ‘smart grid’ mean to the participant, and what does ‘smart grid security’ mean to their specific utility operation?
Answering the first question showed us that there was no cohesive definition of what ‘smart grid’ meant to this target audience.
In answer to the second question on what smart grid security means to their organization, one answer was ‘it depends’.
By this they mean it depends on what type of utility operation they manage: their footprint, geography, regulatory environment and topology (generation, distribution, transmission, or all).
The more concerning answer agrees with both your points: the level of ‘awareness’ of smart gird risk, and harm due to cyber-attack was low, and even more diverse in response as this being a threat. An overarching worldview is that smart grid risk lies at the HAN/AMI level, which we know is not sufficient.
cheers, Gavan
i guess ultimately we talk about our perceptions of the data that we do have available to us, whether it’s our own experiences like Randy, yours above and mine. It looks like you and Randy are more aligned than I am with particular perceptions. I admit that I am not as close to the utility market now as you are, but I believe I have a fair sense of the culture of utilities from having worked for 3 of them. Their reaction to other significant events (e.g. Y2K, the major outages in the northeast a few years ago) led me to make the observations I did as much as conversations with the clients and vendors that create products for this space. Security vendors come to me constantly expressing frustration in their inability to make headway in the utilitiy space due to a sense of “this isn’t a problem”, much like the black knight in Monty Python’s Holy Grail movie where he has his arms and leg cut off and hops around saying “it’s just a flesh wound”.
We can perhaps agree to disagree about our perceptions, and agree on the core issues– awareness, communications, a common language, and an openness to discuss are prerequisites for this discussion if we are going to gain some kind of headway in addressing this concern in the utility industry.