It was a privilege to be mentioned in Andy Bochman and Jack Danahy’s 13 April blog at http://smartgridsecurity.blogspot.com/ on a recent research note Gartner produced on smart grid security. I wanted to add to the conversation Andy and Jack have created with the blog, both for further clarification and hopefully a little education as well for the public.
I agreed with most of the things said in the blog, particularly the parts where it noted that the research note was not intended to address the “entire issue” of smart grid security in the energy and utility markets. Indeed, it wasn’t intended to do that. It was intended to introduce readers to the idea that we had a big problem on our hands, that the problem actually has the best hope of resolution not in the technical delivery of security products, but in the way in which energy and utility organizations themselves address it with policy, process, and practice, and make themselves capable of doing so.
I was a little surprised about the surprise at the title. “The Myth of Smart Grid Security” was intended to provide our readers with the idea that there wasn’t any formal smart grid security, that if there were any illusions they were, well, mythic. One dictionary defines “myth” as “a fiction or half-truth, especially one that forms part of an ideology”. It was my attempt to reflect that. In retrospect, I am not sure if the title worked to provide that message.
This leads me to another observation about the note. It was Paul Proctor’s and my attempt to step outside the industry and look at the nature of the problem of securing the smart grid as a people issue, as well as taking one example (advanced metering infrastructure) to show how that might be done. (In respect to AMI, Andy and Jack are right: we should be calling it “advanced”, not “automated”.) The operative word here is ‘outside’. I believe that it may be useful sometimes to stand outside of the industry, take off the glasses that we are accustomed to using when looking at this problem, and try to see the issue with fresh eyes. A friend of mine long ago once jokingly said “it is intuitively obvious to the most casual observer at the merest cursory glance” of what smart grid security issues there are and how to solve them. But actually no, it isn’t, not to everyone. It is because we spend so much time inside the problem that we begin to assume that people know too much about it. They don’t, hence the introductory approach taken by this research and other notes Gartner has done on the topic. Bringing awareness up to the same level of perception is important.
I actually do believe that much of the utility market (I worked for an electric utility for 16 years before becoming an analyst) is in denial about the scope and extent required to secure their efforts in improving the grid, wherever it may be: AMI, SCADA, customer information systems. It is a fundamental and foundational effort that will require education and awareness on a significant scale. Is it possible to do so? Sure, but that foundation must be laid down now. We’ll crawl before we walk, walk before we run.
I do thank once more Andy and Jack for the mention, and we’ve pledged to work together to share information and bring that awareness to light.