Cleantech Market Intelligence
Are Cyber Security Researchers Burning Down the Village to Save It?
To research smart grid markets is to immerse oneself in a succession of fads. Here at Pike Research we watch the fads come and go while utilities quietly go about their distribution automation projects. Two years ago, smart metering dominated conference agendas. Last year it was customer engagement. This year data analytics is the buzzword du jour.
Smart grid cyber security has its fads too. One topic dominates discussion these days: Should security researchers publish control system vulnerabilities without notifying the system vendors? And if that’s okay, is it equally acceptable to publish software to exploit those vulnerabilities without prior notification of the vendors?
Opinion is sharply divided on this topic – as if we are holding our own presidential election. What’s not divided is vendors’ and utilities’ response to this activity, which has been very little. One leading researcher, after releasing a boat-load of vulnerabilities, wondered aloud, “Where’s the response?”
The stated objective of these activities is not to generate PR for the researchers but to force vendors to take action. From one site: “The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end. SCADA and DCS owner/operators will demand a secure and robust PLC, and this will drive vendors to finally provide a product worthy of being deployed in the critical infrastructure.”
I got news for you guys: so far, it ain’t working, but we sure are exposing a lot of critical infrastructure to attack. That’s the only provable outcome of these exercises, and it’s a problem.
Cyber security exists to defend critical infrastructures against attack. A strategy that depends on a successful cyber attack to prove its point is self-defeating. Some agree with that position, while others whom I immensely respect disagree. So be it. From my perspective this is like an arsonist wondering why firefighters don’t have better tools to put out the wildfires that he sets.
There’s also a human element: whom have we arbitrarily doomed to suffer the coming cyber attack? Grandma’s dialysis machine? Traffic signals in Los Angeles? Potable water in a developing economy? Unfortunately, we don’t get to pick who is attacked with those exploits. Are we willing to throw grandma under the bus to make our point?
I choose not to support any of this. If someone else can do it with a clear conscience, good for them, I suppose. Unfortunately, all cyber security practitioners will be painted with the same brush. If a few set fires, we shall all be presumed arsonists. Think about it: how many headlines do you read about security people doing their job? “In other news today, nothing was successfully attacked” – that makes for super-compelling copy, right? Ultimately, we shall have thrown ourselves under the bus too, and I don’t think that will entitle us to call ourselves martyrs.
The common rap against security practitioners is that we’re a bunch of techie nerd geeks who don’t have a clue about business issues. I’m afraid that setting fire to our own industry may earn us that stereotype for good.