Navigant Research Blog

In Smart Grid Cyber Security, It’s Still Groundhog Day

Bob Lockhart — October 3, 2012

Sometimes we need to stop and take stock of what we’ve accomplished; otherwise we lose sight of the forest for the trees. And sometimes it’s best to remain firmly focused on the trees, to avoid seeing our own lack of progress. Unfortunately, smart grid cyber security falls into this latter category.

While researching the upcoming Pike Research market focus report, Industrial Control Systems Security, I’ve been struck by how many research interviews this year sound just like the interviews for the predecessor report from 2011. At that time, I wrote a blog called “What’s Happening with ICS Security?” It’s a bit unnerving to see how many issues from that blog are still issues in this blog.

There are still very few standards for control system security and almost nothing enforceable.  We still have NERC CIP, and it still applies only to transmission grids, not distribution grids.  Compliance is still the overwhelming factor in driving cyber security investment.  The data deluge is still coming – and let us offer thanks that that status hasn’t changed yet.  Not even a few utilities still believe that their control networks are isolated and therefore safe.

Old and proprietary protocols are still prevalent.  Utilities are still purchasing serial-protocol devices that cannot participate in modern networks.  Some even defend this because modern protocols such as IP have many more potential attackers.  To defend a single network that mingles old and modern devices is still nearly impossible, and I have yet to speak to anyone who claims that a solution exists.  That one has the makings for a Nobel Prize.

There is some good news, though.  Compared to 1 year ago, utilities are asking a lot more questions about cyber security of their control networks.  Operations and IT teams are beginning to work together.  Awareness of control system risk is increasing – although not consistently translating to budget for new cyber security products or services.  Cyber security vendors that specialize in control systems consistently give me a much rosier assessment of the market.  So it’s not all bad news.  Still, a little more good news wouldn’t come amiss.

I have developed one worrying corollary from this situation.  Moore’s Law has a two-year periodicity.  If we have now progressed through the first year with very little change, does that mean that Moore’s Law does not apply to power grids?  We all admit that utilities are different – but this was unexpected.

4 Responses to “In Smart Grid Cyber Security, It’s Still Groundhog Day”

  1. Eric Hacker says:

    There are some significant new trees that one might be missing trying to take in a forest view. The ARRA grants came with cyber security requirements that are forcing the recipients to think about risk and security much more. Also, some state regulatory boards are requiring NERC-CIP and/or NISTIR 7628 be used as guidance for electric distribution as well as gas operators. Cyber security is on the agenda.

    I agree that there is much to be done, but I think the industry has made some progress.

  2. Joel Miller says:

    As a member of NIST’s Smart Grid Panel, I can say unequivocally that utilities did virtually nothing to address ICS security under the ARRA funding. Inquiries were met with a “talk to my consultant” response. No one could tell me how much was spent on Cyber. The amount should be 5% to 10%. I am certain the only expenditures made were to the consultants to provide “compliance” cover.

  3. Bob Lockhart says:

    Thanks very much for your comments. Security is indeed much more on the agenda this year. That is a recurring theme from my research interviews.

    Then again, my favorite research quote from 2011 was a frustrated systems integrator: “You must remember, asking questions is not the same as spending money.”

    It feels an awful lot like IT security 10-15 years ago. “Security is our #1 priority… You have ten minutes for your presentation.”

  4. Bob. See my article with Joe Weiss on ICS Cyber Security: http://www.digitalcommunities.com/articles/Industrial-Control-System-Security-a-Reliability-Issue.html

    Nice to see you’re on it one more time.
