Cleantech Market Intelligence
In Smart Grid Cyber Security, It’s Still Groundhog Day
Sometimes we need to stop and take stock of what we’ve accomplished; otherwise we lose sight of the forest for the trees. And sometimes it’s best to remain firmly focused on the trees, to avoid seeing our own lack of progress. Unfortunately, smart grid cyber security falls into this latter category.
While researching the upcoming Pike Research market focus report, Industrial Control Systems Security, I’ve been struck by how many research interviews this year sound just like the interviews for the predecessor report from 2011. At that time, I wrote a blog called “What’s Happening with ICS Security?” It’s a bit unnerving to see how many issues from that blog are still issues in this blog.
There are still very few standards for control system security and almost nothing enforceable. We still have NERC CIP, and it still applies only to transmission grids, not distribution grids. Compliance is still the overwhelming factor in driving cyber security investment. The data deluge is still coming – and let us offer thanks that that status hasn’t changed yet. Not even a few utilities still believe that their control networks are isolated and therefore safe.
Old and proprietary protocols are still prevalent. Utilities are still purchasing serial-protocol devices that cannot participate in modern networks. Some even defend this because modern protocols such as IP have many more potential attackers. To defend a single network that mingles old and modern devices is still nearly impossible, and I have yet to speak to anyone who claims that a solution exists. That one has the makings of a Nobel Prize.
There is some good news, though. Compared to 1 year ago, utilities are asking a lot more questions about cyber security of their control networks. Operations and IT teams are beginning to work together. Awareness of control system risk is increasing – although not consistently translating to budget for new cyber security products or services. Cyber security vendors that specialize in control systems consistently give me a much rosier assessment of the market. So it’s not all bad news. Still, a little more good news wouldn’t come amiss.
I have developed one worrying corollary from this situation. Moore’s Law has a two-year periodicity. If we have now progressed through the first year with very little change, does that mean that Moore’s Law does not apply to power grids? We all admit that utilities are different – but this was unexpected.