Navigant Research Blog

Industrial Control Security – What’s Missing?

— November 30, 2011

Earlier this month I spoke at the European Smart Grid Cyber Security and Privacy conference in Amsterdam.  My theme was, “What are people telling me in my research?” and the focus was industrial control systems.  I suspected that this would be well-received because that’s what people always ask me:  What are people telling you?  And I was right.

The answer, though, was “Many different things.”  I reviewed results from about 30 research interviews where I had asked the question, “What is the #1 worst problem facing Industrial Control System Security?”  My research subjects included utilities, systems integrators, cyber security vendors, industry specialists, and device manufacturers.  From those 30 interviews I received 23 distinct answers, ranging from “Too much Linux!” to, not surprisingly, “There’s no consensus.”

On the positive side, quite a good mix of well-tested and new breed technology has been installed into ICS networks, including ruggedized devices, identity management, role-based access control (RBAC), ICS-aware network security, unified threat management (UTM) systems, data diodes, set-and-forget technologies, application whitelisting, antivirus, lots of encryption, hardened operating systems, security event management, and hardware security modules.  That’s a long list.  In fact, when I ask the question, “What technologies for control system security are missing?” the answer is often: none at all.

Unfortunately, some really important things are missing.  In control systems it’s extremely rare to find a cyber security architecture.  For that matter, many control networks are not even mapped accurately, as they may have evolved over several decades.  Other than within defense agencies, I have not encountered any control systems with a true asset-based risk analysis – nor have the research contacts that I’ve asked.  Change management and patch management remain incredibly challenging.  And there is nothing yet like a NOC or SOC for a control network, though that cannot be too far away, since enterprise networks already do them frequently and well.

So if we combine the positives and the negatives, our present situation is about like this art installation of a deconstructed Honda Formula 1 car.  We’ve got great components, but we’re missing the glue.  There’s no way, yet, to make all those great components work together to achieve the desired result.

A recent special report in the Financial Times characterized cyber security as “a war marked by fatalism and denial.”  That’s unfair given the amount of hard work being done by so many talented and committed professionals in control systems cyber security.  But yet – we present the impression of having very little in place.  This month’s hacks against water utilities are yet another stain on our record.  And it is our record we’re talking about here – not some government agency, not some control system vendor.  The public only discerns that cyber security isn’t protecting the infrastructure – they are not interested in the details.  We succeed or fail together.

Until we can (a) glue together these great components into solutions that really are end-to-end, and (b) stop viewing the problems as someone else’s, we should resign ourselves to more gloomy headlines.  And executives continuing to ask what exactly they are getting for their security dollar.


Rio de Janeiro’s System of Systems

— November 17, 2011

At the IBM Smarter Cities forum in Rio de Janeiro last week, I had the chance to go behind the scenes and take a first-hand look at Rio’s smart city project. My main impression is that the project represents one of the purest emerging examples of a smart city project that is simultaneously developing smart solutions on multiple fronts – natural disaster management, public safety, health, utilities, to mention a few – and is starting to achieve a true “system of systems” – nirvana in smart city terms. This level of integration and interoperability across city agencies – and the successes Rio has had so far – bodes well for the smart city opportunity not only in emerging markets but worldwide.

The City of Rio de Janeiro has accomplished this by deploying smart technologies ranging from broad, continental-scale weather tracking down to mobile device-enabled notification systems for potholes and burnt-out streetlights. The centerpiece, of course, is the Rio Operations Center, which features Latin America’s largest screen and dozens of stations that provide visualizations of real-time data feeds. Within the center, 35 city agencies work together to synergize their responses to city events. (One interesting detail is that the operators wear uniforms modeled after NASA that create a sense of camaraderie and homogeneity across the historically separate city agencies, which creates something of a spectacle.)

To provide an example of how this works: If heavy rains cause flooding in a specific portion of the city, the operations center coordinates teams that notify citizens ahead of time via text message, close down the streets, mobilize ambulances, and shut down electricity distribution systems in the neighborhood to prevent electrocution. These processes are all pre-determined via standard operating procedures (SOPs). On the city side, bringing all these agencies under one roof helps break the silos that perennially plague the smooth delivery of city services. And, on the citizen side, it certainly helps that Brazil’s mobile device and networks are exploding, providing the platform for vigorous smart city app development and citizen involvement.

But technology is only one part of the winning recipe for a smart city. One persistent barrier echoed many times at the event is that smart city projects often rely heavily on the vision and initiative of specific mayors and administrations, which typically face four-year election cycles. The timetables required for certain types of infrastructure – particularly those involving high-tech and high initial capital expenditures – don’t always fit neatly into mayoral terms. Indeed, Rio’s mayor, Eduardo Paes, who spoke at the event, described the challenges of making progress on the project despite his uncertain future as mayor. Selecting smart city technology measures that optimize in terms of high net-present value, ease of deployment within a tight timeframe, and high PR benefits for the mayoral office seem to be emerging as the most pragmatic smart city solutions that address this challenge.

What differentiates Rio from other smart cities is the added challenge of managing its favelas – shantytowns perched on steep hillsides throughout the city that have historically received little in the way of city services or regulation – and integrating them with Rio’s urban fabric. These areas are among the most vulnerable to disasters such as mudslides as well as important symbolic testing grounds for Rio’s ability to serve even its poorest citizens as scrutiny of the city mounts in the lead-up to the 2014 World Cup and 2016 Olympics. From the perspective of a smart city, the favelas also provide opportunities for infrastructural “leapfrogging,” installing smart systems that could catapult these portions of the city to levels found in the rest of the city using state-of-the-art technology.

All in all, though, the event provided a clear picture of the concrete progress that’s being made on the smart city front and, in particular, the unique opportunities afforded by cities in emerging markets.


IT and Operations Meet in Smart Grid Projects

— November 1, 2011

The evolving relationship between information technology and operations technology in utilities is a hot topic in current smart grid discussions.  The worlds of IT and OT teams have historically been distinct within utilities.  IT has been primarily focused on business process and customer management systems, while operational systems for managing and monitoring power networks have been the domain of operational teams, with only limited input from the IT department.  That situation is changing for a number of reasons.  

The role of IT in the rollout of smart meters, including the deployment of MDM and new customer management and billing applications, has enhanced its standing within the business.  It’s also becoming evident that realizing the benefits of smart meter deployments – such as flexible pricing, improved customer understanding, and the deployment of new services – requires a significant investment in IT.  These developments are driving organizational and cultural changes as IT and OT teams learn to work together to meet common goals.  The need to define and deploy new IT systems to support the smart grid is driving greater collaboration between IT and OT and is also providing a set of common objectives that can bring diverse teams together. 

I had a chance to explore these issues at the recent Distribution Automation Europe conference in London.  At the conference, several distribution network operators – including ESB Networks in Ireland, Helsingin Energia in Finland and Stedin in the Netherland – presented on the work they have been doing on network self-healing systems to reduce the impact of network failures.  There were also overviews of automation programs for MV and LV networks from SP Energy Networks in the UK, Vattenfall Finland, Alliander (the Netherlands) and Endesa and Gas Natural Fenosa and in Spain. 

I was keen to understand how an audience largely made up of distribution power engineers saw the role of IT.  As I listened to the speakers, it became evident that IT is having an impact on distribution network management at three different levels.

The first, and most obvious, impact is via the deployment of new IT systems to support increased levels of automation and intelligence in the network.  Many of the projects described at the conference covered engineering solutions requiring little or limited IT support.  However, as these trials move into larger scale deployments, IT will have a vital role in monitoring and managing a more automated network.  Deploying distribution automation and other smart grid technologies requires consistent, accurate and accessible data on the state of the network.  Several speakers alluded to the fact that this is driving investment in new or upgraded distribution management systems (DMS), as well as new outage management and asset management systems. 

The second and less tangible influence that IT is having is on the way engineering solutions are designed and deployed.  Utilities and grid operators must move away from a traditional project-by-project view of network engineering improvements to a platform perspective more familiar to IT projects.  The smart grid requires an architectural approach in terms of standardization and the use of common communication and integration platforms.  The increased adaptability required of distribution networks also means that “loosely-coupled” integration will become more important at the network data level, allowing new applications and projects to share data in a rapid, cost effective and yet secure manner.

The third level of impact is organizational.  The importance of improving cooperation across IT and operational technology (OT) functions within utilities was evident in the discussion following my own presentation on smart grid IT.  How will IT and OT work together in future, I asked, and how can the historic barriers between departments be overcome?  Even in the smallish group of utilities present, several paths were being explored for IT/OT collaboration, including bringing IT innovators into the operations team and giving the CIO a greater role in helping define a smart grid strategy. 

These discussions about IT/OT relationships in Europe echoed similar conversations we have had with North American utilities during the research for the new Pike Research report on Smart Grid Enterprise Architecture.  This is an area that is gaining growing attention in utilities around the world as they adapt to the requirements for successful smart grid deployments.  How the relationship between IT and OT evolves will be one of the shaping factors for the utility business of the future.


European Smart Meter Projects: Steady Progress Through Choppy Seas

— October 7, 2011

I spent the week at the Metering, Billing/CRM Europe conference in Amsterdam, the largest gathering of suppliers and utilities focused on the development of smart metering in Europe.  The event provides an excellent opportunity to assess the progress of the European energy industry with regard to smart meters and smart grids.

This year’s conference had perhaps less of a buzz than last year, but this seemed to reflect a lack of surprises as much as anything else.  The temperature of the event is really set by how European utilities are progressing on their smart meter plans, their experiences with current projects and their plans for the future.  The general message from the utilities can be summarized as “Steady progress, choppy seas ahead.”  Financial crisis in the Eurozone hung like the autumn clouds over the conference hall, but it seems to have had little impact so far on the smart meter and smart grid programs in Europe. 

The announcement by the French government that it is going ahead with the rollout of 35 million meters provided a welcome message of confidence in the potential for the smart grid to be a key factor in the future development of European industry.  We also heard positive messages from the two major projects in Spain, led by Iberdrola and Endesa respectfully.  Together these will account for another 30 million meters.  Before the conference I’d also heard more about the impressive work EDP is doing in Portugal on its smart grid pilots; it will also be stepping up its meter deployments in the coming year.  Meanwhile, the U.K.’s government’s project to deliver smart meters to 27 million homes in Great Britain continues in its unique fashion, with initial tenders now let for the communications infrastructure (split into three regions) and the central information management component.  Germany is also making slow progress towards a national program and is seeing some initial results from its E-Energy projects and other pilots.  Other parts of Europe continue to progress at different rates, with the Nordic countries, for example, now beginning to show benefits from early deployments.

The Netherlands, where the conference was held, has had a bumpy ride to smart meter acceptance.  Initial attempts to legislate for compulsory smart meters in 2008 led to a backlash against what were seen as draconian penalties for non-compliance and concerns over data privacy.  Now it too seems to be on the road to a widespread mart meter rollout, albeit a cautious one with a strong emphasis on consumer rights and privacy safeguards.

There were also interesting examples from across Europe of innovative integration of renewable energy resources, demand management applications, and preparation for the growth in electric vehicle numbers. 

So there was a general feeling of steady, if not accelerated, forward movement.  Inevitably this is too slow for many impatient suppliers, but it has to be seen as a positive message given the broader economic outlook and the well-known potential stumbling blocks to large scale meter rollouts.  Delivering those large scale deployments, while managing customer expectations and concerns, is the obvious short- and medium-term challenge for the industry.  However, the biggest hurdle to realizing the broader European smart grid vision will not be met for a couple of years.  As the current and planned smart grid pilots come to an end, the move to large-scale deployment of integrated smart grid technologies will need a new approach to financing network improvements.  Everyone hopes that, at that point, the current economic crisis will be long resolved, but even so the European Commission, national governments, regulators and utilities will face tough decisions on investments, funding, and tariffs.


Blog Articles

Most Recent

By Date


Clean Transportation, Electric Vehicles, Policy & Regulation, Renewable Energy, Smart Energy Practice, Smart Energy Program, Smart Grid Practice, Smart Transportation Practice, Smart Transportation Program, Utility Innovations

By Author

{"userID":"","pageName":"Smart Grid Infrastructure","path":"\/tag\/smart-grid-infrastructure?page=12","date":"3\/27\/2015"}