April 26, 2011

Smart Grid Cyber Security Week

We’re making this smart grid cyber security week on the blog
– a topic we’ve been dabbling in for the past year or so. Our own exploration
has primarily taken the form of research and discussions with DOD officials,
though the need to scope our work has prevented us from doing an entire project
focused on this topic to date.  

Part of the reason we’ve never made this a subject of a
full-fledged research effort is that we could never really get our arms around
what was happening. What’s the status of deploying a tolerably secure smart
grid? Does the government (and in particular DOD) need a major course
correction? Is there a need for think tank-style policy analysis? We couldn’t
really answer these questions clearly enough to develop a full project.

A few factors drove this difficulty. For years, DOD-focused
discussion could be characterized as many heads of hair on fire. We saw tons of
arm-waving, sky-is-falling near-hysteria within different parts of the
Department of Defense on the cyber vulnerabilities of smart grid technology.
We’ve spoken to a range of people at bases and Combatant Commands about this
issue, and received a very broad range of different perspectives on the nature
of the threat. Perhaps most important, we consistently spoke
to DOD folks who were working energy security issues who had little to no
contact with those working this issue in other federal agencies.

However, when we spoke to those representing other parts of
government, the private sector and utilities that are more directly read into
how cyber security is being bolstered for the grid, we tended to hear a far
more nuanced and less frightening take.  Likewise
in our personal research. There seemed to be a healthy level of attention and
concern, but no alarmism and little sense that the problem was completely beyond
any control. In fact, utility and electricity sector representatives tended to
fear insider threats more than hacking from outside.

Today, we’re beginning to get a better sense of the ground
truth, ever-moving as it is. About a month ago we held a workshop on smart grid
tech and cyber security, with a great cross-section of experts. My main takeaways
were that there are real cyber threats in considering smart grid deployment,
but that there are many USG efforts underway to mitigate and manage the risks.
The holes that exist seem to be things like improving coordination within DOD
on grid security, ensuring interagency communication, and setting consistent
standards for DOD contracts that include smart grid and electric infrastructure
work (and hopefully standards more rigorous than for anywhere else).  

To be sure, a lot has happened in just the past year or two
since we began talking to people about this issue. The Commerce Department’s
National Institute of Standards and Technology (NIST) has developed smart grid working and advisory groups
to focus on interoperability standards and other key issues. The government has
conducted major risk assessments and identified areas in need of research and
development. The GAO conducted an assessment last fall focused on improving electric sector cyber
security standards, noting that the Federal Energy Regulatory Commission (FERC)
does not yet have all the mechanisms and enforcement authority it would need
for effective oversight of private industries following recommended cyber
security guidelines.

Many burning questions remain, and seem to be even more
urgent after our off-the-record, this-meeting-never-happened meeting on smart
grid cyber security. On balance, where do things stand, including as compared
to cyber security or insecurity for other sectors?  Does the nature of government involvement and
regulation of the electricity sector make an appreciable difference in
successes or failures to date? What lessons learned are floating around out
there?

I see two key dangers in taking too long to answer these
questions. The first is that there is plenty of room for threats to be inflated
or seen as immitigable. Indeed, it’s with an increasing frequency that I’m
hearing people suggest that keeping the antiquated grid in place without
modernization is somehow the right path. (It is not.) I think these folks took World War Z
a bit too much to heart. The other danger lies in the situation we
found ourselves in upon trying to navigate this issue: that there is so little
clarity to the nature and scale of the problem that solutions are bound to be
incredibly ineffective while wasting massive stacks of cash.

We’re hoping that grid week here on the blog will help
inform you and kickstart a better dialogue on the topic. Stay tuned as CNAS
releases a relevant cyber security report in early June,
and as we continue to point to related legislation that may see the light of
day in the coming months.