Being a pioneer is not a new thing for California. We can thank California for equal rights, organic food, and much more. We can also thank California for being the first state to enact laws guaranteeing the privacy of data for its constituents, with the formation of the California Office of Privacy Protection in the year 2000.
I can remember when it happened. I was a CIO of a retail company in California when some of the first reports of major violations started to hit the airwaves. The CEO of the company started asking some questions, and I thankfully had the answers he wanted to hear. I had long considered data privacy and important issue, so I took the extra small steps to make it happen. He was pleased, and I think I got a raise.
Interestingly enough, the protection of data has always been THE most important consideration for those who practice the art of IT Security. Information Technology really began as a means of securing financial data, and in the old days the IT department did not fall under the guidance of a CIO, but was a sub-department of the office of the CFO. Once paper was replaced by bits and bytes, protecting the bits and bytes became a very important job, and IT Security became a cottage industry.
Fast forward to the new game in town - Smart Grid Security. Things are a bit different now. While the protection of data is indeed still important, it is NOT the primary focus. Smart Grid Security is focused on making sure that security breeches do not cause the system to slow down or (most importantly) stop functioning altogether. It does not take a lot of thought to understand why this is the way it is. Someone knowing how much electricity Mr. Jones is using and for what is not nearly as devastating as someone having the ability to shut Mr. Jones' electricity off. So one would surmise that the focus of vendors should be on availability and sustainability, and the rules of the game (i.e NISTIR-7628) certainly seem to point that way...
...but wait a minute. Let's examine NISTIR-7628 for a moment. This is where things start to get a bit interesting.
The September 2009 draft of NISTIR-7628, in section 3.2, discusses impact levels of 3 areas where security is an issue. From the document:
3.2 IMPACT LEVELS
The IAC impact levels are low, moderate and high. The levels are defined in Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. Following are the definitions for confidentiality, integrity and availability, as defined in statute and a table that defines low, moderate, and high impact.
CONFIDENTIALITY - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...” [44 U.S.C., Sec. 3542]
A loss of confidentiality is the unauthorized disclosure of information.
INTEGRITY - “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...” [44 U.S.C., Sec. 3542]
A loss of integrity is the unauthorized modification or destruction of information.
AVAILABILITY - “Ensuring timely and reliable access to and use of information...” [44 U.S.C., SEC. 3542]
A loss of availability is the disruption of access to or use of information or an information system.
A table below this section of the document categorizes the impact of security breeches, placing Confidentiality in the medium impact category.
...yet things change a bit with the release of the February 2010 version of NISTIR-7628. From the document, section 3.1:
3.1 CYBER SECURITY OBJECTIVES
In general for IT systems, the priority for the security objectives is confidentiality first, then integrity and availability. For industrial control systems, including power systems, the priorities of the security objectives are availability first, integrity second, and then confidentiality.
Availability is the most important security objective. The time latency associated with availability can vary:
␣ 4 ms for protective relaying; ␣ Sub-seconds for transmission wide-area situational awareness monitoring;
␣ Seconds for substation and feeder supervisory control and data acquisition (SCADA) data;
␣ Minutes for monitoring non-critical equipment and some market pricing information; ␣ Hours for meter reading and longer term market pricing information; and ␣ Days/weeks/months for collecting long term data such as power quality information.
Integrity for power system operations includes assurance that: ␣ Data has not been modified without authorization; ␣ Source of data is authenticated; ␣ Timestamp associated with the data is known and authenticated; and ␣ Quality of data is known and authenticated.
Confidentiality is the least critical for power system reliability. However, confidentiality is becoming more important, particularly with the increasing availability of customer information online.
As the document continues on, the impact level table becomes more granular, and discuss the impact by logical interface, confidentiality coming in 3rd place (as the opening statement indicates).
So what am I saying here? I am trying to make an important point. The protection of data privacy is not a primary consideration at the Federal level (or so it would appear from the February 2010 document), and I have to agree that this shift in thinking certainly seems to make perfect sense when you consider the impact of the system shutting down when compared to the impact of a breech in confidentiality. However, California, remember has their own privacy laws that, essentially, make privacy a PRIMARY consideration. In fact, I believe that is why the September 2009 document put confidentiality higher on the priority list.
So one can perhaps safely surmise that vendors have been forced to build privacy into the systems they are deploying in California in the absence of any solid standards from the Federal government. I say this because, as anyone who has been following the development of smart grid standards is keenly aware, the standards are currently in a state of flux (as can be seen by simply comparing versions of NISTIR-7628).
So even if the final standards place confidentiality dead last in consideration, with California leading the way AND having their own rules to follow, it stands to reason that vendors are going to have to build privacy into their systems, or potentially face elimination as they attempt to grab a piece of the pie. It also stands to reason that privacy will become a much bigger consideration as the deployment grows, and as data management becomes a cottage industry (i.e. 3rd party companies providing services to consumers based on their usage data).
As the saying goes "As Goes California, So Goes The Nation"...like it or not!