Tuesday, February 2, 2010

Auditing Smart Grid Security

In my quest to better understand Smart Grid security initiatives, I have managed to gather quite a bit of useful information regarding emerging standards, layered security, and real world deployment of security in the Smart Grid. It is still a work in progress, but it is progressing, and a lot of smart minds are fueling that progress. This is all very good.

What seems to be missing, and perhaps remains as a great opportunity for those making the "land grab" on the smart grid is a cogent auditing and control methodology specifically targeted towards Smart Grid security. What I am talking about is a set of auditing requirements similar to what we see with the FDA.

Okay! Granted, the FDA is not perfect. They are not even close (in the opinions of many, I am sure). Nonetheless, the rigorous auditing procedures that health care organizations who fall under their requirements must adhere to do indeed serve two very important purposes. The first purpose is in forcing organizations to follow best practices and keep very good records (some better than others, I am sure). The second is instilling confidence in consumers globally. Did you know, for example, that FDA clearance/approval in the USA essentially guarantees clearance/approval anywhere else in the world?

At the heart of this process is a set of great auditing procedures that have been hammered out over the 100-plus years the FDA has been in existence, and many organizations have made a cottage industry out of providing auditing services for the organizations that need to fall in line. Organizations such as the American Society for Quality (ASQ) have created certification programs for auditors for the health care and essentially every other industry.

...but I am trying to get to a point with all this. I am trying to deal with a somewhat significant challenge. The standards being proposed by the NIST Interoperability Document Version 1.0 alone encompass somewhere around 75 different standards. This can serve to create quite a bit of consternation and confusion for some, but bear in mind that there are literally hundreds (if not thousands) of standards used in the health care industry to "secure" our well being. Rather than focus on what specific standards are followed, auditors look at the big picture created during an audit, and determine if it passes the sniff test. If it does not, then it's back to the drawing board.

This is not a joyful occasion for anyone involved (including the auditors), but it does lead to better products and systems (as well as annoying bureaucratic messes). Yet what makes this work is properly designed and well-vetted auditing guidelines and procedures.

We do not, unfortunately, have 100 years to iron out the inevitable wrinkles of Smart Grid security deployment, but we do have quite a few great auditing professionals (quality professionals, in fact) hard at work every day, and many are still looking for work in this down economy. With 100 years of well documented procedures in place for the FDA, one could indeed surmise that the application of the same (or at least similar) methodologies could SIGNIFICANTLY curtail the development of a workable Smart Grid security auditing procedure.

...I'm just saying.

