What struck me as interesting, however, was a point that was raised by Dr. Fred Cohen, who delivered the keynote address on the 2nd day of the conference. His presentation focused on the lack of (and need for) security expertise in the ever expanding cyber world, and some proposed solutions (which included a bit of self promotion, since Dr. Cohen is currently operating a school specializing in security related academics). Something he said struck a chord in me, and while I have been aware of the situation for quite some time, I have been pondering it quite a bit the last several days. What Dr. Cohen did was posed a question to the audience, asking how many attendees were CEO's (or top level executives) of either AMI vendor organizations or utilities. Nobody raised their hand (and, in fact, nobody at that level signed up to attend the conference), and Dr. Cohen proceeded to point out that until management at that level takes an active role in dealing with security, we will continue to witness a shortfall in security.
Okay, in all fairness this was the first Smart Grid Cyber Security Summit, and CEO's are busy people, and who the heck am I anyhow? Yet his point still rings true in the security world.
The fact is that CEO's simply do not participate in the cyber security ecosystem at any appreciable level, and that leads to the obvious question "Why should they?"
In a word...MONEY!
A CEO's job, after all, is to make sure the organization's income level goes up and the amount of money leaving the company does not go up faster than what is coming in. That is the essence of what being a successful CEO is all about. If the company is publicly traded, then it is all about keeping the stock price from falling. No matter what anyone tells you, that is the name of the game, and always has been, and always will be.
So that brings us back to security. One of the most difficult expenditures to justify to a CEO is the cost of security. Trying to demonstrate a return on investment for security is next to impossible. Security is simply not considered a feature a customer is willing to pay for. Rather, it is something that customers expect to be part of "the package". Customers of AMI vendors, for example, want a decent meter at a low price that also happens to be secure because there are enough people "out there" making enough noise about Smart Grid security to get their attention. This noise includes the government, bloggers, the media, security "hobbyists", security professionals, and privacy proponents...to name just a few. While this may be enough to get the attention of decision makers, it is generally not enough to get decision makers to dedicate any more resources than necessary to divert the attention from their organizations to someone else's. If a top level decision maker believes the attention is (or may) negatively impact the bottom line, more resources are generally expended. Now I have to say that I may be painting the corporate world with a very broad brush, and I am sure that there are some high level executives that want to do the right thing because it is the right thing to do, but their ultimate survival depends on keeping the company cash flow positive and profitable. Stockholders simply do not reward any other behavior.
...and security can be very expensive. It is especially expensive if it is poorly done, and really amounts to a waste of time and money in such cases. If it is not part of the design, it can mean lost revenues due to customers going to a competitor, or it can amount to outright devastating losses in the event of a serious malicious attack. Imagine an AMI vendor that installs 20 million meters and it is later determined that the meters are vulnerable to a very serious security related threat that requires an outright replacement of meters. I am not talking about something theoretical, but rather a vulnerability that turns into a real world exploit. An attacker does not need to, for example, shut down power to millions of people in order for the exploit to prove effective. A few thousand is plenty (maybe even less). It does not take a massive failure of all systems to negatively impact the reputation (and market cap) of a company.
Just look at what happened to both Toyota and BP. It only took a few failures for Toyota to lose billions in market cap, and 1 major failure for BP to lose so much market cap that it dramatically impacted the retirement accounts of millions of British citizens. If a major publicly traded utility should become the victim of such unfortunate circumstances, what potential economic impact could this translate to? The answer is really a big unknown.
It seems prudent, at this point, for CEO's (and other top level executives) of organizations involved in the Smart Grid to become a bit more involved in actively participating in the world of Smart Grid security. One utility representative at the conference mentioned that the high level executives literally pour money into security when they discover that they are about to be audited by NERC, but other times are not so willing to open the coffers. This really does not make sense, and is not indicative of due diligence. If high level executives had a better understanding of the ecosystem, and the concerns of stakeholders, and the dynamic environment surrounding Smart Grid security, then they could make better and more informed decisions on where and how to dedicate resources. It comes down to being proactive rather than reactive.
I am planning to hold another Smart Grid Cyber Security Summit in the near future. I will make sure to reach out to the CEO's of utilities, AMI vendors, and other stakeholder organizations involved in building the Smart Grid. I am hoping they will view this as an opportunity to become part of the solution.
...because otherwise they may indeed be part of the problem.