I was enjoying lunch yesterday afternoon with my family when my iPhone sent me a push notification from CNN that the US had mounted an attack on Libya. My brow immediately became furrowed at this news, since we are all keenly aware of the billions we are spending on wars today, and Libya now represents more opportunities to spend untold billions fighting yet another war (spare me the correction for using the term "war").
At my recent Smart Grid Security East Conference, I had a great panel with representatives from the US Department of Energy (DOE), the Federal Energy Regulatory Commission (FERC), and the North American Electric Reliability Corporation (NERC). I called this the "Super Panel", since we had all the major Federal decision-making organizations on stage at once discussing Smart Grid security. I asked a simple question: "From a distribution perspective, meaning the part that deals with Smart Meters and the consumer, who is in charge of security?" The answer was the same across the board. The Federal government is not in charge. It is up to the States, meaning the Public Utility Commissions.
I then brought up a point that I continuously keep bringing up whenever anyone will listen. State PUCs do not have any resources to address security. The California Public Utility Commission, which is one of the largest in the country, has no staff dedicated to Smart Grid security, and very little in the way of knowledge of security. I know this because I have spent quite a bit of time working with the CPUC (voluntarily) in the past year. Some of them are eager to learn, to be sure, but they are a long way from being able to make decisions that will adequately address security issues.
I brought this up to Bill Hunteman, who is the Senior Advisor for Cyber Security for the US Department of Energy (and a very wise man), and he told me he is well aware of this issue, and the DOE is well aware of this issue, but (for now) there is nothing they can do about it, because they simply do not have the funding to address this issue. I asked about where the funding needs to come from and he (and the rest of the panel) told me that it has to come from Congress.
This seems simple enough. Congress likes to spend money to fight wars, and we are being attacked on a constant and consistent basis on the cyber front, so what's the problem?
I am not sure what is going on here. Mr. Hunteman also mentioned (on another panel) that the Federal government is considering pulling some of the DOE funds they had allocated for addressing the Smart Grid, which was in response to a question I had asked regarding the likelihood that Congress would release additional funding to address cyber security for the Smart Grid. This made me feel more than a bit concerned, since we are currently addressing the security of our critical infrastructure through the voluntary efforts of a bunch of people who are essentially only doing so in hopes of future opportunities for commerce. Make NO MISTAKE ABOUT IT!
Congress and our President have authorized somewhere close to a billion dollars a day for our ongoing war efforts. I have heard estimates of between $700 million and a billion a day. If we took 1 billion dollars out of the budget for fighting wars, that would mean that we could give each state $20 million in financial resources to address cyber security. I know that the California Public Utility Commission could certainly use the money.
This past week the big security news was about a compromise of RSA's SecurID system. This is used extensively in both enterprise and government, and has caused a great deal of concern in the security industry. We are still not sure how severe the damage was, but nobody I know in the security world is particularly surprised that the exploit occurred. We EXPECT exploits of this nature to happen, and we KNOW they are only going to get bigger and more sophisticated.
It is really only a matter of time before our critical infrastructure is hit with the mother of all attacks, and when that happens I am not sure Congress and Mr. President are going to be able to offer anything to us.
Again, just my opinion.