Sunday, April 3, 2011

OpenSG And How Utilities Are Missing Out In Smart Grid Security Opportunities

Industry groups are often a good thing for the industries they exist for.  Industry groups allow member organizations to converge and discuss ideas, and hopefully come up with a unified way to improve stakeholder positions.

In order for an industry group to create value for the industry it serves, it is important to have a lot of participation by stakeholders.  It is also important to make sure that stakeholder participation is not skewed to serve one (or more) stakeholder categories over others.

This brings me to OpenSG.  For those not familiar with OpenSG (Open Smart Grid), it is a subcommittee created under the UCAIug (UCA International Users Group) to facilitate the creation and adoption of standards, methods, and guidelines for Smart Grid deployment.  This is a utility industry group, and the intended outcome of the work being done under OpenSG is to come up with a consensus based set of standards and guidelines for all utilities deploying Smart Grid.

Under the OpenSG umbrella, there exists an SG Security Working group, and I have been involved with this group for approximately 1 1/2 years.  In this time (and before I threw my hat in), there has been a lot of progress, and one can view some of the output by going to  One of the more notable pieces of work output is AMI Security Profile 2.0.  This document was used by NIST (among other documents) to assist in the creation of the vaunted NISTIR 7628 document, and is currently being utilized by some larger utilities (such as PG&E) as a guideline for AMI security deployment.

I could go on and on about the task forces under the SG Security Working Group (such as the newly formed Embedded Security Task Force), but this is a blog posting, and keeping it short is important.

Okay, so let me tell you what concerns me.  The OpenSG SG Security Working Group is quite vendor heavy, and utility light.  Sure, we have great participation by some of the "big boys" (e.g. PG&E, SCE, Southern Company, Virginia Dominion, FPL), but we have nowhere near an adequate quorum of utilities participating in OpenSG.  When you consider there are over 2300 investor owned utilities in the USA, as an industry group I would suggest that at least 50% (or 1150) of those utilities should be ACTIVELY involved.

Why is this important?  Well, if it is not already obvious, because utilities probably have a better idea of how their industry works than the vendors do.  Every stakeholder that makes up any industry group is there for one reason, and that is to discover and create opportunities for commerce, or protect their current business model and bottom line (and hopefully make it fatter).  This is normal human nature in the business world, so spare the daggers.

In a vendor heavy environment, the industry group is obviously skewed in favor of the stakeholders who do not have the most at stake.  Security decisions made by utilities are decisions that are going to have far reaching impact for a long time.  While some may find comfort in the fact that large utilities are participating with vendors in making decisions for the industry (and regardless of participation in OpenSG the decisions made by the big boys will affect every utility), it is not wise to assume that what is good for the big utilities is good for the little guys as well.  There is a SIGNIFICANT difference between the security management and deployment capabilities of a utility with 5000 employees and one with 20 employees (or even less).  If vendors and large utilities decide on something like (as an example) a utility managed PKI system for key management, and products are designed to work with such a system, then a small utility may be a bit hampered in their ability to comfortably deploy.

I am not saying that the SG Security Working Group is not cognizant of this.  We certainly are and discuss it regularly.  However, without DIRECT input from the ACTUAL stakeholder organizations, we are forced to make educated guesses, and rely on extrapolation and conjecture in our decision making process.

Utilities who are preparing to deploy Smart Grid technologies have lots of questions and more than a few concerns about security.  There are a lot of very brilliant people working in OpenSG that are happy to freely share a wealth of information about Smart Grid security, and we can all learn from more participation.  We are still at an embryonic state with respect to Smart Grid security, so a little participation is sure to gain anyone who participates a lot of expertise over a short period of time.

Come on in.  The water's fine.

No comments: