Saturday, June 4, 2011

A Utility CEO Who Is Talking About Security

Wow!  It truly amazes me to hear that the CEO of a large utility is speaking up about the importance of cyber security in the Smart Grid.  Tom Fanning of Southern Company has made the news in the past few days with his declaration that "cyber security issues must be resolved before a so-called smart electricity grid can be fully built" and "Southern Co. hires hackers to identify vulnerabilities" and "the power company gets attacked frequently."

Okay, now let's be fair here.  Southern Company is not the only utility that cares about security, and they are not the only utility that hires hackers to identify vulnerabilities.  They are, however, the ONLY utility I am aware of whose CEO has decided to come forward and speak publicly about their security posture.

Why is this so significant?  Simply put, this is a declaration at the highest level of the organization that security has not been relegated to a lower position.  It is a declaration that "the buck stops here" with respect to security.  You have my respect, Mr. Tom Fanning!

So what else has Southern Company done to back this security stance?  Well, let me tell you.

Southern Company is the FIRST utility I know of in the entire USA to force a vendor to CERTIFY the security of their product through a third party.  Yes, you heard that correctly: they essentially told their AMI vendor (SENSUS) that if they wanted to do business with Southern Company, they had to submit to the Wurldtech Achilles Practices Certification (APC) process.  SENSUS went through this process and achieved Bronze Level Certification.  The Wurldtech Achilles Practices Certification is a certification program originally designed to certify vendors for the oil and gas industry, and its requirements are outlined in a document known as the WIB, a set of security evaluation requirements originally initiated in The Netherlands by Wurldtech and Royal Dutch Shell.  Wurldtech worked with Southern Company to scope a set of certification requirements that could be applied to the electric industry, and SENSUS immediately went to work.  The rest is history.

Wurldtech did not stop there, however.  Nate Kube of Wurldtech and Ted Angevaare of Shell Oil worked with standards veterans Dennis Holstein and Tom Phinney, who have submitted the WIB requirements to the International Electrotechnical Commission (IEC) as a proposal known as IEC 62443-2-4.

Upon learning about this, I decided to get involved.  I have been working closely with NIST, OpenSG, and the DHS ICSJWG for the better part of two years in trying to get some baseline security standards in place for the Smart Grid.  When I learned what Southern Company had done, and that it had led to a proposed international standard, I knew this was significant.  I immediately communicated this information to Marianne Swanson of NIST (who currently chairs the NIST Smart Grid Interoperability Panel Cyber Security Working Group), and she asked me if I would be willing to take the lead in aligning the IEC requirements with the NIST IR 7628 security requirements.  I agreed to do so, and was immediately joined by several of the most active members of the NIST CSWG in building this task force.  I was also selected as a member of the US Technical Advisory Group for IEC TC65 (the technical committee responsible for the proposed IEC 62443-2-4 standard).  Since then, I have managed to engage several large AMI vendors, silicon producers, security product vendors, and consultants in the process.  According to Ward Pyles, Security Analyst at Southern Company, and Nate Kube of Wurldtech, several other utilities in the USA and overseas have now become involved in the process.

What is so significant about this is that it took the EXTRAORDINARY leadership of Southern Company to plant a stake in the ground and demand that their vendors go the extra step toward assuring that a security baseline had been met.  What we all must understand is that the utility is the customer of the Smart Grid product vendor, and the vendor WILL build security into their products if the utility demands it; requiring a vendor to certify against a third-party audit is the only true assurance during procurement that a baseline is being met.  It is still critically important for a utility to perform its own security validation (which Southern Company does), but knowing what the baseline is up front saves the vendor, the utility, and the rate payer (you and me) a lot of time and money.

I hope other utilities follow the lead that Southern Company has established.
