Sunday, April 18, 2010

The Grid Reliability and Infrastructure Defense Act- Better Late Than Never

As I have discussed many times in the past, security is primarily driven by compliance.

Wait...let me back up for a moment.

While many organizations (and particularly those who are involved in The Smart Grid) are indeed elevating security on the priority scale of "things we gotta do", we can be certain that any organization that has felt the pain of an attack will do more to secure their deployments than one who has not had the displeasure of being "owned" by an attacker. While some may argue that this is not the best way to get security into a system, I will argue that it is indeed the most effective driver of security. It is human nature to react to known dangers rather than proactively defend themselves against them. Moreover, we tend to proactively secure ourselves only if the known threats are directly experienced. Simply knowing someone who has been mugged in "the city" is not enough to get most people to become exceedingly aware of their surroundings, after all.

So with the Smart Grid we are in a situation where vulnerabilities have been discovered, and many more have been theorized. While nearly everyone who is involved in Smart Grid is indeed paying attention to security, turning that into "action items" remains a bit nebulous. Utilities who are actively deploying AMI (such as PG&E and SCE) are indeed focusing what I believe are tremendous (and competent) resources on Smart Grid security, and others are paying close attention (as I have gathered from various Smart Grid groups I am involved in). Vendors have created cyber security specific positions and departments. Security consultants are now specializing in smart grid security consulting. The US Government has several groups addressing the issues (FERC, NERC, NIST, DHS, DoD) in various capacities, and the list goes on and on.

The reason I say this is all a bit nebulous is because so far we have been lacking an authoritative mandate for Smart Grid security. Sure, NERC has been working on compliance and auditing standards (NERC-CIP 002-009), but neither NERC nor any other entity has the CLEAR authority to "lay down the law" as far as Smart Grid security is concerned. Each individual state has the power to halt Smart Grid deployments (I would surmise) for any reason whatsoever, but at a national level it is still very laissez-faire. The unfortunate negative consequence of this is that states (such as California) have adopted a bit of a "hurry up and wait" mentality about security (despite the fact that California doing this with voting machines was an epic disaster). This is never a good thing, because if (and when) security issues manifest themselves, the typical response is to halt progress until a resolution is reached (again, such as happened with voting machines). This is, to say the least, very irresponsible, because as far as the Smart Grid is concerned we NEED to have it deployed NOW in order to deal with the ever increasing demand for electricity. Consider electric cars, for example. Exactly how do we expect to manage load if California has millions of electric cars plugged in and charging on a hot summer day? Our current system can barely manage the load with no electric cars on the road, with high peak air conditioning usage days leading to power outages. We NEED the Smart Grid.

I was happy to see an article on that spoke of the House passing the Grid Reliability and Infrastructure Defense Act (GRID) which seeks to up the ante on FERC to take control of security issues affecting the Smart Grid. I am not generally fond of Congress passing laws that serve to penalize those who do not comply, as this generally leads to more consternation and less solution (in my opinion). So I was happy to see a section of this bill which seem to instead focus on providing resources to entities that are deploying the Smart Grid. From the bill:

COST RECOVERY.—If the Commission determines that owners, operators, or users of the bulk-power system or of defense critical electric infrastructure have incurred substantial costs to comply with an order under this subsection and that such costs were prudently incurred and cannot reasonably be recovered through regulated rates or market prices for the electric energy or services sold by such owners, operators, or users, the Commission shall, after notice and an opportunity for comment, establish a mechanism that permits such owners, operators, or users to recover such costs.

Now I know this is not very specific, but it does seem to address perhaps the biggest concern businesses involved in Smart Grid deployment may have in addressing security - COST $$$$.

It is not a law yet, and it may indeed go through some changes (perhaps not for the better) as it makes its way towards becoming a law, but I have high hopes.

...and hope springs eternal.

No comments: