Tuesday, March 9, 2010

Getting Started and Smarter

“There are two mistakes one can make along the road to truth...not going all the way, and not starting."

- Prince Gautama Siddhartha, 563-483 B.C.

It is clear that the Smart Grid has developed a form of its own momentum, and it is a momentum expressed in dollars (planned, if not spent). Many of the projects are just beginning, and much of the funding is yet to be disbursed, but there are important steps that can be taken now. These are steps that will be much harder to apply once the projects hit full speed in their deployment, and there is a need for some thought before urgency begins to trump security.
Whether one looks at the security components of the SGIG planned investments totalling $3.4B, or at the results from Pike Research which call for $21B to be spent on cybersecurity over the next 5 years, it is obvious that the context for these decisions will be broader than any single initiative, and that security will need to hit the ground running when these funds begin to flow. Forward-thinking Smart Grid security planners are looking for things that they can begin working on now, in the relative calm before increased funds and expectations accelerate and super-heat any plans for securing their new efforts in the Smart Grid.

As 2010 was getting started, I was asked by Forbes.com to create a prescription for better security in the new year. My advice was geared to a general market request, and not focused here, at the Smart Grid, but some of the same recommendations that will help a bank or a retailer to be better protected can channel this new wave of investment in secure directions. Because some of this is going to take some space to describe, I'm going to break this up across two entries. This first will focus on the "Why and What", and the second will address the follow-through.

Understanding Motivations

There are not a great many people who will argue that the Smart Grid does not have to be secure, but there are multiple underlying reasons what that security is or is not going to be a priority. The very first step in thinking about how to secure new Smart Grid projects is to understand why that security is important to your organization. It is important, at this stage of planning, to remain focused on the core question of "Why", and not get wrapped up in what it means to be secure. Motivation may be a need to fulfill all security deliverables as specified in a grant request, or it could be a recognition that rate payers in a region are particularly sensitive to privacy concerns. As an example, we wrote back in September of 2009 about NISTIR 7628, and its emphasis on the integrity of data and services. A utility would consider this direction an important driver of security, but it would only rise to the top if compliance with likely NIST guidelines was going to be the primary measure of security success within that organization.

This is not a distinction without a difference, because the coming investment and crisis of time and resources will force some pretty hard decisions, and internalizing the organization's motivation (compliance vs. profitability, adoption rate vs. energy savings, etc.) will prevent whipsaw decisions in the face of conflict.

Another area to examine is the group of individuals who will be driving Smart Grid initiatives, those that will be looking to measure successes and challenges. In some cases, the motivation can be defined simply by a sense for the downward facing pressure that is applied. At some point, however, someone has been driven by a concrete need that they are looking to fulfill, and that organizational dynamic will have much to do with ensuring sufficient support, resources, and visibility. Understanding where this critical connection is made will help to inform frequency and style of reporting, champions necessary for planning and budgeting, and the right place to go when things change or slip. In this way it becomes clear that motivation has three faces: the motivation behind the program, the motivations of the individuals supporting it, and the motivation to prioritize security among a variety of competing areas.

Determining what needs to be secured
It will be impossible to have any sense for the state of security in the new Smart Grid environment unless time is taken to inventory and understand its many components. As with any type of security, the first step that will generate a reusable artifact is this inventory. There are different approaches to take. In the actual practice of improving security, all of these approaches must be balanced, but in performing the unweighted analysis of areas requiring protection, it is helpful to limit the view to a single perspective. While fleshing out the actual plan, priorities, balance, and integration of approaches will be critical, but this is more about identifying areas, and less about articulating security strategies for those areas. Here are the three of most common lenses:

  • Data Oriented
    In a data oriented view, the security approach is driven by consideration of the types of information that will flow into and through the system. The inventory will contain elemental-level identification of data from customer meters, from other providers, rate settings, internal financial systems, customer interaction portals, etc. Each of these elements is then tagged with security characteristics. These include privacy, lifespan, destruction methodology, communications required, online storage capability, and any other security-impinging implication of internal or external requirement.
  • Function or Service Oriented
    A different view, and one that can be more suited to integration efforts of existing systems, focuses on the action functions or services that the new systems are intended to provide. In this model, the security of new systems that are to be developed are first understood through their specifications. Items to include are lists of all existing systems that are touched, and all platforms that will be integrated in the planned infrastructure. Each of these connection points should be assessed for existing of appropriate security characteristics such as authorization, encryption of data in transit and storage, auditing and logging requirements, and expectations of platform stability and security.
  • Threat Oriented
    Longtime security devotees and practitioners have traditionally favored a threat-based approach. This involves an inventory of the active risks that will confront the system once it is deployed. At a high level, these include areas of exposure to external hacking, internal attack and data theft, malicious code, data corruption, and the breaches of ancillary but connected systems. Each of these risks is noted, as is the area of the system that is likely to be impacted. This inventory is later balanced by likelihood of actual breach, and appropriate mitigating controls can be applied.

    I like this methodology least among the starting techniques because it tends to be a limitless list, expanding with each creative turn of the listmaker's mind. Given the newness of IT security in the pantheon of concerns around the Smart Grid, and given the disparate skill sets that describe Utility security professionals and their IT-soaked cousins, this list will naturally be incomplete. A second negative about this approach is that it is one step removed from actual knowledge of what to do to address the issues. Any threat can typically be addressed from multiple perspectives, and divining which approach to take for each vulnerable area is always more time consuming than starting with a good asset (data or service) inventory security model, and only then applying a threat-based technique to look for holes.

Understanding the extent to which security is going to be a priority, aligning effort to the underlying motivation for that direction, and then mapping out areas of necessary consideration and investment, will help to frame a successful security strategy. There is significant exploration and investigation work here, but it can create a much more comprehensive backdrop for security decisions, and will absolutely improve the manageability of the project once in action.

So far, we have been looking at the initial exposition stages of the security plan for Smart Grid initiatives. There has not been consideration of the next steps to take in drilling down to forms of action, that will be done in a later entry to the blog. This does not mean that completing these tasks in not valuable in their own right. The artifacts that will emerge will be a living list of areas to watch, and can be used as anchors for new efforts, consistent reporting, and measures of progress. The discussions that take place during their creation will serve to raise awareness and sophistication of understanding among many parts of the organization, and that will grow organically as these efforts mature.

Photos courtesy of:

No comments: