Tuesday, August 3, 2010

Mid 2010 Snapshot: Utilities in Security and Compliance Double Bind

If you're not the head honcho for security at a medium-to-large utility company in the USA these days, you should consider yourself fortunate that, regardless of your profession, your life is much less complicated than theirs. If you are in such a position, you have my sympathy, and depending on how you're managing, my respect.

Seems to me you are in a damned if you do, damned if you don't situation. On one hand, you must do everything you can to keep the processes in place that have kept the customers' lights on 24/7/365 over the past decades of your career. Moving too far too fast with new technology or methods puts that number one metric at risk. On the other hand, in order to put your organization in position to pass its NERC CIP compliance audits and avoid fines and other negative fallout, you're having to substantially upgrade and update the security controls on some of your most important systems.

Like the oft-referenced complex challenge of repairing an airplane in flight, you face the dilemma above in a time of unprecedented change in an industry ill equipped organizationally to make fast changes. For example:
  • In a sector largely insulated from competition, deregulation (in some regions) now adds that factor to the mix. And some of the competitors are from another planet, culturally speaking (see: Google, Microsoft, etc.)
  • AMI and Smart Grid initiatives are encouraging you to connect systems that were once protected, in part, through isolation
  • Business models look like they're in position to turn inside out and dis-intermediation is a real possibility
  • The FERC/NERC CIP cyber security regulatory regime is moving fast; you're given a scant 2 years to turn your ship in the right direction (impossible for some), and rumors of more stringent and burdensome standards coming abound
  • And last but not least, what about the GRID Act? Its passage looks like a near certainty. You only thought you had compliance problems before!!!

Just writing this list gets me all worked up. Time to turn to the timeless wisdom of the Ramones: "I Wanna Be Sedated". OK, better now.

So, in this climate, should you err on the side of doing too much? Moving your org rapidly towards better security and compliance but adding an unknown amount of reliability risk even as you seek to reduce it? Or lean towards preserving the steady state status quo and do too little, and risk getting slammed by fines ... or worse (Stuxnet anyone)? Often there's a middle path you can construct that gives you a nice balance of risk and reward, but I'm not sure that's the case here. But whatever you choose, the rest of us on this blog appreciate the tight spot you're in and will do as much as we can to make your world a little simpler.
