Foreword by Robert P. Lockhart

“Utility cyber security is in a state of near chaos.”

Those words, published in November 2011, earned me 15 min of fame that I would rather not have had. Picked up by news agencies worldwide, translated into several languages, and regularly misquoted as, “Utilities are in a state of chaos”—those 10 words were somehow far more alarming in Google results than they had looked on my laptop. But they were accurate.

If anything, the situation has deteriorated since then. Experts tell me during interviews that they see little innovation in cyber security. One vendor, perhaps in a moment of confession, said, “At every Smart Grid security conference for the past three years, I have seen the same vendors giving the same presentations.” A few innovative start-ups buck the trend, with novel approaches based upon operational knowledge. But the majority of Smart Grid cyber security offerings are recycled financial or health care security offerings with new glossy brochures.

Meanwhile, Smart Grid security standards progress slowly, when they progress at all. One insider described standards-building meetings as poisonous. Once the domain of a few cyber security experts, standards working groups now count membership in the hundreds. Vendors attend to protect their turf. Utilities send lawyers to limit the scope of their commitments. The outcome is no shock: NERC CIP v4, which does nothing more than add 16 clauses to the definition of critical cyber asset, will end up taking nearly 5 years from conception until it is enforceable. Standards are the whipping boy of the industry but they are important nonetheless. Vendors tell me that without standards, they are not sure what products they should build. Likewise, absent standards, utilities are not sure what to buy. But many utilities define their security program as bare minimum compliance with enforceable regulations, which is far removed from actual protection.

To summarize, innovation is on sabbatical while standards advance glacially. Those who would attack our grids must barely be able to believe their luck. While we argue about scope and vote on terminology, attackers—subject to neither standards nor laws—sail full steam ahead. NERC CIP v5, aimed at current threats, will most likely become enforceable 7 years after Stuxnet was created. Waiting for standards is not a plausible strategy to protect Smart Grids.

But there is hope. Despite all the doom-saying, a majority of my research contacts agree that today we have sufficient security capabilities to protect a Smart Grid. The barrier is not a lack of products but a lack of approach. Security budgets remain elusive, often because there is no clear path from investment to protection. I have never met a utility that is against security, but I have met quite a few utilities that do not understand how to get there. Decision makers may not know what goes into a security architecture but can sense something missing in many proposals for security programs.

The missing link is how to apply what we have today to create a secure Smart Grid. Part of my research analyst job is to attend industry conferences—lots of industry conferences. As a rule, vendor-sponsored conferences are the most interesting, because the discussions are nearly all “applied”—real-world problems to solve. The steady diet of theory at general industry conferences is of little interest to those at the coal face. A real-world problem requires application of real-world capabilities. In glossy brochures—like any other fantasy—everything and everyone is perfect. In the real world, often the best choice is actually the “least worst” choice. And that is the heart of applied cyber security, and the hope for securing our electric grids—not theory, but application of real-world security to real-world problems.

The first order of business is to focus on what matters. For all the huffing and puffing about smart meters—their vulnerability to attack, their capture of personal information, their perceived (and disproven) health threats—they have not been the target of major attacks. The most worrisome attacks have been aimed at the control systems that manage transmission and distribution of energy. Hostile nation-states and organized crime consistently target energy supply, not energy demand. There are many possible reasons why attackers have energy supply in their crosshairs and understanding why it is of little value. It is less important to understand the attackers’ psyche than to know with confidence where the next attacks will be aimed.

Despite the record of attacks, smart meters remain the most often discussed topic in Smart Grid security. This may be because smart meters are easy to understand and easy to talk about. They are by definition modern IT-enabled devices, with well-known computing and networking capabilities. By contrast, control networks usually include thousands of devices that we charitably call legacy but are in fact just plain old—with a long service life remaining. How to secure a control network with a mix of ancient and modern devices—that is a real-world application of Smart Grid cyber security.

All things considered, utilities are on their own. In this book, Raj and Eric write directly to the audience that will secure our power grids. In the trenches, cyber security is one of the least glamorous professions imaginable. The day-to-day existence is a nonstop battle for funding, straining mightily against daunting technical challenges, and planning implementations to a degree of detail that is beyond anyone’s ability to imagine. All this for a solution that will be no better than tolerable. There is no such thing as absolute security; the real world of security is an endless sequence of choosing the most palatable option in the absence of a desirable option. It is hard work and success is usually achieved anonymously. But it is enormously important.

Who controls the grid, controls the economy. Each utility has a role to keep that control in the right hands. The time to act is now.

Robert P. Lockhart

Senior Research Analyst, Navigant Research