Cyber Week in Review: May 19-23, 2008

The Week (May 19-23) in Review I thought Dale Peterson’s weekly review was a great idea so I have decided to do my own: Two major events occurred on either side of the country the same day - Congressional hearings on cyber security of the grid and Connectivity Week (Smart Grid) in Santa Clara. The hearings were about the industry and NERC’s inadequate response to cyber security of the bulk electric grid (transmission and central station generation) while Connectivity Week was about the Smart Grid (opening up the distribution system). I encourage everyone to read and listen to the transcripts from the Congressional hearings (http://homeland.house.gov/Hearings/index.asp?ID=143). It is not often you hear Congress threaten to hold NERC in Contempt of Congress for lying. Other items of interest were the dichotomy between Congress (NIST is the gold standard- why isn’t it being applied) and NERC (we don’t want to do it) and to have FERC ask for emergency powers to regulate cyber because it so different than traditional reliability issues. I don’t believe this will be the last time you hear Congress question industry on the adequacy of securing the electric grid. As for Connectivity Week, it was interesting to hear the Automated Metering Infrastructure (AMI) suppliers talk about how secure they were until you started asking the tough questions they couldn’t answer. In private, they would concur they have not secured the demand side management aspect of the meter. An interesting sidelight was the lack of generation and industrial users. If the Smart Grid is really intended to integrate the entire grid including residential, commercial, and industrial users, it is not working. Discussions are on-going on how to get generation and industrial users to be a part of this effort. I had an interesting discussion was with a very influential (Public Utility Commission) PUC Commissioner. The NERC CIPs exclude distribution yet distribution often directly communicates with transmission. Consequently, distribution can be an entry point that can compromise the bulk electric grid. Since the PUCs “regulate” distribution, there are now discussions ongoing about how PUCs should be involved. This same discussion extended to how cyber security of the Smart Grid should be addressed. I also saw a copy of a recent report on how North American and international utilities were addressing cyber security. The report addressed different approaches for reducing cyber vulnerabilities in operational networks. What was missing in identifying the different approaches was explicitly identifying control systems policies and procedures. Considering that most control system cyber incidents are caused by inappropriate policies, procedures, testing, and technologies, I find the results of the report short sided. Joe Weiss