Tuesday, April 13, 2010

Gartner Weighs in on Smart Grid Security

When I saw the title of the Gartner Group's recent short analysis of our space, titled "The Myth of Smart Grid Security", I was taken aback, mainly because there is so much written in the press about the worries of Grid insecurity. How could smart grid security be a myth, when there is little or no consensus that such a thing even exists in the first place? Andy and I spend much of our time here on the blog simply working with folks to realize that there are changes brewing that require something new and unique that one can call "Smart Grid Security", and we almost never encounter anyone who is implementing a trial, or researching new interfaces, or driving policy change, that doesn't already consider the Smart Grid to be in pretty desperate need of some shoring up. With that in mind, I was naturally curious about what Gartner had to say about the space.

For those of you who may not be familiar, large analyst firms, like Gartner, do much to pull the followers in the market along, taking information from the market, from their clients, and from vendors, and synthesizing projections about where a technology or trend is likely to go. They create lessons from the leaders that will help to drive less painful and better informed decisions by those who will come after. Their involvement in this space, Smart Grid Security, is a good indicator for all of us, because it means that people are becoming aware enough, and concerned enough, to spend their time and money asking questions of Gartner about what Smart Grid security means.

As I mentioned, I was uncomfortable with some parts of the report, starting with the title, so I had a conversation with one of the study's authors, Earl Perkins. Earl and Paul Proctor had created this report as an interim and limited view of the space to raise awareness as they continue to perform research for a more complete analysis to be delivered in the future.

For those of you who have not yet seen the report, it breaks up into two fairly distinct parts. The first section is directed at organizational responsibility, changes, and concerns. Who in a utility organization cares about security? Where should security direction come from? What behaviors could be setting utilities up for failure? The second section of the report drills down on issues related to AMI, ( which Gartner insists on referring to as "Automated" Metering Infrastructure, in spite of its importance to many issues beyond automation ). This section talks about a variety of threats, steps to take and avoid on the path to implementing advanced metering, and how to deal with generic concerns like acquisition, incident response, and authentication and control of meter functions.

While there is some of the hyperbole that characterizes most early analysis of a new space, particularly a security space, there are some good points to take from this report. For readers of this blog they may seem like things you have heard before, but the credibility of a Gartner report may help to bring more attention and focus than your own research, or information you may find on our blog. Andy and I are always looking to inform you with good questions as much as answers in this early stage, and the Gartner guys ask some important ones, such as this:
"Have we established a cross-functional organization that knows the issues, requirements, priorities of smart grid security? Have we funded those organizational changes?"
This type of roll-out and investment may seem several steps away for early adopters of the Smart Grid, but this type of report is not approaching Smart Grid Security from the leading edge, but with a goal of informing those slightly later arrivals who will be trying to systematize all the advancements that we are seeing. Organizational and budget issues will, for those groups, be harder to unwind, and will require more lead time, than the technical choices and challenges of the early days.

In the end, though, I did come back to the title, and to some of the statements within the report that gave me pause. It wasn't until I spoke with Earl that I understood the fundamental disconnect. For us, and for most of you that read the Smart Grid Security blog, there is a clear understanding that we need to do something new and special to ensure that the Smart Grid is secure. From that perspective, any "Myth" about Smart Grid Security would be a reference to a false sense of confidence in all of the new effort that is being applied at utilities, NIST, NERC, and other places, in terms of impact on actually creating a Smart Grid. The eye-opener for me from this conversation was that for many of the utilities that speak to Gartner, the Smart Grid is expected to be secure, whatever that means. The report was geared to a Gartner audience that is just now entering into the Smart Grid space, and that first must take the lesson that we have been speaking together about all along, that the Smart Grid will only be secure if we make it that way.

While the report may be brief, and is not intended to cover the breadth of infrastructure and infrastructure risks that we are now already considering, it is a good first step. In the late 90's, the attention of Gartner and other major analyst firms brought internet security concerns and information to CIO's who were just starting to get involved. A Gartner report can be an important artifact for those who may be trying to get a slower-moving organization to progress, who need to ask for headcount or budget, or for those who have been looking for a sign that the mainstream is catching up to the Smart Grid Security message.

We welcome them to the party.

Photo Courtesy of flickr

No comments: