August 17, 2010 By Larry Karisny
This article -- courtesy of Muniwireless -- is an edited conversation with Mike Ahmadi, cyber security consultant and conference chairman of the two-day Cyber Security Conference and Expo that took place last week in San Jose, Calif. Ahmadi offered his insight and reflected on panelists' presentations regarding where we are and where we need to be in smart-grid security.
Ahmadi: Security is a very dynamic environment, and keeping current with what is going on in the world of security is no small task. First of all, despite what anyone may tell you, security is about economics. Ultimately the biggest driver for any organization to secure anything is to prevent getting hit in the pocketbook.
Karisny: Scott Borg, director and chief economist, U.S. Cyber Consequences Unit, addressed calculating the value of smart-grid security compared to the expense of a power-grid security breach. What points did you find most important?
Ahmadi: The most striking point? The economic models he and his associates created showed that 3-4 days without power is essentially inconsequential from an economic standpoint. Any organization can recover from this relatively short plunge into the "Dark Ages." As you approach the fifth day, however, things change quickly. There is a precipitous drop in economic activity, and by the seventh day the economy is at 30 percent capacity. This was quite startling to many in the crowd, and emphasized the importance of not underestimating the consequences of a prolonged failure in the grid.
I would strongly suggest that those who are interested in a comprehensive look at how the Smart Grid will shape the security market purchase Pike Research's excellent report. According to their research, there will be opportunities for security component manufacturers, security software vendors, identity and authentication management solutions, and consulting services (just to name a few).
Karisny: The media has bombarded the public with articles warning of cyber-security threats. How would you assess hype from reality, and what points did your best practices panel make for threat scenarios we should really expect in the next few years?
Ahmadi: The news media is indeed driven by sensationalist and entertaining stories, and this can, at times, lead to those whom a story targets being a bit upset, which can create a cascading effect. Elinor Mills of CNET stated that when she hears information about AMI security flaws, she tries to get information from the vendors, but they either do not respond at all or deliver somewhat canned responses. Robert Former of Itron stated that his employers have instructed him to not share information without prior approval from his organization in order to avoid bad press. What was suggested (and well received) was for vendors and other stakeholders to build a relationship with members of the media in order for them to better understand each other, and that this would perhaps lead to less sensationalism. Hopefully this will pan out, but only time will tell.
Matt Carpenter of InGuardians asserted that the biggest threat will probably come from organized crime syndicates who will use the threat of exploits as a means of extortion. While the panelists acknowledged that random hackers may cause some trouble, they will probably not be as troublesome as some have postulated.
Karisny: I find it interesting that the conference ended focusing on the concern about potential bad press or, worse, press sensationalism. With the importance of moving forward in addressing real smart grid cyber security issues, we need to get beyond government and business political properness and start addressing the real task at hand: