Tuesday, December 6, 2011

Take Your Pick

In the recent TechNewsWorld article by Richard Adhikari "Study: Electric Grid Needs Full-Time Cyberguard," I was quoted as saying "We would welcome a single authority." At the end of that sentence, I also said "whomever that may be: DOE, DHS, etc." Note that I wasn't favoring any agency over another. The discussion was in reference to a recent report released from MIT, "The Future of the Electric Grid."

It is certainly true that the legislative, regulatory and overall policy sands are shifting. The existing bulk power system security regulations (NERC CIP) are changing. Multiple federal agencies are competing for control over the authority for grid security. The Distribution system, with its deep relationship to the consumer side of the grid modernization (smart grid) push, is hotly contested between the State Commissions and the feds.

All of this confusion has a numbing effect on the utility executives. They are traditionally risk averse to begin with, and the policy forecast essentially indicates a 70% chance of storms ahead. The unintended consequence is that many organizations will only do the bare minimum required to be compliant with today's regulation. It is difficult to justify dedicating resources to future efforts when there is a significant possibility that things could change and that money may have been wasted.

With all of this churn, yes, I do think that some focus and harmonization in the policy landscape would be a good thing. Who can do this best? Well, the jury is still out on that one. I think all of the proposed agencies have their pros and cons. Ask me again in a year or so.

Friday, December 2, 2011

14 Seconds

I'm still a nobody (so I don't really qualify for a full 15 seconds) but I've been getting some media hits lately. Everyone told me, and I believed them to a certain extent, that everything you say can be twisted. I've dealt with many people who do just that and I have always felt that the truth will surface no matter what. Truth is like data. It wants to be free.

I sincerely make every effort to be balanced in my statements/positions and always say the good with the bad. My personal belief is that there's always good to be found. At times when I can't see it immediately, I try to drop the ego or emotion and look a little deeper. Invariably, it's there. With this in mind, I decided to dust off my personal blog and use it as the future platform to correct any misstatements, quotes taken out of context or just add the "whole story" where necessary.

So, let me start with the recent set of articles about various SCADA security topics (http://goo.gl/Kty17, http://goo.gl/KcvCh and http://goo.gl/txIDp). It is true, those statements are mine, and I did provide them in email interviews. They're actually pretty close to the mark, but I'd like to add a few of my other statements that were omitted, just for context...

"All of the above (and more) lead to a state where many are forced to operate with aging infrastructure extended beyond its lifespan. Note however, that many staff at municipal utilities are actually remarkably dedicated and resourceful people. They have to be, given the circumstances."

"The threat is somewhat exaggerated, but it is still very real. The vulnerabilities are underestimated."

Please understand that I'm not casting aspersions on the Municipal Utilities of the world. Some are further along the security maturity path than others, but I have worked with many of them and I find them to be amazing people and amazing organizations.