Friday, October 19, 2012

Security guru Richard Clarke, industry practitioners weigh in on cyber threat


Washington loves a good acronym, and when it comes to cyber security, Richard Clarke has a great one: CHEW.  The renowned national security expert who served three presidents as senior White House advisor spoke last week at ABB’s Western Utility Executive Conference in Pebble Beach, CA, and outlined what he sees as the four main threats in cyber security.  They are, in order: crime, “hacktivism, "espionage and war.

On this last element, Clarke made the point that cyber war was not merely scrambling databases in some faraway computer system, but using digital means to affect the same ends as conventional war, namely “blowing things up.”

That may have sounded a bit hyperbolic, but Clarke offered numerous examples not only of potential threats but of cyber attacks already carried out.  So far, these have been limited to less explosive, but no less effective, results such as the presumably Russian effort to wall off Georgia’s access to the internet and disrupt its banking system during the 2008 South Ossetia war.

Indeed, Clarke noted, breaches are happening every day and he expressed particular concern over the power grid as “the first target everyone talks about because everything depends on electric power.”

He also spoke plainly about what he saw as a widely held impression in Washington that the power industry is “resistant” to dealing with the cyber security issue, seeing it as an invitation to burdensome regulation.

Clarke’s remarks were followed by a panel discussion led by Industrial Defender CEO Brian Ahern that included DTE Energy Division Information Officer Mike Carlen, Commonwealth Edison Vice President of Information Technology Mark Browning, and FirstEnergy Vice President of Distribution Support Steve Strah.

Ahern began by seemingly confirming the Washington consensus, at least in retrospect, by noting that the early days of his company were spent evangelizing the importance of cyber security to a power industry that at the time did not see it as something broken that needed to be fixed.  That was then.

Stuxnet, in particular, served as a wake-up call and now Ahern finds a much more receptive audience in the utility C-suite.  This was borne out by unanimity among the panelists in terms of a) recognizing the threat of cyber attack is real and b) making a financial and managerial commitment to addressing it.

“The cost of doing nothing is far too much,” said FirstEnergy’s Strah.  “Presented with relevant facts regarding cyber security incidents, from a risk management standpoint, we have to take it seriously.”

To be fair, what resistance there is in the industry can be chalked up to the challenge of simply getting a large entity like a utility to embrace change.  This is culture shift on a massive scale, and it will take time.  However, regulators have a role to play, too.

NERC’s current cyber security regime, for example, requires some parts of the utility’s network to be secured while others are not.  That could be problematic.  Ahern said he expects NERC will soon extend its Critical Infrastructure Protection (CIP) requirements beyond the generation and energy management systems it covers today to include all aspects of utility operations.  In the meantime, though, utilities will have to manage their compliance with an evolving standard.

Compliance and security are two different things, however, and as DTE’s Carlen stated, “Security trumps compliance.” 

“We will be compliant,” he said “but being compliant does not guarantee you are secure.”

The three utilities represented on the panel are therefore moving forward aggressively to propagate a culture of security, not simply compliance, across their organizations.

Still, that won’t be enough, according to Clarke.  Given how reliant all industries are now on third party software, he encouraged the executives in attendance to look beyond their own companies and apply the same rigor to their supply chains as they do to their own operations. He described the need to build security into the development process from the very beginning, and cited the financial services industry as one sector that has done this with some success.

Clearly there is much to do on all sides, but government and industry would be well advised to adopt a cooperative approach when it comes to cyber security. 

“Government should be rewarding the private sector for investments in cyber security,” said Ahern, and he pointed out the importance of safe harbor protections so companies can share information about attacks as well as best practices without fear of legal retribution. 

Leveraging each other’s experiences, he explained, is the best roadmap to a more secure power grid.

Tuesday, October 16, 2012

“Where’s the Big Data?”

Chris Lemay from Ventyx, an ABB company, provides some additional input to the comments I posted in August regarding “Big Data.” He touches on the three “Vs” of Big Data: velocity, volume, and variety from an electric utility viewpoint. Some of the industry experts extend the discussion to four “Vs” or even five “Vs” by including the Variability of the data which is the inherent fuzziness of the data in terms of context and meaning. The fifth “V” is Value which is quite important since Big Data becomes an academic exercise if no value is created.

----------------------

In his August post, Gary pointed to the growing trend of utilities investing in Big Data. It’s probably healthy, however, to have a dose of skepticism around all the hype. After all, even 10 million of today’s smart-meters will take a decade to generate over a petabyte of data. Looked at objectively, the sheer volume of data generated by the smart grid is dwarfed by what financial and retail market players experience. That’s where the other aspects of “Big Data” come in to play: velocity and variety.

If you’re familiar with utility control room operations, you already know about data velocity. The electric grid is real-time; supply and demand need to be kept in balance at all times. Traditionally, we’ve managed with a limited amount of SCADA and a healthy contingency margin on supply. However, the intermittency of renewables and moves to shift peak consumption are driving a need for smarter management of the end-to-end grid. Better control systems are needed to manage a greater variety of supply sources, including distributed generation. In order to make more optimal use of the available capital resources, we also need more accurate and more granular predictions of demand, so that supply and demand can be managed together. Although the volume of data exchanged between the various devices on a modern grid may be modest by “Big Data” standards, the requirements for speed and accuracy of analysis are very demanding. 

Utilities are also very familiar with data variety. This is especially true if you wander out of the control room and into the field. The data utilities have about their assets is so varied and scattered that gathering it all together for a complete picture of the health of each asset is a daunting task. The first problem is that most utilities have many silos of information. One example is that information collected by operations about assets isn’t usually available in the maintenance department and vice-versa. Through consolidation, many US utilities also have geographical or organizational silos of information that make it difficult to get a consistent view of asset performance in different parts of the enterprise. Another source of data variety is a by-product of the fact that most grid assets have a long lifetime relative to the IT assets collecting and storing the data today; it is likely that there is much less data available on assets commissioned 30 years ago than those installed in the last decade. Furthermore, as sensors on assets and in the grid are added or upgraded, they produce a richer variety of information about these long-lived assets. Utilities need IT systems that are flexible enough to handle these changing sources of data, and are also extensible so that they can also handle less structured data such as observations recorded by technicians in the field, and even images taken of assets over their lifetime.

Writing in the October 2012 issue of the Harvard Business Review, Andrew McAfee and Erik Brynjolfsson state that they are “convinced that almost no sphere of business activity will remain untouched by this movement.” Although the “Big Data” needs of utilities are somewhat different than those of other industries, I believe it would be na├»ve to think that the increases in data volumes, velocity and variety will not transform their business practices in a significant way. Putting in place the new technology and adopting the new processes to take advantage of this revolution in data acquisition and processing is just one more component of the smarter grid.
---------------

Thursday, October 4, 2012

Virtual tour of ABB's Smart Grid Center of Excellence

The ABB Smart Grid Center of Excellence (COE) located in Raleigh, North Carolina, provides utilities a single point of contact to leverage ABB's proven expertise as a worldwide Transmission & Distribution (T&D) Operations Technology (OT) and Information Technology (IT) system provider. The COE displays many of the products and solutions from ABB's smart grid portfolio and allows utilities to get engaged with live functional demonstrations of cutting-edge smart grid technologies.

Watch the virtual tour below to see what the ABB Smart Grid Centre of Excellence has to offer. For more information about the COE or to schedule a live tour, visit the COE web site or contact us at sgcoe@us.abb.com.