15 Percent of Vendors, Utilities Not Testing for Grid Security

Seriously?!

The word of the hour at DistribuTECH 2012 was 'interoperability.' That’s no surprise, since more than half of the utilities' responses to a KEMA survey during the event indicated that they had selected their smart grid technology based on performance and interoperability.

But just a few paragraphs down in the early findings from the survey of more than 100 vendors and utilities, it's reported that, while nearly half (46.8 percent) had tested the security of their systems, 15 percent indicated they would not test security capabilities. “Cyber security awareness is low; it is important,” KEMA said of the findings, “but not a main concern.”

In many ways, the findings are nothing new. A GTM Research Report released last August, The Smart Utility Enterprise 2011-2015, concluded that “GTM Research expects a great deal of uncertainty over industry security to prevail over the short, medium and long term.”

To overcome that security uncertainty, GTM Research said a nationally coordinated response is necessary, but that utilities also shouldn’t wait around for the feds to act.

The threat is not idle. In December, Greentech Media reported on utility cybersecurity vulnerabilities that were exposed by an independent SCADA security researcher. It took a cybersecurity firm just one day to find problems at one Southern California utility.

Fixing the problem was costly for the utility, whereas asking the right questions upfront would have saved millions. For the 38.3 percent of utilities that said they had not yet tested the security of their smart grid systems, now (or actually before they invested) would be the time.

Besides the millions of dollars that it could cost a utility to correct for holes in its armor, having a robust cybersecurity plan is also a customer relations issue.

Take a look at any number of smart meter rollouts, and the security of the data comes up again and again and again. Whether it’s people worried about burglars or pedophiles, the issues of smart meter data, privacy and security are constant fodder for blogs and opinion pages.

But some of the consumer backlash and real-life exposures of security threats are making utilities perk up. GTM Research expects the market for cybersecurity products to grow significantly, from $120 million in 2011 to $237.6 million in 2015, the second largest segment of a utility’s operational growth behind distribution automation.

Security has also become a talking point for vendors. Cisco is pushing its full suite of security offerings for integrating field area network platforms with legacy SCADA systems. On the consumer side, Opower released “Data Principles” that outline its security and privacy commitments.

Although smart meter data privacy garners the headlines, securing legacy devices will actually be the more difficult issue for utilities. And even the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standard won’t be enough.

“Compliance is largely a policy and documentation exercise, while security is an organic and robust business process enabled by technology,” Chet Geschickter warned in GTM Research’s recent Enterprise report. “To overcome the regulatory risk,” not to mention consumer backlash, “the industry must be proactive and rigorous in its pursuit of cybersecurity.” Step one to being "proactive and rigorous" on security is to not have 15 percent of vendors and utilities ignoring the issue completely.