Pike Research Blog

Are Cyber Security Attacks Really Multiplying?

Bob Lockhart — April 6, 2012

The New York Times recently reported that there had been “86 reported attacks on computer systems in the United States that control critical infrastructure, factories and databases,” compared to 11 attacks in the same period a year earlier.  Data came from the U.S. Department of Homeland Security (DHS).  I’ve spent a week trying to decide whether or not this matters.  Even with such small numbers, a 781% year-on-year increase must indicate something – but what?

Are there really more attacks or have companies simply realized that there is no shame in being attacked?  Like temptation, being attacked is not a sin.  Does anyone believe that our critical national infrastructure (CNI) would not be attacked?  From my research it seems likely that some critical cyber assets (CCAs) are attacked 86 times per hour.  If this is a cultural shift by CNI asset owners, that’s promising.  It’s incredibly tough for the DHS to do anything about attacks that no one has told them about.

Alternatively, do companies now have better mechanisms to detect attacks?  Perhaps.  No new capabilities have been released in the past year that would obviously have increased detection eight-fold.  Then again, deploying a detection tool where there had formerly been none can make a huge impact.  This matters: undetected attacks have a higher success likelihood than detected.  Increased detection should portend decreased success.

Or perhaps there are simply more people attacking?  That is possible too:  the DHS has warned that hacktivist groups are now more likely to attack the CNI.  That would spike the number of attacks in a hurry.  On the plus side, hacktivists tend to use mass distributed tools that are more easily defended than a hostile nation-state attack.  Cyber security recently enjoyed a Schadenfreude moment when it was discovered that an unknown hacker had tricked many hacktivists into downloading a compromised version of their attack tool.  The compromised version also contained the ZeuS Trojan Horse, designed to steal the hacktivists’ banking credentials.

There may also be other causes, but still there remains the question, “How big is an attack, anyway?”  What am I measuring when I count the number of reported attacks?  The answer – an attack is about the same size as a piece of string; it can be any size at all.  This blog has previously discussed the dangers of metrics without thinking deeply about what is being measured.  If the number of attacks had only increased from 11 to 12, we could truthfully say that there had only been a 9% increase in attacks and feel really good about things.  And yet – that one additional attack might have been Stuxnet, discovered a year after it had completed its mission.

So what does this all mean?  Does it matter that reported attacks are up eight-fold?  Absolutely.  Even if we can’t be totally sure of the cause, it’s a reminder that we need action now.  Regarding the Cybersecurity Act of 2012, currently in the U.S. Senate, Representative Jim Langevin (D-RI) recently wrote, “we must not allow the perfect to be the enemy of the necessary.”

When politicians feel more urgency than industry appears to feel… what does that mean?


‘Good Enough’ Isn’t Good Enough for Smart Grids

Bob Lockhart — April 6, 2012

I’ve had it with technology.  I’m through!  Why can’t things just work?  Isn’t it easier to make something work all the time than to dream up hundreds of cases where it won’t work?

Today my HP printer refuses to talk to my laptop.  This is the same printer I’ve used for four years, and the same laptop that has been sending print to it for over a year (but only after HP saw fit to release a Windows 7 driver for a printer already on sale globally).  I have not changed anything recently on either laptop or printer.

But today, nothing.  Nada.  Zilch.  And why?  “The document cannot be printed at this time because of a problem with the printer configuration.”  Of course.  I change the printer configuration every week because it’s so much fun and so easy to do.  Especially a 345MB driver that cannot seem to be patched, only downloaded and re-installed.  I’m down with that.

This vignette captures in microcosm how traditional IT must change to successfully support smart grids.  Can you imagine discovering that you can’t have a cup of coffee tomorrow morning because your coffee maker cannot interact with the power grid?  Multiply coffee maker by kidney dialysis, and things get serious in a hurry.  But IT seems to have no such worries.

Before I’d even finished fuming at my printer, I came upon an excellent article by Christine Hertzog, of the Smart Grid Library.  After reading a recent study from MIT on the future of the Electric Grid, she comments that the study is missing several key concepts.  First and foremost:  resiliency.  I agree completely: resiliency is the keyword for smart grids.

Systems must be designed so that they find a way to keep working even when things aren’t working perfectly  – not bail at the first sign of trouble.  Utility Operations have understood this for over a century.  IT service level agreements (SLAs) just aren’t good enough for smart grids.  The power has to stay on no matter what.  Who could imagine that, 130 years after the first large scale electrification of a city, we may be voluntarily signing up for an arrangement that no longer guarantees resilience?

Last week a vendor disputed my analysis of their product with a note that read in part, “I don’t think you’ve seen our current messaging on smart grids.”  That’s the problem we face:  bullet-proof reliability has been moved out of the engineering department and into the marketing department.  But crisp market messages won’t keep the lights on and the dialysis machines running.  I’m all for strong established vendors entering the smart grid market, as anyone could tell from my Pike Pulse reports.  But please give us stronger products, not just stronger web pages.

And finally… thank your lucky stars that I am a cleantech energy researcher.  That way you don’t have to endure a rant about my obstinate swimming pool pump.


A Road Warrior’s Guide to Smart Grid Security Conferences

Bob Lockhart — March 27, 2012

This time of year I often wake up thinking, “What city is this and where am I sleeping tonight?”  Last year I attended 15 smart grid conferences – probably five more than I needed to.  The trick is to find the ones with useful and unique content, and with a wide range of attendees.  Unless I pay attention to what I’m doing, I’ll see the same speakers giving the same presentations several times in quick succession.  That’s a depressing use of time away from home.

Here are some of my strategies for selecting conferences to attend.  They may work for you as well:

  • First, obviously, understand why you attend conferences at all.  For me as a research analyst, good networking is paramount.  Your needs may be different.
  • Have one or two Old Faithful conferences – events where you trust that the host will attract useful speakers, topics, and attendees.
  • Government-sponsored events can offer interesting speakers who may only be approved to speak at their events.
  • Attend some vendor-sponsored events.  The typical attendee at a vendor conference has little use for abstract discussions.
  • Do not attend too many conferences with similar speaker lists.

Some of the conferences I’m looking forward to in the next couple of months:

  • GridSec, March 27-29 in Irving, Texas (Dallas area).  Somewhat of an ‘old home week’ for me – a good place to catch up with many industry colleagues.  I will moderate two panel sessions.  Also this is the one conference during 2012 that I can attend without boarding an airplane.
  • ABB Automation and Power World, April 23-26, Houston, where I will lead two cyber security sessions.  This will be my first time attending an ABB conference.  I plan to spend a lot of time with my mouth shut, learning.
  • Industrial Control Systems Joint Working Group (ICS JWG), May 8-9, Savannah, Georgia.  Hosted by the U.S. Department of Homeland Security (DHS) and perhaps the only cyber security conference where you’ll see the FBI speak.  Registration is free, so if you live in the U.S. it’s a chance to see your tax dollars at work.

If you attend any of these events please find me and let’s have a chat.  You can always see which conferences I or the other Pike Research analysts will be attending on our Industry Events page.  If you haven’t already checked out that page, I will warn you – there is a lot of information.  Primary research is our currency, and, like any currency, we want as much as we can get our hands on.


EU Tackles Smart Grid Cyber Security, Gradually

Bob Lockhart — March 14, 2012

The European Union has intelligently chosen to start building smart grid cyber security from the ground up, looking first for smaller local successes rather than one EU-wide attempt to boil the ocean, security-wise.  Where they can use existing documents, such as U.S. standards, they do so.  One European utility voluntarily submitted itself to a NERC CIP audit and pronounced itself pleased with the resulting baseline:  “It’s the best yardstick available,” an official told me at a recent workshop.  Again the attitude of extreme pragmatism shines through.

The conference, the European Union workshop “Cyber Security Challenges of Smart Grids,” capped off a project launched last summer by the European Network and Information Security Agency, ENISA, that aimed to take stock of risks to smart grids, understand existing national initiatives, pilot projects, and standardization initiatives, and develop a set of recommendations for the 27 member nations of the European Union.  Input has been drawn from a wide range of stakeholders, with over 50 responses received and 23 interviews performed.  A number of sources from outside the European Union (including me) were asked to respond.

Seated at the round table in Brussels’ Centre Albert Borschette were security officers from European transmission and distribution operators, security product managers from control system vendors, systems integrators, ENISA personnel, and related EU agencies working on similar initiatives.  There was a sense of urgency in the room; this was not a group of bureaucrats having a nice chat.  One member of the EU’s Energy Directorate-General said bluntly, “The days of duplicated efforts are over.  There are not the resources to do that anymore.”  Those are words I’m more accustomed to hear in private industry.

ENISA has what might seem a Sisyphean task ahead.  Not only must it coordinate the approach to smart grid cyber security across a domain of nearly 500 million people, but the agency also has to please (or placate) 27 sovereign governments.  While the EU continues to express – as it did at this meeting – admiration for U.S. government deliverables such as the NERC CIP reliability standards and the NISTIR 7628 documents, we should recall that here in the United States we only have to deal with one sovereign government.

Roadblocks remain.  The question of who is accountable for grid stability and security is thornier than you might imagine.  Is it the grid operator (and if yes, which one), the local or national government, the military, or someone else altogether?  And who gets to make that decision anyway?  The few times that dates were mentioned at all at the forum, the timeframes suggested to complete activities such as “discuss this” or “foster that” were mind-boggling.  With Stuxnet perhaps 4 years old, can a union of 27 nations create, agree, and implement a set of meaningful recommendations before the next Stuxnet?  Or before the next five Stuxnets?
