In their recent report on Smart Grid Cyber Security, the Government Accountability Office (GAO) made some interesting observations (thanks to Andy Bochman of Smart Grid Security Blog for pointing this out). The Smart Grid is the way of the future in electricity management. It is needed, and is, frankly, the smart way to go.
That said, many experts worry about the vulnerabilities of a system that is based on gathering data from millions of wireless transponders on the electrical meters of houses and buildings. For all the efficiencies that can be gained, there are many weaknesses introduced if not executed with wisdom and technological savvy.
GAO lists several major challenges on the highlights page of the July 2012 report. The last four challenges partially address utilities and partially the larger industry ecosystem:
- A focus by utilities on regulatory compliance instead of comprehensive security;
- A lack of security features consistently built into smart grid systems;
- The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues; and
- The electricity industry did not have metrics for evaluating cybersecurity.
There is much room for comment on all four of these, but the basic focus should be on the first one listed. There is a “default setting” on businesses and government entities that seems to drive them toward regulatory solutions. It is a harmful tendency in our modern world.
This issue is highlighted by the GAO comment. If you set a regulatory standard, everyone immediately moves to ensure full regulatory compliance. Who would not? Fail to comply and you get fined, or shut down. The problem is that in the fast-paced world of cybersecurity, by simply meeting the minimal standard of regulatory compliance, you are NOT really secure. Entities must go further and develop comprehensive security.
The recently defeated Cybersecurity Act of 2012 was based primarily on a regulatory framework. This aspect was softened in the pre-vote negotiations but not enough to assuage concerns of many. My criticism of this aspect of the bill was heavy.
I received a great deal of push back for my comments on this, one even asking me if I had suddenly started to believe cybersecurity was not important. My answer was that I most certainly did still believe in the importance of improved cybersecurity, but frankly, this regulatory medicine will, one, not solve the problem, and two, probably have exactly the effect indicted by the GAO report.
We must find ways to share information, to leverage the capabilities of the combined private and public sector enterprise, and to continue fostering innovation and creativity. If we can find the right vehicle to do all that, I believe the United States will continue to flourish.
Simply put, regulation is NOT the right vehicle.