Posts tagged: 'nerc cip'


My God, What Have [They] Done?

The Wall Street Journal published an article this week titled “Grid Is Vulnerable to Cyber-Attacks.” It focused on a recently published report by the US DOE that very candidly admits to specific and significant vulnerabilities in our nation’s power grid. The report is based upon data collected between 2003 and 2009 from 24 separate assessments of computer control systems. The gaps highlighted in this piece are similar to those presented in numerous news reports over the last year, including a sobering 60 Minutes episode titled “Sabotaging The System.”

Public acknowledgement of these gaps by the DOE may surprise many, and media depictions of the potential ramifications of these gaps may cause many to break into panicked recitals of slightly modified Talking Heads lyrics: “My God, what have ‘they’ done?” But this acknowledgement should by no means be considered an indication that information security professionals at the DOE and our nation’s utilities are asleep at the switch. In fact, I suggest just the opposite is the case.

Over the last 18 months I’ve spoken to and met with a number of IT Security professionals from utilities across the country and most of them are on top of it.  At the core of their current security posture is the realization that our infrastructure will NEVER be truly secure.  That’s just the reality of it.  The move to “smart grid” technology by many utilities offers tremendous advantages in the areas of overall energy efficiency, cost reductions and increased reliability, but it also opens a whole new spectrum of threats to the infrastructure.  Realizing that there will always be persistent threats both outside and inside the network, utilities are focusing more and more on comprehensive and continual monitoring.  They recognize that every activity that occurs on their network is like the stroke of a brush on a large canvas.  When seen together, those strokes of paint yield an intricate, detailed and complete picture.   When considered separately or in chunks, they’re meaningless globs of paint.

Similarly, capturing log data from isolated bits and pieces of a network simply yields a big pile of meaningless logs.  You never get to see the full picture.  Utilities at the forefront of securing the grid are those that are deploying comprehensive log and event management systems that collect, analyze, report and alert on log data from virtually every log source in the enterprise; from network and security devices to servers, applications and even endpoints.  They’re persistently seeing the full picture, which means that when the picture starts to change, they’ll see it.  They may not be able to label the change or anomaly immediately, but they know enough to isolate it and investigate further.  And because they have all of the logs and the context in which they were created, they have unparalleled precision, insight and efficiency in their forensic investigations.

With NERC CIP mandates and pressures shaking security dollars from utility budget trees, more and more utilities are stepping up to the challenge and refusing to accept (to quote the Talking Heads again) “Same as it ever was.”
