This week I attended SMi’s two-day conference on European Smart Grid Cyber and SCADA Security in London. The conference was quite successful and covered a number of really interesting topics. There were some brilliant speakers who were definitely worth hearing; Patrick Miller from EnergySec, Steve Brunasso from California Water and Power, Justin Clarke from Cylance and Jacob Ingerslev from CNA Insurance offered a lot of interesting information about the market for cybersecurity services in utilities.
Quite a few vendors that were present at the Oil and Gas Cybersecurity conference last October were here again – Waterfall, Fox IT, Cassidian, Spirent. A few more made an appearance this week – Siemens, AlertEnterprise, Cyber-Ark, Verizon, Symantec, Advantech, Norman, DNV Kema and Owl Computing Technologies. Siemens got a bit of a bashing at the last Oil & Gas, mainly due to their dominance in industrial control systems (ICS) and the number of exposed vulnerabilities (not to mention the one Stuxnet was built on). They countered for the SCADA Security conference and had a vendor stand this time around. Their presence sent a positive message about the company – they heard the grumbles and answered accordingly. They have undoubtedly put in massive effort not just to patch exploits, but to find new ones. In my opinion this hints at a possible (niche) market in more than just pen testing but actually active exploit hunting in ICS. The problem is there are no national authorities that actually do this – and this point was acutely raised by Mr Clarke. Those that do find exploits are often limited by law as to what they can disclose, even to the concerned vendors. There is a definite movement in the utilities sector that is focusing on cybersecurity – but it is constricted by tight budgets, legislation and national security.
There was a lot of talk about smart meters, but during the breaks, a few utilities company reps I spoke to said they actually wanted to know more about substations and security inside the grid. This is an interesting piece of insight that will help shape an upcoming ABI Research report on Critical Infrastructure Security for the Smart Grid. All in all, the conference offered a lot of food for thought, and some scary prospects regarding the massive delay in upgrading cybersecurity within critical infrastructures such as smart grids, traffic management and water systems and the apparent push for smart technologies within those sectors. The urgent message was undoubtedly that utility companies have to make security a priority before it's too late, and too costly.