The Power(less) Industry

Nishant Boddupalli
Jan 29, 2018

The largest trade-show/conference in the United States for the Power Distribution Industry pretty much appeared to showcase one challenge: The Power Industry being quite powerless in the cyber domain.

It is true that the majority of the human populace lacks a basic knowledge of how (little) confidential the information they make available to the internet is. It is quite interesting how unevenly distributed knowledge is within this domain.

For instance, the development of the RSA encryption scheme back in the 70s merely put together mathematical concepts from before its time (Euclid from the 4th century B.C., Euler from much later, and so on) to build one of the greatest yet simplest technologies to make information transfer extremely secure. The extent of thought, research and mathematical genius that went into building something like that is shockingly mocked by, say, Connie from accounting, who thinks she is a genius for using a sticky note on her keyboard to store her company account’s password.

No amount of RSA encryption or cipher suites is going to be of any use if such people continue to act in such a manner. If you had a restaurant, you could invest millions of dollars into disinfecting and maintaining the most sanitary kitchen, but if your sushi chefs continue to buy shady salmon from Mr Bobby down the street, your customers are going to flush your business down their toilets, along with possible tapeworm. And this, I think, gets at where the biggest misconception lies. The complexity of today’s computers and information networks seems to have created an illusion in the minds of so many of us that the system is somehow smart enough and inherently equipped to deal with even the most advanced adversaries in the cyber domain. We fail to realize how dependent the entire infrastructure still is on informed human operation and maintenance, especially where human action is involved.

Apparently, though, the Power Utility industry, in addition to not picking up on this fact, has also neglected innovation in the non-human element of the information security infrastructure, such as encrypting the networks, creating robust infrastructure able to fend off DoS attacks, and preventing malicious operators from breaking in and taking control. For instance, until Stuxnet was identified, few nation states seemed to have been aware of the kind of damage possible via computers and networks. The spate of attacks originating from China and Russia makes it obvious that a lot remains to be done in this sector.

It is quite unimaginable that an industry that our society so heavily depends upon for its very sustenance has been left languishing under such a primitive state of protection. Every other industry and major undertaking is heavily dependent on this Power Industry (granted, some, such as banking, are probably more so than others, like agriculture). A crippling attack can cause unimaginable human suffering, anytime.

Clearly, it appears we all have a lesson to learn from where we stand on this today. Making sure that we, as humans, are aware of what the technological revolutions we are bringing about are capable of doing seems vital to our survival.
