This week, a couple of interesting items have come from Verizon (News - Alert) that are of note for the smart grid space. I have written about Verizon previously here, and being early days for smart grid, it’s still difficult to tell whether telcos are friend or foe for utilities.

 

First is the news item this week from Verizon Business (News - Alert) announcing a new set of IT security consulting services targeted at the energy market. Verizon has long operated an IT security practice, but this particular focus is timely and calls attention to the need for utilities to address security in the context of IP-based networks. Existing networks operated by utilities are not subject to the risks of IP networks, but they do have their share of inefficiencies. Verizon Business recognizes that utilities have limited experience with IP networks and is addressing the opportunity with this new practice.

 

There is also an important trigger event driving this, so this is not just another vertical that Verizon Business is trying to serve. Utilities are facing a compliance requirement from NERC – North American Electrical Reliability Corporation (which in turn is mandated by FERC – Federal Energy Regulatory Commission) – that must be met by July 1, 2010. The requirement is called CIP – Critical Infrastructure Protection – and is basically an audit program to demonstrate that utilities can accurately log the performance of their networks. From Verizon’s perspective this entails a host of security related issues, and meeting these compliance requirements will be a key focus for smart grid programs over the next six months or so.

 

Verizon enters the picture here not just because they serve large corporate customers – like utilities – but because of their extensive reach into our homes. Verizon Business certainly knows a lot about managing security for large scale enterprise networks, and that’s very relevant for the infrastructure side of the smart grid. The home environment, though, is equally important for smart grid, as utilities will for the first time have a two-way communication channel with residential subscribers. This is an entirely new scenario, and along with it comes a distinct set of security challenges around IP networks that utilities have no experience with.

 

In that context, the case for Verizon launching these new IT security consulting services becomes clearer. However, there’s more to the story, and that brings me to the second news item from this week. Earlier I mentioned that Verizon Business has been focused on security for a long time, and they issued a report the other day giving credence to this. ICSA Labs is an arms-length division of Verizon Business, and they have been doing third party testing and certification of security related products for 20 years. ICSA Labs has summarized their learning in this report, and while it is not specific to smart grid, they have an extensive track record performing the type of certification work that will come into play for meeting the CIP requirements.

 

The report is titled “Does Product Certification Matter?” and basically makes the case that security products rarely become certified on the first go-round of testing. Usually two or three rounds of testing is required, and vendors underestimate the time and cost required to get it right. As security – cybersecurity in particular – becomes a growing concern in the Internet world, testing and certification is as important as ever, especially since the number of threats is now so vast, and speed with which these threats can cause disruption or far worse damage.

 

For me, the main takeaway is that security is complex, and independent bodies like ICSA have a critical role to play in getting security products and solutions properly certified. The report provides several case study examples and detailed summaries of the most common types of security shortfalls or oversights. As such, it’s a good roadmap for what vendors need to do in advance to get their products certified on the first try. Time to market is vital in the Internet world, and there are important lessons learned here for vendors looking to address smart grid security issues.

 

Conversely, the report is relevant for utilities, as they will be the ones investing in smart grid security. The message for them is that the certification process brings a lot of value by helping them make better decisions about the vendors they do business with. Two vendors may offer similar, certified security solutions, but not all certification processes are created equal. The more they understand what goes into certification and how the solutions were actually tested, the easier it’s going to be for them to meet the CIP requirements.

 

Verizon Business and ICSA have made the report a public document. For those of you who want to track Verizon Business’s security focus on a more regular basis, you should also follow their Security Blog.