I gave the closing presentation recently at the Judgement Day 8 cybersecurity conference in Bratislava, Slovakia. It was an interesting forum, with presentations earlier in the day by folks from F-Secure, Check Point, IBM, McAfee, HP and Cisco. Of these, the presentation by Michal Remper (Cisco) was particularly interesting, a discussion of the “Hastily Defined Networks” that Cisco has provided in a number of crisis situations, including in the aftermath of Hurricane Katrina. At the end of his presentation, Michal summarized a few lessons from the Cisco experiences in cases such as this. Although he didn’t put it quite this way, one of the key lessons was that however hastily the emergency network has to be provided, it is vitally important to have it well thought through and well-defined before the emergency occurs. In fact, the lesson I came away with was that what’s needed is Not-so-hastily defined networks. But is that really possible? Are there disasters that we simply can’t plan for and that will always require the flexibility to create hastily-defined responses?
The session was particularly interesting to me for a couple of reasons. Above all, it was directly relevant to the thinking I’ve been doing about Smart Grid security and resilience, as we gear up for the EU Smart Grid project I’ve mentioned several times before, most recently in Speaking of Security – for Smart Grid. Because the first phase of the project focuses on risk management methodology, I’ve not only been looking back at existing risk management and risk assessment methodologies like ISO 31000 and the complementary Information Risk Analysis Methodology from ISF; I’ve also been thinking a lot about the black swan events that should be considered for Smart Grid, especially those events that we might not consider because we haven’t experienced them before. How do we assess the risk of such events? How do we manage such risks for critical international infrastructure where there are impacts and potential consequences, such as loss of life, that should be prevented, not just mitigated?
Kevin Knight has suggested that a plan for Managing disruptions in emergency situations should be applicable to all emergencies. But the Cisco experience suggests the opposite: that there are some kinds of emergencies, some kinds of risks that in their impact and consequences require fundamentally different strategies, plans and responses. When I lived in New England, we had power outages pretty much every year, when winter ice storms took down power lines or summer thunderstorms took out transformers. Those were certainly emergency situations, with important consequences in terms of life and death situations. But a cyberattack that takes out regional power capabilities is radically different across a number of dimensions: the predictability of how such an event will occur and how remediable it will be; the potential scale of impact, not only in terms of affected households but also in terms of the systems affected; the potential difficulty of remediation, depending again on the kind of attack and the impact across generation, distribution, control networks, monitoring capabilities and so on.
The presentation by Michal Remper suggested two insights that I hope to carry into our work on the Smart Grid project. First, we need to establish a risk identification and assessment methodology that enables us to reduce as much as possible the uncertainty of “unknown unknowns”, drawing on a longer historical point of view, on analogy from other industries and processes, on both statistics and imagination, both analytics and narrative to create as complete as possible an understanding of all risks. Second, we must accept that there will nevertheless be unavoidable uncertainties and devise methods, processes, tools and organizational structures for the hastily-defined responses that we will inevitably need. Perhaps this knowledge and technology already exist and just need to be identified and adapted for Smart Grid. But Michal’s presentation suggests to me that there is still substantial work to do on risk identification, assessment and management before we can construct the anti-fragile Smart Grid.