Cyber security will come to dominate all aspects of information communications technology at utilities in 2011 and 2012. I would love your ideas on what more UTC could do to help you with this.

The National Institute of Standards and Technology (NIST) has just released a final draft of its Smart Grid Cyber Security Strategy and Requirements. This will now drive future cyber security work at the North American Electric Reliability Corporation (NERC) on their Critical Infrastructure Protection (CIP) requirements in 2011. The NIST recommendations and political pressure from Congress will combine to force stronger cyber security protections in both the bulk power grid and the distribution grid.

Some large utilities with the wherewithal are already anticipating far greater cyber security requirements in their distribution grids. Many others are asking UTC what to expect next. The politics - including how federal cyber regulations will be pushed into what is traditionally the states' regulatory purview - will be resolved, and the new requirements will come.

If you look at the bulk power system as a well-protected medieval castle, the new distribution-focused cyber security requirements will be aimed at protecting assets critical to the core with a new set of outer walls/layers of protection that both encompass key assets and add to the protection of the overall grid/castle. Questions we all must answer will certainly focus on which critical assets need to be protected. What must be inside the outer wall, and what can we afford to leave outside?

Cyber security requires a different approach to protection than traditionally used in running an energy utility. In our core utility businesses, we look to what has gone wrong in the past and plan to prevent that from happening again. With cyber security, we must flip that thinking around to anticipate what new threats may come and then plan to block those threats.

To succeed, we must be forward looking, but at the same time, we must draw on utilities' deep-seeded culture of preparedness, recovery, and restoration. Just as we know that it is impossible to prevent a power outage, so too must we recognize that we will never totally prevent a cyber security breach. But we can plan to quickly isolate any cyber threat, recover quickly, and restore affected telecom and IT systems. In other words, if we catch a cyber-cold, we must make absolutely certain we don't get cyber-pneumonia.

As we look at the next couple of years, we are certain that you will be devoting more time and more money on cyber security, probably more than you are currently planning for. As we plan to do much more to support you with cyber security, your ideas and suggestions would be very helpful to our efforts. Don't be silent. Cyber security is too important for any of us to try and go it alone.

Let us hear from you.

(Adapted from upcoming column in UTC JOURNAL.)