One of our first areas of activity in SPARKS is to understand and make recommendations regarding effective risk management for the Smart Grid. A great deal of work has been done by government, industry and academia in defining best practices in this area. But are the results sufficient? Do they really address the issues that confront critical infrastructure organisations that are trying to understand and manage their risks, to find and address those weak links in their security strategy?
To some extent, having any risk management strategy is better than having none. But as Aberdeen analyst (and former RSA colleague) Derek Brink has pointed out in his discussion of qualitative and quantitative risk management approaches, your risk management strategy can be a problem if it creates a false sense of confidence. For example, a focus on a vulnerability-based approach can blind you to risks that stem not from technological vulnerabilities, but from social engineering or insider attacks by privileged users. A focus on an asset-based approach can be dangerous for critical infrastructure, where an attack may result not just in destruction or loss of an asset, but in significant social disruption or even loss of life. And though a loss-based approach has the benefit of leveraging organisational experience in managing operational risk, the rapid transformations in technology, process and organisational inter-relationships that are occurring in the Smart Grid make it difficult to keep up with the range of possible loss scenarios.
Our goal in SPARKS is not to create a new risk management methodology. But it is important for us to understand what approaches are available, to help develop them further if we can and to provide guidance to help the Smart Grid community make the best risk decisions that they can. We look forward to sharing the insights – and perhaps arguments – of our diverse project team over the next several months, both here in our blogs and in the deliverables for the project.