A cyber attack has already caused a multi-city power outage, according to a report delivered by Tom Donahue, a CIA analyst speaking at an energy security conference in New Orleans last week. I just hope that people thinking about this are doing a better job thinking about real security than are those in building controls or those I have talked to at energy conferences.
Most control systems engineers seem drawn to what are called egg security strategies. An egg has a nice, crisp, esthetically pleasing security system called a shell securing a soft gooey inside with no barriers whatsoever. When this security system is subjected to the planned security stress, being sat upon in the nest, it holds up perfectly. When subjected to unexpected stresses, it fails completely and badly. Even the smallest breach of the shell will introduce infection that will fester and rot the internal systems.
Many banks used to think a hardened shell was fine to protect systems. Because all in-bank systems were inside their firewall, they performed few audits. They “knew” that all systems inside the perimeter were trustworthy. Secure in this knowledge, many ATMs based on Windows NT 4 (or worse) were rolled out. No patches were ever needed.
One day some of these banks decided to issue laptops to loan officers. Perhaps they were styled as personal bankers, and expected to make sales calls on businesses in the evening. Perhaps they were supposed to take their work home. Inevitably, someone, sooner or later, went to some place they ought not have on the internet. Or perhaps their son used it for an evening of gaming. In any case, an infected PC arriving on a completely unsecured, unpatched, undefended homogeneous network created many a memorable moment for bank IT staff. No money was stolen, but a lot of ATMs were off-line.
A better approach to security is situational awareness, not just a locked door. If what you want is a locked door, it will be far cheaper to not cut a door, but leave the wall intact. Of course, this may limit functionality. Far better, like the high-end hotel, to have a doorman always on duty, who recognizes who is staying in the hotel, and even holds the door open when they arrive. The doorman has an unpredictable variety of responses to a security incident. He may knock the intruder down. He may sound an alarm. He may merely bar the door.
Perhaps you are sure that no one will sniff your BACnet or LON off a network hub to get to your building systems. Perhaps you know of no way to use the open Zigbee you use for automated meter reading to get to your controls. Perhaps all your technicians always treat their diagnostic laptop in a secure manner, and so you can rely on everyone with physical access always using a secured computer.
Building and grid operators may get away with this for a while. But when someone does get in with malice on their mind, the results will not be a minor annoyance. And they may well include a loss of light.