Friday, April 18, 2014

New England (and Connecticut in Particular) Showing PUC Leadership on Security

NARUC has been issuing cybersecurity guidance to the 50 US public utility commissions (PUCs) since 2010, and NASEO has been guiding other state government organizations. California's PUC has been very active, showing leadership with its multiple publications on security and privacy. Until recently, the Texas PUC had a true cybersecurity pro on staff.

But now I'm going to tell you about my part of the world: New England. Last fall the organization that brings the six New England PUCs together, NECPUC, put out an RFP for security consulting for the six commissions and some of their utilities. EnergySec won the work, and I've heard only positive news about what that six-month engagement has produced. In addition, the Massachusetts AG recently released an RFP seeking third-party evaluations of the cybersecurity preparedness of the distribution companies serving the state.

Monday, March 31, 2014

Security Governance Ripples from Target Breach

You know the saying: if you want a different result, best not to keep doing the same thing. In this case, the result was the massive breach that exposed the records of some 40 million customers at mega retailer Target.

In its wake, CEO Gregg Steinhafel stated that he is "elevating the role" of the company's chief information security officer and hiring from outside the company to fill the position. According to this NY Times article from early March, bringing on a new CISO will help Target centralize the company's security responsibilities.

And while the timing is coincidental, I owe Schweitzer Engineering Laboratories' Sharla Artz thanks for pointing out that Wisconsin-based electric utility Alliant Energy Corp just made a similar move. For me, there are several promising parts to Alliant's announcement at the recent EnergyBiz conference that it had just:
Created an executive-level opening ... for overseeing cyber and physical security. The position was designed to bring cyber issues out of the weeds of the IT shop, where CEOs generally don't tread.
What I like best about this is:
  • The company didn't have to endure a huge security incident to justify this change to the org chart
  • The position is clearly not going to be buried in an IT silo, so it should have authority to set security policy across IT and OT
  • Reflecting a convergence that's happening in many energy enterprises, this new security exec will oversee both cyber and physical security
Hopefully we'll see more utilities make similar moves ... and soon.

Image credit: Michael Durham at

Wednesday, March 26, 2014

An Eerie and Early Visualization of the Internet of Things (IoT)

I've got a short story to recommend to you. It's cerebral without being overly literary. It's got action, though no cyber-physical grid attacks. There's no shooting. No lives lost. No outages. But is there ever a lot going on! In fact, I'm pretty sure it's a parody of sorts of what may be coming our way in the not-very-distant future.

Titled "Water," it was published last year by author and futurist Ramez Naam.

Here's what the ad-free, neural-implanted main character experiences walking down a street in NYC:
Civic systems chattered away. The sidewalk slabs beneath his feet fed a steady stream of counts of passers-by, estimates of weight and height and gender, plots of probabilistic walking paths, data collected for the city planners. Embedded biosensors monitored the trees lining the street, the hydration of their soils, the condition of their limbs. Health monitors watched for runny noses, sneezing, coughing, any signs of an outbreak of disease. New York City’s nervous system kept constant vigil, keeping the city healthy, looking for ways to improve it.

Wednesday, March 19, 2014

A Social Summary of SANS ICS Security Summit 2014

Since I went solo there's been less time for blogging but I hope to catch up a little with this mega post on the just-concluded, 9th annual SANS ICS Security Summit which took place in the Contemporary Hotel at Disney.

Where I can I'll include Twitter IDs, as for many of us, Twitter is how we stay abreast of what we find interesting and what we're thinking about in between real world meet-ups. (Note: I only include these when they're unique to the individual and not shared by a company or org.)

I won't cover all the talks because I didn't attend all of them, and I apologize to those presenters I don't cover here. Nor was I at "Game Night" (though I wish I was) which from what I heard later was a fantastic and grueling hack-fest that extended into the wee hours before champions finally emerged.

Wednesday, March 5, 2014

Energy Firms Not Ready for Cyber Insurance?

Or so says Kiln, a veteran cyber-insurance underwriter at Lloyd's of London, in a BBC article last week:
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out. Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.
Sadly, as the article goes on to say:
After such checks were carried out, the majority of applicants were turned away because their cyber defenses were lacking.

Tuesday, February 25, 2014

Where do Today's Electric Utility CEOs come from, and what do their Origins Mean for Grid Security?

I remember once thinking, naively perhaps, that most utility CEOs must have come up through the ranks, like generals in the military, with hands-on operational engineering experience garnering them the respect of their peers and subordinates along the way.

When I shared that concept last year with a 40-year industry veteran who'd done his time in generation and T&D, he schooled me, saying that while that used to be the case, it's not the norm today. More often, he said, you'll find someone with a finance background, often imported from sectors outside power.

Friday, February 21, 2014

Thoughts on "Risk and Responsibility in a Hyperconnected World"

Hat tip to Tim Dierking of Aclara for spotting and forwarding this January 2014 World Economic Forum / McKinsey report, "Risk and Responsibility in a Hyperconnected World." Tim pointed to a couple of excellent sections on cyber resilience and future scenarios, which you'll find within, but I'm going to call out a different selection for your immediate consumption.

The passage below is taken directly from the McKinsey summary. While it is not energy-sector specific, it is right on the money, IMHO, on the culture, leadership and organizational dynamics aspects of what's needed to do security right in 2014 and beyond. Here you go:
A CEO-level issue
Given the trillions of dollars in play, the stakes are high. And given the range of social and business issues that cyber resiliency affects—for example, intellectual property, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction—it can only be addressed effectively with active engagement from the most senior business and public leaders.