Thursday, September 30, 2010

Smart Grid Vendor Universe Charted

Thanks to David Leeds and his Smart Grid team at GreenTech Media (GTM) for building this novel and helpful view of the Smart Grid vendor world. In this end-to-end view, some companies are listed once; others have entries in multiple offerings categories. (Click on image above for larger view, or follow THIS LINK to get more info on the report and see a larger, hi-res version of the map.)

I note the listing of primarily boutique outfits in the security column. I've had experience with all of them and can report that all are solid. It's been my experience that the bigger outfits with significant, more scalable security capabilities in other sectors are working on tuning their offerings to the energy space and are at varying stages of maturity in this effort. In coming weeks I'll try to ferret out more info from GTM and the other analysis firms covering Smart Grid security to get a more comprehensive view for you.

(Updated) Stuxnet Update IV: Targeted OT Attacks Risk Collateral Damage

Sep 30 Update: Stuxnet takes out an Indian Satellite? See Jeff Carr's article in


Hat tip to IBM cyber defenders and watchdogs Scott Warfield, Brooks La Gree and others for pointing out these several articles. All followed Ralph Langner's revelations that he and his small cyber forensics team in Germany seem to have found the smoking gun ... the code that tells you what Stuxnet is really after.

I won't ruin the surprise; you'll get your answer when you click on any of the following links. But I'll give you a clue: it's the SCADA/ICS (OT/Operational Technology) in a system that's bigger than a breadbasket. And sometimes it glows.

In ascending order of technical sophistication, here are some links to get you educated right quick:

PC World

One of the hundred questions I have is whether the folks who built this beast intended (or realized) that it would have impacts far beyond its initial target. And whether that mattered. Or if it was intentional and the scope is larger than it might at first appear. And what's next. And and and ....

And then there's this, from another Langner dispatch just in:
The analysis that Langner has conducted shows that it is not technically difficult to inject rogue ladder logic into PLC programs. It is important to understand that this vulnerability cannot be considered a bug, either technically or legally, so it should not be expected that vendors would be able to release a “patch”. 
Nice, huh? Stay tuned.


Monday, September 27, 2010

Blazing EV and V2G Trails at the Texas State Fair 2010

You know we try to keep it calm here, but what an incredible experience I just had!!! Just returned from a week in the Lone Star State speaking in Dallas and Houston, then back to Dallas again, the second time for the Electric Vehicle (EV) Showcase just around the corner from Big Tex. Man, was it worth the flight back to Love Field, and not just for the fried butter and fried beer.

On the first day I got to meet spokes-model (and true product expert) Alicia, then take the Volt (they had three on hand) for a spin on a curvy test track. I loved the way it looked, sounded and handled. A well-informed Chevrolet rep named Brian gave me plenty of good details before, during and after the drive, and I felt that many others like me will feel comfortable welcoming this car, which on most days will consume no gasoline, into their lives.

Now here are a few details from the Executive Panel on day two to give you a broader look at what's going on behind the scenes to pave the way for this (plug-in hybrid) electric car and others like it. A panel moderated by Texas Public Utility Commission (PUC) chairman Barry Smitherman included leadership from GM, IBM, Texas transmission and distribution utility Oncor, the Electric Power Research Institute (EPRI) and construction firm Beck. Here are some highlights of what they discussed:
  • EPRI is working three main focus areas at present: 1) understanding consumer attitudes and expectations re: EV's, 2) early preparation of EV charging infrastructure, and 3) ensuring adequate utility infrastructure, particularly distribution transformers
  • Texas is one of the initial wave of seven states for Volt deliveries in late 2010, starting in Austin then fanning out from there. In 2011, expect to see Volts available for sale in all 50 states
  • Oncor sees two critical EV roll-out success factors: 1) the practice of off-peak (night-time) charging, and 2) early (and I do mean early) notice to utility co's when an individual is considering the purchase of an EV
  • IBM is all about the information layer surrounding EVs and vehicle-to-grid (V2G) infrastructure and is looking at it 3 ways: 1) knowing how much energy from renewable sources is available at any time, 2) how utilities can have access to enough of the right info to know how much they need to spend on infrastructure, and 3) market and business-related IT that helps consumers as much as possible, particularly enabling ease of use, as well as providing national standards running from the charging points to the cars to the utilities themselves
  • To help move 18 Gigawatts of clean wind energy, the moderator noted that Texas is spending $5 billion to run high voltage transmission lines hundreds of miles from windy west Texas to its cities
  • Here's one I hadn't thought of before ... it's kind of subtle. According to EPRI, range anxiety is eased by the presence of charging stations outside the home and business, whether EV drivers use them or not
  • The electricity required to go a full 40 miles in a Volt costs about $1.10
  • Finally, the best part from national security as well as environmental/climate points of view: most Americans drive 20 or fewer miles per day. The great majority drive fewer than 40 miles on work days as well as weekends. When these folks drive Volts, they are going to be using gasoline only rarely. Think about what that means when the number of Volts, Volt 2.0's and other EVs hit the roads in the millions and tens of millions
In keeping with this blog's security focus, are there going to be cyber security issues with these software-centric, wireless-enabled cars running on rapidly assembled IT and OT networks?  You bet, and we'll get to those soon. But for the time being, just wanted to note that it's a privilege to be alive at this moment, watching so many talented, creative, energetic and caring people pull out all the stops to help change our world in ways it sorely needs.

And I'll leave you with this nugget from a sign you pass upon entering the incredible Cowtown Diner in downtown Fort Worth:

     Never ask a man if he's from Texas.
     If he is, he's most likely already told you.
     If he's not, there's no use in embarrassing him

Photo: Volt dashboard power display

Tuesday, September 21, 2010

The Smart Grid for Intellectuals: Replay of Webinar for the American Intellectual Property Law Association (AIPLA)

Just did the intro piece on the Smart Grid for an audience of mainly patent attorneys interested in Smart Grid-related intellectual property (IP) issues and litigation trends.

Titled "Intellectual Grid: Intellectual Property Issues in Smart Grid Innovations," this 60-minute presentation won't be everyone's cup of tea, but for folks on either side of the Smart Grid IP technology (and maybe new business process) table, this may be quite helpful.

If you're game, click HERE to register and view.

Photo credit: "Brain Coral" by Laszlo Ilyes on

The Pulse Quickens as the Plot Thickens: FERC/NERC continue to Skirmish re: Grid Security Standards

Industry sonar and radar detect nothing but collision ahead as these orgs plow ahead on their respective vectors: FERC wants more security faster for utilities; NERC wants to hold steady with slow, incremental changes. There's some method to each approach, though they're clearly not compatible. I summarized thusly in this week's HuffPo article:

The case for going faster rests on a couple of basic facts and observations. Here are just a few:
  • Attacks on energy systems are increasing in tempo and sophistication (for those who haven't heard of it yet, the recently emerging Stuxnet virus has provided a real wake-up call for industry in terms of attackers' advanced capabilities)
  • Other industries/sectors have much more substantial security controls and governance already in place and have only benefitted from them
  • Emphasizing security early in the Smart Grid window will yield benefits including cost savings and much better efficacy
  • Oh yeah, and one more little thing: our entire economy and the well being of our nation depend on secure and reliable power infrastructure
Nevertheless, there's a strong case for going slower:
  • Cultural challenges inside utility co's will hinder attempts to make them change too much too quickly
  • Regulatory impediments need to be resolved before the whole system can be secured (for example, the fact that the Feds only have jurisdiction over generation and high-voltage transmission assets, while policy for low-voltage distribution is left to the states, and there's little/no standardization of state policy at present)
  • Security standards are still taking shape. NERC's CIP standards are still in their infancy, and NIST just released the 1.0 version of its "Smart Grid Cyber Security Strategy and Requirements"
  • Lastly, it costs money to significantly ratchet up the security posture of any complex system, not to mention the one that's been called the greatest engineering achievement of the 20th Century
People are pretty fired up by this (and IMHO: they should be). Be sure to check out the comments at the bottom of the article if you get a chance.

Photo credit: Rosmary on

Thursday, September 16, 2010

Smart Grid and V2G Weather Advisory: IBM Twitterstorm Coming

Many SGSB readers, though well versed and skilled in the ways of technology, might nevertheless say, "what the hell is a Twitterstorm?"

It's a fair question, and my simple answer is it's an online conversation and Q&A session between a bunch of folks, conducted 140 characters at a time. Maybe by haiku. This is no place for the verbose, and maybe because of that, it should be information dense and entertaining.

As the title of this post indicates, the central focus is on EVs, PHEVs and their interaction with today's grid and the emerging Smart Grid. The Smarter Planet folks at IBM are hosting it this coming Monday, September 20th, and you can see details HERE on how to join in on the fun.

Please make it if you can. No umbrella necessary.

Photo credit: LISgirl / Emily on

(BTW, for those of you unfamiliar with Twitter and Tweets, prior to this BTW note, this post consumed 651 characters not counting spaces. Twitter counts spaces. That's brevity.)

Monday, September 13, 2010

SGSB Origin Story: Why Focus on Smart Grid Security

I got a chance this week to explain how I got fixated on Smart Grid security, which ultimately led to the formation of this blog. Took a few words (some might say too few, others too many) to connect the dots from an early environmental impulse when I was still in the Air Force, to a fixation, decades later, on this sprawling, ill-defined, complicated, still emerging yet nevertheless absolutely critical concept.

Either way, HERE's the piece ... and while you're at it, see if it in any way explains what you're doing here.

Thursday, September 9, 2010

SANS Sounds Off on NIST and NISTIR 7628 1.0

Because it's a little hard to find unless you were already a subscriber to the online newsletter, here's a short piece from SANS NewsBites, Sep 07, 2010 edition re: the announcement that NISTIR 7628 1.0 is final.

For those not in the know, this SANS is not "without" in French. Wikipedia's description does the job:

The SANS Institute, founded in 1989, provides computer security training, professional certification through GIAC (Global Information Assurance Certification), and a research archive - the SANS Reading Room. It also operates the Internet Storm Center, an Internet monitoring system staffed by a global community of security practitioners. The trade name SANS (deriving from SysAdmin, Audit, Networking, and Security) belongs to the for-profit Escal Institute of Advanced Technologies.
The National Institute of Standards and Technology (NIST) has published "Guidelines for Smart Grid Cyber Security," a three-volume, 537-page report aimed at "facilitating organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery." The publication includes "high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors and other threats."

Now you get three points of view from NewsBites contributing editors Tom Liston of InGuardians, John Pescatore of Gartner, and SANS' own Alan Paller. Note that Pescatore and, in particular, Paller slam NIST pretty hard for getting the guidance out bass ackwards (burying the most helpful parts at the end of the report):
Liston: Unfortunately, "smart grid" is just the latest in a series of technologies that have been deployed with security as an afterthought. While I applaud any effort to better secure our infrastructure, it's a bit late to talk about "security strategies" at this stage of the game. The key question is whether some of the quite-sound recommendations can be retrofit into the existing deployment models. 
Pescatore: There is still an opportunity for better security to be built-in to the smart grid build out, vs. try to pretend a compliance regime like NERC/CIP will force it in later. Section 7 of the third volume has a good attack surface analysis that should be a starting point. 
Paller: John Pescatore's comment illustrates one reason that this NIST document and others like 800-53 are exacerbating the nation's cyber risk instead of helping to mitigate the risk. NIST buried the critical information (the attack surface) in the 7th chapter of the third volume (after lengthy, but non-specific descriptions of 197 separate controls in more than 350 pages).
Paller (cont): A central tenet of effective security is that offense informs defense. In other words, do the most important things first! That means guidance must start with, and be organized around, the attack surface; and guidance must be prioritized according to risk from each attack vector. Which of the 197 recommendations matters most? Which must be implemented first? How will we know that they were implemented effectively? If NIST doesn't know the answers to those basic questions, what are they doing writing guidance? For failing to prioritize the guidance, and for burying readers in information of little immediate consequence, NIST earns a grade of "D" on its new report.
Here's a LINK to the third volume if you want to check out chapter 7. Begins on page 29.

I definitely support the editors' point that once again, we're seeking to add security after most of the horses have left the barn. Goes against the popular security mantras of the day: "Secure by Design," "Build Security In," etc. Though not sure how this could have played out otherwise.

I'd be interested in hearing a candid NIST response to this criticism. They worked fast and furious for a long time bringing 7628 together and there's a lot of goodness in it. I saw some of that process first-hand as an early (albeit very infrequent) contributor. In terms of how they structured it in the end and what they chose to emphasize, there was definitely a method to their madness.

Tuesday, September 7, 2010

Clock is Winding Down on NERC CIP 002-4 Mandatory Data "Request"

FYI: Utilities had until today, 7 Sep 2010, to respond to four not-so-simple questions/directives:

1. What is the number of elements in your Existing Critical Asset List?

2. For each element in the list above, use the criteria in the enclosed Attachment 1 (not provided here) to determine how it would be categorized. Each element on the list must be counted only one time. If a particular element could be qualified as multiple criteria, please choose the one that applies most to the element. The sum of the elements included in the answers to question 2 should equal the number of elements provided in the answer in question

3. Use the criteria in Attachment 1 to estimate the Critical Assets and each Critical Assets’ impact level that your Registered Entity would report for its share of the Bulk Electric System. Please count each Critical Asset only once. If a particular Critical Asset could be qualified as multiple criteria, please choose the one that applies most to the Critical Asset. It is understood that, given the time frame, this is a rough estimate and is not necessarily the exact number that you would report given enough time to perform a detailed analysis of your system.

4. Enter all of the NERC Compliance Registry (NCR) numbers that you are reporting on an enterprise-wide basis for.

Will be very interesting to see what comes of this activity. We should begin to get a feel for the version 4-driven increase in scope and complexity for NERC CIPS preparation, auditing and reporting pretty soon.

The NERC survey page can be seen HERE.

Photo credit: laffy4k / Chris Metcalf on

Saturday, September 4, 2010

An Early Glimpse of V2G in Texas ... and a Volt Test Track

State fairs are big. Texas is big. So the Texas state fair is a monster (see This year's version has something big in the electric vehicles/V2G space, with an Electric Vehicle Showcase (EVS) on Thurs and Friday, Sep 23 & 24. Here are a few of the details from the site:

Auto Show: Witness the evolution into the next generation vehicle. Visit with companies, agencies, and municipalities involved in the development of the electric vehicle and infrastructure grid in North Texas in the adjacent exhibit area.

Exhibitors: DFW Clean Cities, North Central Texas Council of Governments, Oncor, TXU Energy, Green Mountain Energy, Chevy, Electric Vehicle North Texas, US Green Building Council North Texas Chapter, and others.

Chevy Ride and Drive Test Track: A unique opportunity to drive a Chevy Volt, activate the charging cycle, and learn how electric vehicles will not only be high performance, cost effective and convenient, but will also help air quality in North Texas.

Oncor Mobile Experience Center (MEC): The MEC will be on-site to demonstrate smart meter technology and give attendees a real-time look at managing electric usage that includes electric vehicle charging at home.

Location: Chevy Ride and Drive Test Track Pennsylvania Ave. Entrance - Gate 1

Sponsors: GM, Texas electric utility Oncor, IBM ...

You can mingle with executives from these and other companies at a VIP Reception Thursday evening. Tickets available HERE. And for more info on the EVS, click HERE.  I'll be there and hope you can make it too.

Photo credit: Wikimedia Commons

Thursday, September 2, 2010

This Just In: The NISTIR 7628 Cake is Baked !!!

The final NISTIR 7628, “Guidelines for Smart Grid Cyber Security” is now available for download from the NIST Computer Security Division website. You can grab the three layers volumes:
HERE (Volume 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements)
HERE (Volume 2, Privacy and the Smart Grid)
and HERE (Volume 3, Supportive Analyses and References)
But be forewarned: you'd better take small bites ... it's a big one!  By now, after so many rounds of incremental edits, we pretty much know what's in it. But give us a little time to digest this final version and we'll have some observational slices to share soon.

Photo credit: Kimberly Vardeman at