Thursday, September 29, 2011

Prepping for the Risk Management Process (RMP) Panel

In San Diego, Wednesday morning of next week I'll have the good fortune to be moderating a panel comprised of some of our industry's heavy hitters, including:
  • Marianne Swanson, CSWG Chairperson, NIST
  • Craig Miller, PM, National Rural Electric Cooperative Association (NRECA)
  • Lisa Kaiser, Security Consultant, DHS
  • Matthew Light, Infrastructure Analyst, Office of Electricity Delivery and Energy Reliability, DOE
  • James Sample, Director, NERC Critical Infrastructure Protection, Pacific Gas & Electric
As you may or may not know, a new document (in draft) which ties all of these organizations (and FERC and NERC and more) together has been released for public comment. Call the "Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline" or RMP for short, it's viewable HERE and you can register to make comments HERE.

During the panel session, we'll be moving quickly through intro's and prepared Qs&As so that the audience will have ample time to ask questions of the panelists.

But here's an ultra short intro to the dock in case you won't get a chance to be there in person or to look at the draft yourself. One way I've heard it described is to say the RMP attempts to blend and extend traditional IT security with OT and thereby bridge internal utility stovepipes. That's ambitious for sure but most would agree, sorely needed.

The draft breaks out the following objectives right up front, presented here, with my color commentary in color:
  • "Effectively and efficiently implement a risk management process (RMP) across the whole organization" - So they're saying there should be policy that extends across the entire enterprise; that'll be new to most utilities.
  • "Establish the organizational tolerance for risk and communicate throughout the organization including guidance on how risk tolerance impacts ongoing decision making" - Figuring out how much risk is acceptable  and how much is too much is classic business case material. To do this you have to do some solid translation between cybersecurity geek speak and hard business requirements ... should be interesting to say the least, but definitely well worth the effort.
  • "Prioritize and allocate resources for managing cybersecurity risk" - Prioritizing with confidence becomes possible once you've got a defined and level playing field. This could be quite refreshing for execs who get this far.
  • "Create an organizational climate in which cybersecurity risk is considered within the context of the mission and business objectives of the organization" - Culture change 101, but much more difficult by far than technology change IMHO.
  • "Improve the understanding of cybersecurity risk and how these risks potentially impact the mission and business success of the organization" - Also sorely needed and well worth the effort: drawing solid line connections, where they exist, between cybersecurity and reliability. If it's not about reliability, or some of the lesser values like efficiency, or cost effectiveness, why bother?
OK, that's enough for now. Will try to take notes so I can write up the RMP panel session highlights here afterwards. Meanwhile, you can click HERE for conference website if you seek more info.

Monday, September 26, 2011

Smart Grid Security Social Metrics

For a bunch of tech geeks and policy wonks, the folks in our community sure do like to congregate and socialize. There are a spate of new conferences coming up, the most temporally proximate being next week's EnergySec Smart Grid Security Summit West in San Diego.

I'll be there speaking on security metrics, including the IBM-initiated Smart Grid Security Maturity Model (SGSMM) as well as the developing IEC 62443 2-4 standard. One way to think of these two projects is that the former seeks to look at security maturity from an organizational (i.e., utility) perspective, while the latter employs technical metrics to evaluate, and in some circumstances, certify, products, depending on their levels of security goodness.

Will also be involved in a panel comprised of the participant orgs in the Risk Management Process (RMP), including DOE, DHS, NIST, NERC, as well as NRECA and a CA utility. Among other things, we'll be talking about the draft RMP document, currently out for public comment. Click HERE for that.

But if San Diego is too soon, or too far away, or too comfortable for you, you've got three more options to socialize with Smart Grid security folks in coming months thanks to the London-based SMi Group:
Hope you can make one or several of these. They're definitely useful for working out some of our more intractable issues face to face. And they usually serve adult beverages at some point as well.

Thursday, September 22, 2011

2011 (exceedingly short) Energy Security Book List


There are two new books out in the last few months I want you to know about. Whether you have time to read them, even if I am successful in getting you worked up about them, well, that's another story. So again, it's only two books, which is probably one or two more than you'll be able to get to given your current workload. But here's why you should give them a shot.

Neither addresses cyber security too much, but I consider all of this part of the broader "energy security" domain, and as such, this info is part of the foundation one needs to understand the full context of our cyber security, privacy and compliance landscape, where it's been and where it's going.

The first one is by former Austin Energy CIO Andres Carvallo, called The Advanced Smart Grid: Edge Power Driving Sustainability. Co-authored with frequent technology writer John Cooper, this book is relatively short at ~200 well illustrated pages, and is a pleasure to read. I'm going to re-use some of the laudatory words I recently posted in an Amazon review.

Before they invite you to travel with them into the future, Carvallo and Cooper do a solid job of orienting the reader with concise summaries of where the grid came from, how it's evolved over time, and as accurately as possible, how it's doing in its current state. For the many immigrants who've recently moved to energy from other sectors (like me), this is a great grounding.

The authors then look past the current climate of activity, much of it initially fueled with government grants, to a phase where business drivers alone dictate what gets deployed next. Ultimately, they begin to unveil for us a blurry but emerging vision of "the advanced Smart Grid", that's predicated on pervasive IP networking, tons and tons of data, microgrids, EVs, virtual power plants, new business models and more.

I particularly liked this point when the authors did pause for a moment on security:
As a foundational infrastructure, the Smart Grid cannot afford to get out in front of its ability to remain secure.
That's right ... what a concise way of saying so much. For me, it was well worth the time, and depending on your background and/or day job, it might be for you too.

Book number two is from one of the (if not, THE) true giants of global energy thinking over the past decades, Daniel Yergin. Best known (to me, anyway) for his biblical telling of the history and future of the oil industry in The Prize, his new book, The Quest: Energy, Security, and the Remaking of the Modern World, expands in scope to consider all energy sources. Recently reviewed in the NYT, this excerpt seems apropos:
When it comes to assessing the world’s energy future Mr. Yergin is a Churchillian. He argues that we should consider all possible energy sources, the way Winston Churchill considered oil when he spoke to the British Parliament  in 1913. “On no one quality, on no one process, on no one country, on no one route, and on no one field must we be dependent,” Churchill said. “Safety and security in oil lie in variety and variety alone.”
... and one more thing, for which the a smarter grid is the essential precursor:
One of Mr. Yergin’s closing arguments focuses on the importance of thinking seriously about one energy source that “has the potential to have the biggest impact of all.” That source is efficiency. It’s a simple idea, he points out, but one that is oddly “the hardest to wrap one’s mind around.” More efficient buildings, cars, airplanes, computers and other products have the potential to change our world.
Sounds great, right? Well, the bad news for you travelers is that, from a weight perspective, is that it tops 800 pages, though if you get the ebook version it's as light as can be. Now reading it, or the majority of it, that's another story. If it's too much for you to consider, maybe you can wait and hope for a movie version. But I wouldn't count on it.

Happy reading!

Photo credit: Miamism on Flickr.com

Tuesday, September 20, 2011

This Week the Economist Loves and Hates the Smart Grid


I confess I typically love The Economist magazine. Its tempered and wide-ranging world news reporting and "tough love" takes on the US culture and economy form a nice middle path at a time when many media outlets have gone decidedly left or right.

But while it's unusual for me to find much fault with their news, the opinion piece in this week's issue "Reliability of the Grid: Difference Engine - Disaster Waiting to Happen", about the recent San Diego outage and the current state of the grid really rubbed me wrong.

By now you probably know the drill:
What is rarely mentioned in all the proselytising about the smart grid is that it adds a vast layer of hackable points to the network—some 440m by 2015, according to Lockheed Martin’s Energy and Cyber Services. Every smart meter in the home will be a hackable device. The same goes for all the routers at substations. As the saying goes, if you can communicate with it, you can hack it. Today, you can cut off the power to someone’s home by shinning up the nearest electricity pole and throwing a switch at the top. Once smart meters become widespread, you will be able to do that remotely, from the far side of the world.
Proselytising? Jeez. Security challenges are "rarely mentioned"? Yeah right. This blog's primary mandate is countering, in its own modest way, the overwhelming ratio of FUD based Smart Grid scare articles with ones that tell a fuller albeit less dramatic story. And thank you, large defense contractor, for adding fuel to the fire (not). The author of this Economist piece went back almost a year to find a FUD-soaked interview with a now departed Smart Grid security practice manager for the 440 million hackable points factoid. There's more I could say about this excerpt and the rest of the article but let's move on. This is supposed to be a short, readable post after all. Get in, get out.

In a piece dated one day later, September 17th, titled "Energy in Japan: Out with the Old" we get the counter argument for a Japan recovering from Fukushima :
Japan needs a smarter grid, with electricity prices that vary according to demand. Power should cost more when demand is high and less when it is low, giving people an incentive to run the washing machine in the middle of the night. It should also be simple for new producers of electricity—from clever start-ups to big industrial firms—to sell power back to the grid.
Nice, but oh so different in content and tone. So what's your ultimate recommendation, Economist? Should we freak out and do our best to scuttle all local, regional and national Smart Grid initiatives due to the looming horrors you describe in article 1? Or should we keep our heads on straight, and build out the Smart Grid for the sound economic reasons you give in article 2, while working overtime to ensure it's as safe and secure as possible? Inquiring minds want to know.

Photo credit: Steve Snodgrass on Flickr.com



Wednesday, September 14, 2011

Win Free Tix to EnergySec Smart Grid Security West conference

Last week I promised you a trivia question and here you go.  If you can respond correctly and quickly enough, you could save some significant money and attend this conference as I've got 3 free passes to give away. OK? Here you go:
Q: What animal will you typically find 11,000 million of per wooded acre?
Hint: the answer is in some ways quite relevant to our interests on this blog.

And don't despair if that doesn't work out for you. Because of the good relationship the SGSB enjoys with the organizers of this event, you can click HERE to get half off the regular registration fee, either for single days or the entire 3 day event, including workshops on day one.

Hope you can make it, one way or another!

BTW: you can reach me at andybochman at gmail dot com

Tuesday, September 13, 2011

The Normally Strong Grid's Self Inflicted Wounds


So only a few days ago you saw a post here about grid lessons from Hurricane Irene. Now we're back with another major grid event and I'm not sure what to call it other than the recent Arizona, San Diego and Mexico outage ... SanMexiZona outage perhaps?

Investigations are still being conducted, but what do we know so far? Well, a transmission maintenance issue impacted a substation in Arizona, and then:
  • Cascading failure reached into California and Mexico, knocking power out to millions
  • And caused 2 nuclear facilities to shut down
  • Navy and Marine bases turn to back-up diesel generators and kept non-essential personnel home
  • And many other types of trouble you'd expect from a black out in a large US city ensued, driving cost estimates into the hundreds of millions.
It's weird. In some ways the grid is a beast, capable of absorbing the worst insults and continuing operations largely unaffected. It virtually scoffs at earthquakes, raging fires, hurricanes, tornadoes ... and across the Pacific, even Godzilla stomping out of Tokyo Bay once in a while. Sure, some outages occur in the areas where equipment is destroyed. But the grid is usually a master of defense and containment.

But then a little thing happens during routine maintenance and a big chunk of the grid unexpectedly swoons. Amory Lovins and others on the 2008 DoD Science Board (DSB) task force on Energy identified the US grid as brittle and a threat to CONUS military readiness. Here's Lovins in 2010:
The US electrical grid ... is very capital-intensive, complex, technologically unforgiving, usually reliable, but inherently brittle. It is responsible for 98–99 percent of U.S. power failures, and occasionally blacking out large areas within seconds—because the grid requires exact synchrony across subcontinental areas … and can be interrupted by a lightning bolt, rifle bullet, malicious computer program, untrimmed branch, or errant squirrel.
Seems like some of the worst behaviors we see in the grid are avoidable. In addition to the many other benefits we often describe to regulators and general public with the Smart Grid build out, improvements to reliability have got to be high on the list, if not #1.

BTW - Try Googling "Errant Squirrel" - it's simply amazing how active (and errant) these critters have been!

Image credit: KUSI News San Diego

Thursday, September 8, 2011

The Importance of Context when discussing Smart Grid Security

Sometimes those of us who speak with the press end up finding that our intended meaning, stripped of context, can become distorted beyond recognition in articles which then spread more darkness than light. What follows is an open letter, just released, from former NERC CSO Michael Assante to you, and all the members of the community that seeks to keep the US and other global grids (as) safe (as possible) from cyber attackers.


I recently had an opportunity to learn about the importance of context. I tried to help someone understand the challenges of regulation and cyber security in the context of smart grid technology deployments and electric infrastructure, and learned once again how polarized this topic can become. Certainly many can appreciate the challenge of communicating with clarity on this topic, as it can be nuanced, highly-technical, process-laden, and mired in the details of a little-followed piece of history and U.S. federal and state law.

Let me begin by providing some of the context, or background, that explains why I work hard to help develop a better understanding of how cyber security impacts operational technology in critical infrastructures. As a boy I was fascinated with the engineering required to generate and deliver electricity. To me, the power system represented a grand achievement that demonstrated what dedicated men and women could accomplish.

My father worked for a utility and was rightfully proud of the public service his company delivered to homes, schools, manufacturing plants, and hospitals. He worked with impressive machines that excavated coal, and cutting edge control centers with analog light displays. But the thing that made the biggest impact on me was the dedication with which my father and his colleagues performed jobs, and their uniform sense of mission, as they clearly understood that what they did made people’s lives better. I was quick to appreciate the vision, investment, and effort that enabled vast natural resources like coal and hydro-power to be turned into electricity, which was then transported and delivered over vast distances to every household and business.

The success of the electricity industry in designing, building and maintaining an incredible system of systems, continues to inspire children and adults alike. It has grown to become a critical infrastructure that underpins modern society. The delivery of highly-affordable and reliable electricity has paved the way for the industrial and technological revolutions that have transformed global economies. It is ironic that over the last forty years of progress, we have also created a significant set of challenges that need to be addressed as a consequence of our continued innovation.

The rapid advancement and application of digital technology has improved electric system operations, reliability, and process efficiency. But it carries with it a heavy responsibility. We must now safeguard this increasingly ubiquitous element of the grid from those who would seek to disrupt technology and cause harm.

This dilemma of digital technology is that, like electricity, it enables great things but can cause great damage if not managed properly. There is one very important difference, though. The nature of electricity is understood sufficiently to prudently manage the risks it can present, whereas cyber threats are constantly evolving and are co-adaptive (the threat will consider the protections you have employed and find ways to circumvent or compromise them). This has led me to conclude that many of the difficulties we experience addressing cyber security come less from how the electricity industry behaves, and originate more from the complex nature of digital technology and the unique risks it engenders.

Many of you know that I have often shared my thoughts on the difficulties of managing cyber risk in the complex and vast systems that comprise power grids. There are a number of necessary constraints, such as the golden rule of “first, do no harm” (do not negatively impact system reliability and safety). Other challenges have more to do with state of industrial control system technology and the tough job of keeping up with the rapid changes in technology and the evolving capabilities of would-be cyber attackers.

NERC and the industry have pioneered the use of mandatory reliability standards as one tool to manage risks to reliability across the complex weave of entities that comprise the bulk power system in North America. I am confident that progress will continue to be made by NERC and the industry, but it takes time to learn what works well when dealing with the scale of the bulk power system and specifically, when trying to address the difficult-to-bound risk that comes from cyber threats. I, like many others, understand that we must continually evaluate the processes we use to develop and manage the CIP standards. We must consider the effectiveness of the standards requirements when compared to how digital systems are being compromised by current cyber attackers. Cognizant of the risks of unintended consequences, we need to fully understand the behaviors we are promoting by using standards that require strict compliance. Finally, we need to be mindful of the spirit and goal of the standards and the importance of providing enough flexibility so that utility security programs can adapt to best confront the threats they face.

I have had the pleasure of working alongside of some of the most gifted experts in power engineering and industrial control system security over the years. The power industry has a rich collection of experts often passionately inclined to work together as a community to solve complex problems. Their expertise is essential in determining how to best apply cyber defenses in the highly-specialized environments of power generation, transmission, and distribution. We would also, however, benefit from the experience and learnings of other industries’ cyber professionals who themselves labor to defend highly-targeted networks. I have grown to appreciate the adaptive nature of cyber threats and importance of maintaining a current understanding of how systems are compromised. NERC has engaged with the U.S. government to benefit from its understanding and should continue to look for opportunities to learn from government and cyber security experts from other industries bent on tackling this common problem.

Context matters in how we think about these problems, in how we frame our concerns, and in how we formulate new approaches so that we may attain the many benefits of new technologies while managing the risk. I am confident that we will begin to engineer away the worst consequences, continually find more effective practices and develop the necessary skills to better address sophisticated and ever changing cyber threats. This is a difficult task that will continue to require our best efforts, to include regulation. It is a task that demands a prudent approach as the effectiveness of our investments needs to be measurable and demonstrable. We must continue to innovate if we're to fully enjoy the many benefits of affordable and reliable electricity.

Michael can be reached at michael.assante@nbise.org

Wednesday, September 7, 2011

Conference Alert: EnerSec Smart Grid Security Summit West 2011


This conference series, the first ever dedicated to Smart Grid Security and Privacy, had a great start last year in San Jose and now returns to California with a head of steam after robust attendance and some very strong content earlier this year in Knoxville.

The lineup keeps getting stronger and this session promises a compelling mix of workshops on day 1, followed by days 2 and 3 with regulator and industry updates, round table discussions and lots of back and forth with what has been in the past a very energized audience.

You can expect a bunch of utilities will be present, and not just the big 3 from California, plus state regulators from CA and TX, fed folks from DOE, NERC, FERC and NIST.  Also, owing to proximity to one of the largest USN bases in the world, we'll likely see some energy-minded sailors present too.

Here's the basic facts for you:
  • Dates: 3-5 Oct 2011
  • Location: San Diego
  • Venue: Town and Country Hotel - click HERE to reserve a room
  • For more info and to register for the conference, click HERE
Next week I plan on throwing a few trivia questions at you. Correct answers may earn you a significantly reduced rate for the conference, or at the very least, hearty congratulations.

Photo credit: http2007 on Flickr.com

Tuesday, September 6, 2011

A Couple of Closing Thoughts on Hurricane Irene

Damaged power lines burned in Nag's Head as Hurricane Irene hit the northern Outer Banks of North Carolina.
Hurricane Irene fully cleared my city (Boston) last week, we've had nice weather since, and everyone (or almost everyone) in Massachusetts has their power back at the time of this writing. Folks in some other states aren't quite so lucky.

But before we file away the memory and move on to the next storm or cyber incident, check out this Irene-related online exchange between a residential customer and a utility executive doing his best to keep his customers as informed as possible:
Q: Why am I getting calls to see if my power has been restored when in fact it has not been? I have a 4 year old and 1 year old and you can imagine what it is like being without power. 
A: One of the reasons we perform call backs is because crews have made repairs in the neighborhood and surrounding areas, and we want to ensure that each house has been restored. Without requesting a call back when you report an outage, we wouldn't know the service to your house is still out. Please make sure to report all outages to 1-877-xxx-yyyy.
Sounds like a region ripe and ready for its residential Smart Meter deployments, doesn't it? I'd say it's well worth the extra time and effort cyber professionals need to develop a secure Smart Grid to relegate conversations like this to history.

And the image of the totally chewed up poles (from Nag's Head, North Carolina) really caught my eye. Aren't the poles supposed to be holding up the lines ... and not the other way around? As immigrants to the electric sector quickly learn: cyber risks are one thing; Mother Nature is something else entirely.

Photo credit: Nicholas Kamm of AFP

Friday, September 2, 2011

Newsflash! A Reasonably Balanced Article on Grid Security

First of all, kudos to Discovery News writer Eric Niller for penning a relatively fair and balanced piece this week on Smart Grid Security, with a decent, non-alarmist headline to boot. He quotes me a fair amount, but enough about me, it's two of the other quotes I'd like to address.

First, here's one I don't like, attributed to a large and otherwise highly reputable security firm:
One of the more startling results of our research is the discovery of the constant probing and assault faced by these crucial utility networks. Some electric companies report thousands of probes every month ..."
As you know I'm not a big fan of using words like startling in this context, especially in describing phenomena that are not at all surprising, let along startling. Of course utilities' networks are being probed. And it's a good sign they've got the systems and processes in place to be aware of it. 

Go ahead and plug a new PC in and turn on its wifi radio. Within minutes, if not seconds, even with good security controls enabled, that machine is going to come under some serious scrutiny. It's a fact of life these days. Bothersome? Yes. Annoying? Definitely. Startling? Not in the least. Get real, above-mentioned report writer for large and otherwise highly reputable security firm.

This one I like better. It's a straightforward statement from a straightforward person:
What we are doing is laying a new digital infrastructure over the very reliable and sturdy bulk power system. This digital infrastructure provides a lot of new attack vectors into the electrical system that didn't previously exist.
That's NERC CSO Mark Weatherford speaking, and as you can see, he balances the comment about new attack vectors by reminding the journalist (and thereby, the readers of this piece), that underpinning all the new Smart Grid stuff  is a very robust legacy system. A system that's delivered increasing volumes of reliable power to hundreds of millions of customers for a long, long time.

Overall, pretty good work, especially when so much of the popular press delivers, on a daily basis, heaping helpings of unmitigated FUD. You can read the whole piece HERE.