In no particular order, here are a few notes I took organized by speaker:
Jeff Gooding - Southern California Edison
- Very interested in standards
- Vendor certification would be desirable, though preferably nothing as heavy as the Common Criteria
- Finds it takes approx 2 years for an IT security generalist to get up to speed and be competent in the operational technology (OT) arena
Ward Pyles - Southern Company
- (Partly tongue in cheek, partly not) said Southern Co. doesn't talk security anymore. Rather, it's all about reliability ... doing what's required to keep systems operational and available.
- To do this, he/they use a different, more business oriented vocabulary
- Also, working with vendors towards certification
- Security is much more a people than a technology issue
- Would like to see more standards baked into products at time of manufacture
- Like Ward, increasingly uses reliability versus pure security in conversations across the business lines
- Spends significant amount of time pushing vendors to deliver secure solutions
- Wishes he could spend less time on vendors (above) and more time working with his people
Christopher Peters - Entergy
- Security pros must be good communicators and tailor language to fit their audiences
- Bridging silos is one of his main jobs
- Having a CXO as a boss is very helpful in accomplishing the above
Stephen Mikovits - San Diego Gas & Electric
- Very thankful for CPUC's order that CA IOUs generate 10-year forward-looking Smart Grid deployment plans, including a major emphasis on security
- This really helped SDG&E as well as the other utilities by giving them a platform to communicate security requirements and recommended actions
BTW - I was working pretty fast. If you spot any typos or inaccuracies here, please let me know and I'll update the post asap.