Wednesday, November 23, 2011

Security Scare Tempest in a Water Pump

There's an adage that goes something like this: think before engaging mouth. Though sadly I'm not always successful, I try to adhere to a modified version of the same principle: wait a while before posting on breaking (and especially alarming) news.

This approach paid off again, as the facts are now officially available. Here's what you need to know about the recent, widely-reported water utility control system attacks ... from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT):
After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.
and furthermore ...
There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.  In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. 
So what can we/you do?
At this time, there are no specific recommendations other than to ensure you are following security best practices. ICS-CERT recommends reviewing Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
So it's time once again to get back off the ledge and go back to work. Thanks to various Big Blue and other industry colleagues who helped keep me up to date on this. For the full ICS-CERT note, click HERE.

Photo credit: Tim Parkinson at

Monday, November 21, 2011

European Smart Grid Cyber Security through American Eyes

You know, there are ways in which the EU Smart Grid Security & Privacy standards process mimics the structural problems that have so far stymied solutions to the EU budget crisis:
The initiatives are not harmonized. For example, the Netherlands’ approach to smart meter data privacy would be illegal in Germany because it forces a choice between personal data privacy and energy efficiency. Yes, the much loved opt-in has been outlawed in Germany.
See that? This is from Pike Research security analyst Bob Lockhart, who had the pleasure of attending the  recent European Smart Grid Cyber Security in Amsterdam. Bob's been keeping a close eye on security standards forming and evolving in North America, and we've both talked and wondered out loud about how things were going in Europe.

Well, it seems like they're not going as well as they could be. Here's Bob again:
There is an entire document in the NISTIR 7628 series – Volume 2 – devoted to Data Privacy, an issue of great concern to European nations and their citizens. Someone suggested why not start with NIST’s cyber security guidelines, overlay European Data Privacy guidelines, and call it done? I am still trying to work out why that is not the answer. Instead there are ... five other efforts, all of which freely admit that they love the NISTIR documents, creating ... or recreating a new set of smart grid cyber security [and privacy] guidelines.
Bob goes on to talk about the need for urgency and haste, but you can just tell nothing's going to happen fast on that side of the Atlantic. And we thought things were slow on this side!

C'est la vie.

You can read his full post HERE.

Friday, November 18, 2011

He's Baaaaaaack: Jack Danahy on a Courtroom Drama that could Radically Upend the Cyber Security Apple Cart

Just Judy's not working this one, but my colleague, and once and future energy and security blogger Jack Danahy is on the case.

Now new, improved, and more succinct than ever, he writes:
In reading the case of Gaffney et al vs. Tricare Management Activity et al, the question arises: "Is there a price to be paid for the loss of personal, private information of individuals, when it appears that due care may not have been taken for its protection?" With 4.9 million individuals affected, and sought damages of $1,000 per injured party, the potential $5B outcome of this case could very quickly reshape the landscape of investment in security measures.
There's lots of good food for thought in this one. You can read it all, HERE.

New Smart Grid Security Book coming from Sorebo and Echols

This is the first new book on the topic in over a year, and as you know, a lot has transpired over the last 365. Awareness of Stuxnet, Night Dragon and other control system-targeting Advanced Persistent Threats (APTs), for example.

I didn't have too much exposure to the previous one, but at first glance can tell you that Gib and Mike bring a heaping helping of hands-on industry experience to the table. Prove it, you say? Alright then:

Gib built and has been running SAIC's grid security team for quite a while. He also has been a leader on multiple security standards working groups. And Mike was Security Compliance Manager at the Salt River Project, a big power and water utility in Arizona and a security officer at the Western Area Power Administration.

The title is: Smart Grid Security, an End-to-End View of Security in the New Electrical Grid, and it's coming out on Dec 12 (just in time for Christmas!). You can read more about it and get an order started on Amazon HERE.

I should be getting a copy soon myself, and will do a short review on the SGSB as soon as I am able.

Friday, November 11, 2011

GridEx 2011: NERC CyberSecurity Exercise is Upon Us

Practice makes perfect ... or at least makes you better.

I mentioned this back in July HERE, now thanks to Dave Dalva of BAH, I can tell you a big exercise is coming up this week, starting tomorrow:
The grid security exercise, scheduled for November 15-17, will test NERC’s and the electricity industry’s crisis response plans, and validate current readiness in response to a cyber incident. The exercise also will serve as an opportunity to enhance collaboration and strengthen industry security processes and capabilities.
Follow this LINK to a bulletin on the exercise as well as a compilation of some of the best grid security presentations I've ever seen, from NERC's recent conference in New Orleans (see Presentations tab at bottom of page).

Results and findings should be available around mid December, and I'll be sure to post material that's cleared for public consumption.

Thursday, November 10, 2011

GridWise Global Forum (GGF) - Privacy Panel Perspectives

Couldn't tweet this one as I was on the panel, but yesterday (day 2) we had an excellent session expertly and amiably moderated by David Leeds of GTM called: "Smart Grid Data: Insights, Privacy or Both."

Excellent fellow panelists included:
  • Lee Tien, Electronic Frontier Foundation
  • Vesa Koivisto, Fortum Corporation (Finland-based utility)
  • Elias Quinn, Colorado PUC (former consultant)
  • Daniel Cleverdon, DC PUC

Here are a few take-aways for you:

When California's Privacy and Data Security decision came up (as we all knew it would) Dan Cleverdon said (and I'm paraphrasing here) that "every state PUC is all over it, and they'll deviate from it at their own peril."

It's great to have a precedent, isn't it?  California, as it has so many times before, has done its homework and is blazing a trail on data and privacy for the US. So far the consensus seems to be they did a good job, so as Dan said, a state will have to justify itself when it heads in a different direction, as some likely will. This is good process I think.

Lee Tien cited a long established example of trust between an organization and the public: the USPS has been carrying and delivering and not reading your mail for over one-hundred years. It's been done before and it can happen again with the utilities.

Vesa Koivisto described the way electric bills have been presented to customers in Finland, with 11 monthly estimates followed by an end-of-year adjustment (up or down). Pretty familiar, right? He contended that this wasn't a great way to establish trust and that if utilities could simply provide their customers with timely and accurate billing information, that would go a long way towards establishing a better relationship and trust. Great point.

Well, that's good news then, because thanks to AMI and Smart Meter deployments, this is the experience many customers are enjoying today, and many are getting even better visibility than that. Before you can have a trusted relationship you have to have a relationship, and accurate bills are a big step in the right direction.

Prompted by a lead-in by David and a question from the audience, we had a mini debate about how much of an individual's personal information is already exposed via social media, online transactions, smart phones, cable television, etc. and how much more could be revealed by Smart Meters and home area networks (HANs). We kept it civil and decided to research this question in more depth as a team, and maybe produce an infographic that could be useful to the industry ... and to the public.

Lastly, in my opening monologue I pledged to share a couple of information governance best practices from other sectors, and while I recalled one: frequent auditing (internal and external) of privacy policy and controls, I blanked on the second. Well, now it's come to me: the other one was about practicing for privacy-related data breaches. Make the whole organization get a visceral feel for what it would be like, and pressure test policies, procedures and technical security controls to see how they hold up in the heat of a (simulated) real world event. Practice makes perfect, as the saying goes.

All-in-all it felt like an educational and entertaining 90 minutes. The panelists, myself included, seemed to think we covered some worthwhile ground (credit goes to the moderator), and from the GGF audience feedback I got, it seemed they liked it too.

Monday, November 7, 2011

Getting Smart at GridWise Global Forum this Week

This just in from the SGSB social media desk - I'll be at the Reagan building in DC starting tomorrow armed with MacBook Air, Twitter and Blogger to both speak at and cover this year's GridWise Global Forum (agenda HERE).

Will be paying particular attention to the opening keynote moderated by IBM Energy & Utilities sector GM Guido Bartels with DOE Secretary Steven Chu and Uzi Landau, who runs Israel's Ministry of National Infrastructures (Tues at 12:45 pm ET), and the following panels:
  • "Guarding the Grid: Smart Grid and Grid Vulnerability" (Tues at 4:30 pm)
  • "The Technology Horizon: Future Trends and Potential Disruptions" (Wed at 8:30 am)
  • "Smart Grid Data: Insights, Privacy, or Both" (Wed at 10:30 am)
  • "Smart Grid and the Regulatory Landscape: Evolution or Revolution" (Wed at 1:30 am)
Two of these sessions will be broadcast live (and free) by our friends at Greentech Media. Follow THIS LINK to tune in at the appointed times to "Guarding the Grid" and "Smart Grid Data."

BTW: will be using the #IBM@GridWise hashtag for denizens of the Twitterverse.

Wednesday, November 2, 2011

State Exemplar Colorado gets Well Deserved Cyber Security Leadership Attaboy

Sorry, but I was a little slow on the uptake on this one.  Not an exemplary blogger, am I, that's for sure.

But self flagellation aside, want you to know that there's at least one US State out there that's done what myself and others have been urging for large utilities. Namely, appoint and empower a CSO or CISO with enterprise-wide policy setting and enforcement authority.

For Colorado, that's Travis Schack, who's at the helm as CISO. It's important to note that Colorado didn't have to make this position, it chose to. That's right, and it was neither regulatory nor competitive pressure that drove this decision. Colorado has a CISO because it thinks its operations require, and its citizens deserve one.

Weird, huh?

Well check this out, from Travis's own blog, and you'll see that he's asking questions near and dear to our sector right now. Of government agencies he asks:
... do you have a data classification process in your organization? Do you know what systems process, store, and/or transmit each type of data within your organization? Do you know who has access to each type of data, where is the data being accessed from, when is the data being accessed, and what is being done to your data?
Ahem and Amen. Nice job, Colorado. And thanks to the Center for Digital Government for shining a light on these folks.