GridSec Texas Wrap-Up: One More Time with Tweets

Here's a few of the tweets from myself and others from GridSec day 2 to give you a tapas-style version of what when down:

• Erfan Ibrahim: a mosaic of entities hold liability for grid security, but customers usually know/interact with only one. #GridSec
• At #GridSec, Darren Highfill says we're already paying for security, we're just not calling it that, invoking Russian Roulette metaphor.
• Both keynoters said cyber security maturity models (like DOE's bldg now) & business metrics might reduce likelihood of legislation”#GridSec
• Brese & Gunther both said cyber security maturity models (like one DOE's bldg now) & business metrics might reduce likelihood of legislation
• At #GridSec just asked DOE's Robert Brese & Erich Gunther what would utilities have to do to put Congress more at ease re cyber security ... 
• Recommend using Gunther's #GridSec preso 4 coaching security folks on thinking/speaking in language that's understandable to business folks 
• Enernex CEO Erich Gunther kicking off #GridSec day 2. Echoing yesterday's theme of connecting security w/ safety for better business comm 
• At #GridSec good presentation on offensive cyber security aka Active Defense. Discussing Hactivism, Cybercrime, Cyber Espionage, Cyber War 
• Strong messages from speakers @ #GridSec on importance to move from geek speak to business speak so those C level folks get #ICSsecurity 
• Several presentations at #GridSec are finally linking security to safety. #ICS http://www.us-cert.gov/control_systems/icsjwg/presentations/spring2010/08%20-%20Walter%20Sikora.pdf is a preso given a couple years ago 
• #gridsec You can stop the Stuxnet artifact, but private industry does not have the means to protect against nation-state adversaries 

What was different this time? Well:

• Without any prompting, I heard metrics, and especially business metrics mentioned quite a lot this time
  There was much discussion around control system security. In fact, one guy who attended the "Beyond AMI" panel yesterday said it was exactly because it wasn't about AMI. Duh!

• As I said in a previous post and tweets above, linking security and safety was a common theme this time around
• Lastly, we had more utilities here this time than ever before. Seems like a no brainer, but without their real-world, pragmatic "what works" insights, this effort wouldn't be half as worthwhile

Sad to see it come to a close, but close it always must. Re-connected with all the old folks, and met many new ones, and that was great. Didn't get to say anything like a proper good bye to folks so it looks like au revoir until October back on the west coast when we do this again. Andy

GridSec in Near Real Time - A Tale of the Tweets

This must be some type of social media sin, but I 'm building this post almost entirely out of Tweets I did from yesterday's GridSec conference. In reverse chronological order, they were:

• Attending Chris Blask's great ICS security panel. Good to see more attention to control system security at the conference this time#GridSec
• "Beyond AMI" panel co's include Waterfall, Cisco, McAfee, GE and AlertEnterprise at #GridSec
• At #GridSec, attempting Tweeting-while-moderating. A high wire act. But Beyond AMI panel off to good start with experts from 5 companies.
• #GridSec Infra security panel seems to concur that appropriate info sharing is security goal #1 for next few years
• #GridSec talk on sad topic: utilities won't report any attack that could earn them a compliance penalty, so helpful info doesn't get to help
• In the Security Infrastructure panel, ERCOT speaker said one key focus area needs to be situational awareness. #GridSec
• From #GridSec - linking security and safety in budget talks.
• Rea#GridSec conf. First session is CXO perspectives with Vermont Electric's CEO David Hallquist bringing his usual candor, energy and insight
• Tweeting from #GridSec conference this week http://bit.ly/HhIyj1

Have to keep this short for now, so only commentary I have on the above is that unless you have comprehensive situational awareness, (one speaker's suggestion), then information sharing isn't that big a priority, as you have little to share. Utilities, and any organization for that matter, have to know what's happening with their systems in order to detect, hopefully thwart, and also report this info so others can be on their guard.

Day 2 begins soon ...

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the fiest one in San Jose in 2010. Will shoot to summarize key messages in a post when it's over, but also will blurt out the occasional tweet on the fly using the #GridSec hash tag on Twitter.

Woolsey Ominous at GigaOm re: Smart Grid Security

I'm a fan of former CIA Director and energy security "Green Hawk" James Woolsey and find myself on the same page at least nine times whenever he voices ten opinions. But at a recent energy tech conference he weighed in pretty heavily against electric utilities taking security challenges nearly seriously enough.

Two links coming at you. In this one, from the SmartPlanet blog, the primary impression seems to be that Woolsey wants to move the US as quickly as possible to more distributed forms of generation as a means of diversifying and decentralizing our sources of power.  Hard not to agree there's goodness in that idea; it's the matter of expeditiously implementing that type of change on a large scale that's a grand challenge.

But in this post, from conference host GigaOm, it sounds more like Woolsey has an ax to grind against the utilities. This is a paraphrase I'm sure, but the point gets through:

Right now they’re more concerned with adding fun new features, but it won’t be so fun if the electric grid goes down for a few days.

"Fun new features" doesn't sound like the goal of any utilities I've been in contact with. Not even close. I assume that's his attitudinal short hand for modernization activities a la the Smart Grid. But nobody I've talked to is doing anything for the fun of it: not Smart Meters, not AMI networks, not distribution automation, not demand management, not efficiency.

Woolsey's been known to call the Smart Grid "dumb" and belittle new capabilities as if they were gadgets for consumers (e.g., saying people can turn down their AC with their phones on hot days, for instance, and then China-baiting by saying somebody in Beijing or similar can also reach your AC the same way).

To me this sounds like another voice in the growing chorus for more Federal regulation along the lines of the 2012 Cybersecurity Act. NPR had decent, relatively balanced feature on the looming legislation this morning, HERE. And we discussed the pro's a little and the con's a lot of this type of action on an SGSB post a few weeks ago, HERE.

I'm sure most would agree that improving the overall security of the electric system is desirable and doable. For example, perhaps adding a few carrots to the menu that's currently comprised of sticks might foster some better results.

While I'm confident their intent is constructive, IMHO, I'm not sure government is equipped to bring about the types of change Woolsey, CSIS's James Lewis, and many others think (or hope) they'll achieve through legislation. It would be great to see more utilities start taking the lead on this topic and control their own destiny, versus having it set for them.

Webcast Alert: NESCO on PKI for AMI, Smart Grid and ICS Networks

For those unfamiliar, NESCO = National Electric Sector Cybersecurity Organization (NESCO). And NESCO is running an upcoming webinar on Public Key Infrastructure (PKI) in the context of modernized (and modernizing) grid systems and networks, including control systems.

Here are the details you need:

• When: Tuesday, March 27, 2012 at 10:00 AM - 11:00 AM ET
• Link to Register: Click HERE
• Associated NESCO PKI white paper is HERE

For more about NESCO, including how to get involved, click HERE

I'm getting a little tired of these all-capital HERE links, but let's do one more before calling it a night:

Click HERE to find out how New England fans feel about Tim Tebow joining the Jets today.

Wishful CERAWeek 2012 Energy Sector Security Thoughts

Had the great pleasure of participating in CERA's 31st annual energy conference last week in Houston. I was only there for one day, Wednesday, as I participated in a security panel that evening.

Earlier, the lunch keynote presentation was delivered by Royal Dutch Shell CEO Peter Voser, who addressed environmental and community concerns about the new natural gas recovery technique called fracking.

He suggested that the best approach was for the the industry to be as up-front and transparent as possible, and cited his own company's self-policing policy called the "Tight sands/shale oil & gas operating principles", posted on Shell's website for all to see.

Essentially, Voser asserted that Shell's safety, environmental protection, and community partnering policies around fracking were not just a sound strategy for getting "out in front" of a potential PR problem, they were simply good business.

It struck me that perhaps here was a model here for electric utility self policing re: cybersecurity and privacy. Maybe if  more companies in our sector would get out in front of cybersecurity fears and concerns with clearly broadcast policy and messaging, Congress and other oversight orgs (NERC, for example) would feel less compulsion to legislate additional layers of compliance requirements.

As my colleague Matt F pointed out, it may be too late to stop the 2012 Cybersecurity Act from becoming law. Utilities would have had to start their self-policing campaigns much earlier to stay Congress' hand. And with the recent mock attack on NYC, demonstrating, among other things, that current regulations like NERC CIP version 3 don't cover distribution networks, it looks like a fait accompli.

All full of speculation and wishful thinking here, but I definitely have a sense that this could have played out differently. And who knows, maybe the utility security self-policing idea, if it caught on and went wide, could begin to obviate and undo the need for the legislation, and lead to its eventual repeal.

Balu Ambody on Smart Grid Security Gains at IBM's 2012 Pulse Conference

I'm still back in unusually warm Boston, about to head to Houston to join a cybersecurity panel at CERAWEEK on Wednesday.

But want you to know that a smart guy I've shared the stage with before, AMI vendor Sensus' Director of Information Security Balu Ambody, will be giving a talk on Smart Grid Security at the MGM Grand tomorrow.

It's part of IBM's huge annual "Pulse" conference, and if you happen to be there, you can bee-line it to his session armed with the following info:

• Session ID: BSI-1714
• Title: "Smart Grid Security" 
• Day/Time: Tuesday 3/6/12 at 14:00-15:00 Pacific Time
• Venue: MGM Grand Conference Center, Room 306
• Abstract: An introduction to smart grid security challenges, followed by a discussion of Sensus' use of IBM's security solutions to enhance the security of their smart meters and smart meter management system

Photo credit: Kevin Hutchinson on Flickr.com

Smart Grid Security Conference Alert: GridSec 2012 Coming Soon

Here we go again, with what appears to be the best line-up yet. Noticeably, there's going to be significantly more utility representation this time.

It already started moving in this direction in the last conference or two (San Diego, Knoxville) and hopefully we'll be able to move the center of security discussion from AMI and Smart Meters to securing increasingly automated substations, control centers, SCADA and control systems, and the various juncture points between IT and OT networks.

As usual, I'll be on a panel or two, and moderating some as well. 

Here are deets for you, as well as the means to get a discount if you have yet to register:

• When: 27-29 March 2012 (the 27th is a workshop day)
• Where: the Irving Convention Center in Irving, TX
• Site URL:  http://www.gridsec.com/2012/

Discounts of various sizes are available depending on what kind of work you do. Go HERE and use this code BVAYVN

Photo credit: David Kozlowski on Flickriver.com

High Impact Cyber Security Legislation Looming for Utilities

My previous post referenced a recent preliminary report documenting how companies from all sectors are moving slowly to elevate security matters to the CEO and Board of Directors level. And hardly a day goes by where I don't suggest having more than a few empowered CSOs in our industry might start to turn the actual cyber security strategy tide as well as signal a culture change to all the grid's many stakeholders.

Like Congress for example.

Congress in 2011 seemed pretty sure that utilities and their regulators needed a few additional sticks to goad them into tightening up the overall security posture of the grid. That was the GRID Act, and when it passed the House but didn't get a Senate vote, the stage was set for a sequel.

And so here it is: the cross-sector Cybersecurity Act of 2012.

If you're a utility with too much on your plate today what with modernization initiatives, aging workforce and aging equipment issues, PUCs starting to impose new rules on how you handle and protect customer data, NERC CIP version 3 looking like it's going to morph into a much more burdensome version 4 or 5 soon, the last thing you need is another oversight agency asking you to demonstrate compliance with new regulations.

Well, that's exactly what the DHS-centered new act is. And if it passes in anything like its current form, utilities are likely to like it about as much as you'd think they would. According to Jody Westby writing in Forbes ... not much. For example:

With overtones of Sarbanes-Oxley, the bill also requires the owners of these systems to either certify annually to DHS and their sector agency whether they have implemented security measures to satisfy the performance requirements or submit a third-party assessment. Even if a company subject to the provisions of the bill can obtain an exemption by demonstrating that it is sufficiently secured or in compliance with the risk-based performance requirements, it must undergo this process every three years.

I recommend you read her whole Forbes article, take 4 Advil, and call me in the morning. Or better yet, email, if you think Westby is making a mountain out of a legislative molehill. Or vice versa.

Electric Sector Not Alone in Moving Slowly re: Security Leadership and Governance

This CMU report came to me yesterday via Ernie (he's everywhere) Hayden. At 3 pages, it's short enough to consume with one cup of coffee, and its cross-sector findings jump out with alacrity:

• "Today, cyber attacks have moved to a new level: corporate data is at a higher risk of theft or misuse than ever before, and the systemic nature of recent attacks has alarmed both industry leaders and government officials around the world. These issues now require active oversight by boards and senior executives"
• New SEC guidelines require public co's to disclose cyber risks that "materially affect products, relationships, services, relationships with customers or suppliers ...."
• CISOs and CSOs report that they "cannot get the attention of their senior management and boards and their budgets are inadequate"

The first two points I already knew, but that last one is a wake-up (for me, at least). Clearly, in other sectors, simply designating someone as a CSO or CISO isn't a cure-all for security governance. In fact, much depends on to whom the CSO/CISO reports, and clearly, whether the board sees security and privacy as strategically importance or not.

There are signs of slow progress worth checking out, as well as concluding recommendations. I'll give you one of them here:

• "Establish the “tone from the top” for privacy and security through top-level policies"

Yes, that's leadership and culture change. What Lou Gerstner says in his account of how he turned around an foundering IBM in the early nineties, was by far the hardest thing he tried to do. Also the slowest. Also something that can't be changed by a CEO.

Lou said (and I'm paraphrasing here) that he and other senior execs could help create an environment that would promote or allow for change, but that ultimately it was up to the employees themselves to make it happen. Yet it was also, in retrospect, the biggest difference maker of all his initiatives.

Stay tuned, a more detailed version of this report will be made available shortly.

Photo courtesy of bradipo on Flickr.com