Thursday, March 29, 2012

GridSec Texas Wrap-Up: One More Time with Tweets

Here are a few of the tweets from myself and others from GridSec day 2 to give you a tapas-style version of what went down:
  • Erfan Ibrahim: a mosaic of entities hold liability for grid security, but customers usually know/interact with only one. #GridSec
  • At #GridSec, Darren Highfill says we're already paying for security, we're just not calling it that, invoking Russian Roulette metaphor.
  • Both keynoters said cyber security maturity models (like DOE's bldg now) & business metrics might reduce likelihood of legislation #GridSec
  • Brese & Gunther both said cyber security maturity models (like one DOE's bldg now) & business metrics might reduce likelihood of legislation
  • At #GridSec just asked DOE's Robert Brese & Erich Gunther what would utilities have to do to put Congress more at ease re cyber security ... 
  • Recommend using Gunther's #GridSec preso 4 coaching security folks on thinking/speaking in language that's understandable to business folks 
  • Enernex CEO Erich Gunther kicking off #GridSec day 2. Echoing yesterday's theme of connecting security w/ safety for better business comm 
  • At #GridSec good presentation on offensive cyber security aka Active Defense. Discussing Hactivism, Cybercrime, Cyber Espionage, Cyber War 
  • Strong messages from speakers @ #GridSec on importance to move from geek speak to business speak so those C level folks get #ICSsecurity 
  • Several presentations at #GridSec are finally linking security to safety. #ICS http://www.us-cert.gov/control_systems/icsjwg/presentations/spring2010/08%20-%20Walter%20Sikora.pdf is a preso given a couple years ago 
  • #gridsec You can stop the Stuxnet artifact, but private industry does not have the means to protect against nation-state adversaries 
What was different this time? Well:
  • Without any prompting, I heard metrics, and especially business metrics, mentioned quite a lot this time
  • There was much discussion around control system security. In fact, one guy who attended the "Beyond AMI" panel yesterday said it was exactly because it wasn't about AMI. Duh!
  • As I said in a previous post and tweets above, linking security and safety was a common theme this time around
  • Lastly, we had more utilities here this time than ever before. Seems like a no-brainer, but without their real-world, pragmatic "what works" insights, this effort wouldn't be half as worthwhile
Sad to see it come to a close, but close it always must. Reconnected with all the old folks, and met many new ones, and that was great. Didn't get to say anything like a proper goodbye to folks, so it looks like au revoir until October back on the west coast when we do this again.

Andy