Monday, November 26, 2012

Thoughts on the Explosive MI6 OT Breach in Skyfall


Have you seen the new 007 movie yet, the third of the series that features Daniel Craig as Bond? It is called Skyfall, and one of its key plot drivers occurs when the evil mastermind blows up part of British spy headquarters, MI6, in London, with a handful of deft keystrokes. By the way, OT in the title of this post = Operational Technology, as differentiated from business information technology or IT.

Stuxnet this is not, but it is clearly depicted as a cyber attack on physical assets, and others who have weighed in on the plausibility/authenticity of this depiction (see HERE and HERE) cannot help but point to Stuxnet as the real world proof of concept.

To free up more time for mayhem, Javier Bardem's well played psychopath might have started with Shodan, the online search engine that helps both good guys and charismatic bad guys quickly locate internet-connected control systems.

Monday, November 19, 2012

Is the Smart Grid a Homeland Security Problem?

Last week I had the privilege of being on an IEEE/Department of Homeland Security (DHS) panel discussing the topic: Smart Grid: A Homeland Security Problem or Not? Talk about a title that begs the question.

My sharp co-panelists hailed from DHS, the Utilities Telecom Council (UTC), MIT, the University of Vermont and MITRE, and we were masterfully moderated by Emily Frye, also of MITRE.

Anyway, all I want to say here is that we got a great question from an audience member (and it was a very interactive audience!) that we were hard pressed to answer. It went basically like this:
If each utility was somehow given an infusion of $1 million (Dr. Evil's preferred amount) what would be the best, most security impacting way for them to spend it?

Friday, November 16, 2012

Great Video: Latest Utility CEO on Cybersecurity


Another CEO joins the emerging chorus of senior energy sector executives who are not just tuned in to the strategic nature of cybersecurity and privacy challenges in the Smart Grid era, but willing to speak out about it. He also hits some good notes re: supply chain issues.

Thanks to Jessie Knight, Chairman and CEO of San Diego Gas & Electric (SDG&E). And hat tip to IBM colleague Tracy A and SmartGridNews.com for sending me this.

Wednesday, November 14, 2012

The Evolving Role of State Regulation in Grid Cybersecurity


Led by Elizaveta Malashenko, the grid cybersecurity team at California's Public Utility Commission makes a good case for increased PUC involvement in cybersecurity matters, particularly those affecting distribution elements:
State regulators have not traditionally played a large role in cybersecurity. However, this is beginning to change with the recognition that Federal compliance-based models may not be sufficient to ensure grid resiliency, reliability and safety, as well as customer data privacy. With grid modernization on the way, there is an important role that State regulators need to step into, as much of this new infrastructure will be located on the distribution grid, which is currently outside of NERC authority. There is also a possibility that the Federal government could preemptively move to regulate in this area if there is no action at the State level.
You can (and should) read this grid planning and reliability policy paper here: Cybersecurity and the Evolving Role of State Regulation: How it Impacts the California Public Utilities Commission.

Tuesday, November 6, 2012

Conference Alert: Smart Grid & Control Systems Security for Europe


Sometimes I don't give enough lead time; here's a case where maybe I'm giving you too much lead time. Anyway, you know how time flies when you're having fun, so 5 short months from now, you might want to be here:

  • What: 3rd European Smart Grid and SCADA Security Forum
  • Where: The Copthorne Tara Hotel, London
  • When: 11-12 March 2013
  • Web: For more info and to register, click HERE

Thursday, November 1, 2012

Joe Weiss' 2012 ICS Security Conference Highlights

The twelfth ICS Security Conference has come and gone, and it sounds from the tone of Joe's write-up that whatever progress there's been to date in awareness and/or improved capabilities has been frustratingly slow and incremental.

After twelve years, I guess we can call that a trend. Nevertheless, the best parts often seem to involve drama related to actual events in the field. Here are Joe's notes on two of them:

Nuclear
An international utility was prepared to share information dealing with a recent cyber security assessment of their nuclear plant control-systems performed by third parties. However, because of a threat by their vendor, they did not present. This decision also affected Ralph Langner's decision not to present. This international utility's assessment and analysis program is more comprehensive than existing US Nuclear Regulatory