Saturday, December 22, 2012
Smart Grid Security Seasons Greetings
Shutting down the SGSB this week for Christmas and some Winter-oriented R&R. As you look back on 2012 hope you can see some real progress. I sure can, and am looking forward to doing much more in the year ahead.
Good health and happiness to you and your family and friends, dear reader.
Monday, December 17, 2012
EEI on Electric Sector Cybersecurity, late 2012
David Batz (rhymes with yachts, not cats) is in a good position to know what he's talking about when he says:
Utilities are taking actions to mitigate and manage cybersecurity threats.
As Cybersecurity Director for the Edison Electric Institute (EEI), a DC-based industry advocacy firm that represents the interests of the vast majority of investor owned utilities in the US, Batz is emminently credible as he spends just about every waking hour working with utilities, various Federal and state regulators, and the companies that serve the sector.
At a recent conference in Arlington, VA Batz shared some observations on the state of electric sector cybersecurity preparedness that I liked. Here's one:
In today’s world, cyber attacks and cyber hacking have become monetized and different ventures are using cyber attacks as a ways to generate income .... This poses a problem for law-abiding citizenry and creates a problem for the electric sector.
Thursday, December 13, 2012
Smart Grid Security 2012 Highlights and 2013 Look Forward
By far the most important development this year was that it began with only a few specific guidance documents from NIST and NRECA) and is now ending with a comparative landslide of guidance, including some directly aimed at helping utilities assess their current security posture and plot future courses for improvement.
I documented most of these in an October post but for those who missed, forgot or avoided it, here are the new ones for North America published in 2012:
- DOE's Electricity Subsector Cybersecurity Maturity Model (Jun 2012)
- DOE’s Electricity Subsector Risk Management Process (May 2012)
- NARUC's Cybersecurity for State Regulators (Jun 2012)
- NIST’s NISTIR 7628 Assessment Guide (Aug 2012)
- California's Cybersecurity and the Evolving Role of State Regulation (Sep 2012)
Friday, December 7, 2012
So Much New SCADA Goodness ... So Few Words on Security
Hat tip to EnergySec's Patrick Miller for finding and tweeting this article so I could find it. Please note before you read this post that it's not intended to be critical of the article it cites. I think it's great and if I didn't have to think about security it would feel like pure, unadulterated progress to me.
The article, "Web-based SCADA Gathers More Fans" which appeared recently in Automation World, describes many excellent new capabilities that are arriving in the SCADA world, many of which are related to new higher bandwidth communications between substations and other remote assets, often based on web technologies. As Honeywell engineer Gerry Browne says:
A few years ago, field equipment would have only a serial port. Today, the same equipment might have its own Web server and methods that expose all its operating parameters. Remote data is now available immediately, allowing users to make better decisions.
Wednesday, December 5, 2012
So Far, it Seems WAMPAC Systems are Insecure by (Lack of) Design
Thanks to colleague Jeff K for pointer to recent NESCOR reports.
First things first: in IBM and elsewhere the phrase "secure by design" is used to describe a project or a system where security requirements are considered at the earliest stages, right along with all the functional requirements.
Now for new initiates, WAMPAC = Wide Area Monitoring, Protection and Control, and the term refers to a group of new technologies and capabilities that will put the Smart in Smart Grid much more than the more attention grabbing Smart Meter.