Thursday, June 28, 2012

DOE's Prescription for Electric Sector Cybersecurity Uncertainties

I've had a link to this document in the blog's "Relevant Docs" section since it appeared, but with today's press release, I think it's time to shine a spotlight on DOE's latest and greatest electric sector cybersecurity resource.

The campaign for measurement has just been given a big shot in the arm. By definition, in a weird permutation of Newton's Third Law, the minute a metric or measurement is proposed it creates its own opposition. Often vocal opposition, I might add.

Nevertheless, neither Newton nor opposition should cause us to accept stasis and the uncertainties that attend the status quo. "What uncertainties?" you might well ask.

And my answer is that the majority of C-Suiters and BoDs at medium-to-large electric utilities likely do not have a decent understanding of the cyber-related reliability and safety risks confronting their IT and OT operations. Nor do they understand well how sound (or unsound) the defensive measures (people, policy, processes) their cybersecurity folks have deployed actually are.

If I were to now transition to a tirade about the crying need for business-oriented security metrics and measurement, while linking to previous tirades, few would be surprised. But in a moment of uncommon self-restraint, I won't do that.

Instead, I invite you to consume a few tapas-sized sound bites from DOE's press release earlier today announcing its new tool with the unpronounceable acronym, the ES-C2M2.

Dig in:
  • Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
  • New Tool Available to Enable Electric Utilities to Better Assess their Cybersecurity Needs and Assets 
  • Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality. 
  • More than a dozen utilities nationwide participated in pilot evaluations to help refine the model
  • The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management
  • Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.
Here's a LINK to the model. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.gov.

Note: The Energy Department is also offering facilitated self-evaluations on request.

Please keep in mind that this is a 1.0 version developed at break-neck speed. The more feedback DOE gets from its earliest users, the more we can expect from future versions. And they do seek your feedback.

I think what's been started here is good, very good in fact. Now let's seek to use it, make it great, and substantially improve the industry's understanding of itself along the way.

Image credit: DiaVoLo Group on

Sunday, June 24, 2012

Security Checklists, Compliance Cultures, and Finding a Better Way

Fixating on responding to a compliance regime is, in a sense, like agreeing not to learn. You know how when you're in the passenger seat, even if you go to the same destination a hundred times, if you weren't driving you don't remember how to get there, because you never learned in the first place? Fortunately, the GPS came along just in time to save your butt.

Before I go any further, please note this is not intended as invective against the NERC CIPs. I know why they were made and why we still have to have them. Most of us wish it were otherwise, but unless and until the majority of utilities are observed performing the activities the CIPs require (and more) on their own initiative, this is the way it's going to be.

Have to tip the figurative hat again to Ernie H, who once again can be counted on for spotting and forwarding the good stuff. THIS recent Dark Reading article lays bare the downside of a checkbox compliance mindset. In it, I like this analogy from security researcher Lamar Bailey:
[Security] standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game. If you can't pass them with two hands tied behind your back, you need to quit and find another game.
I could see how that might make some folks say Ouch! Anyway, it prompted me to do a search to see if utilities were embracing or resisting some of the downsides of this mindset. Well, it didn't take long before I happened upon this. Imagine you pay the salaries of dozens of folks, as many utilities do, engaged in activities described by one CIP compliance manual this way.

It begins, "Evidence is more than just documentation" and continues:
Demonstrating compliance usually means “corroborating” evidence. In other words, compliance programs should be designed to produce an output of several auditable records for each requirement to demonstrate performance. A documented process is the first part of demonstrating compliance. Additional examples include a log file, a change request form, a visitor log, or an incident response drill attendance sheet. For each requirement, a documented process and at least one other additional record should be available to demonstrate compliance.
There have got to be better ways to run and secure a utility, no? And of course, reading to this point is worth it if it means you get to a gem of an article I posted a link to almost exactly one year ago. Once again, HERE's Stephen Flanagan of FERC, giving a keynote on what he terms compliance cultures vs. cultures of commitment, who, even as an auditor, keeps this in mind: "Security, not violations, is the primary focus." Like that.

Tuesday, June 19, 2012

NARUC Releases a Timely Cybersecurity Guide

I didn't like the tone of my original piece on this so have made a few mods. Content is essentially the same.

Here's a LINK to the National Association of Regulatory Utility Commissioners (NARUC)'s new Cybersecurity for State Regulators.

Before I begin to comment on and critique some of the contents, I just want to say I have no ax to grind against NARUC. From my interaction with its members, including several of the folks named as authors of this document, these folks do a fantastic job, state by state by state, keeping the gigantic and sprawling US grid reliably and economically up and running.

And let's continue with a little more praise. Very few state regulators have hands-on experience with cybersecurity. Giving them a guide that both teaches them, at an intro level, and arms them with good starting-point questions, is a wonderful and necessary thing. Major kudos for that.

However, this paraphrase from an article introducing the guide gave me initial pause:
NARUC advised state commissioners to work with utilities to increase their investment in cybersecurity protections for the smart grid.
This statement makes it sound like someone knows what the right amount of spending is. And that would suggest that that same someone knows a lot about the evolving threats, as well as the requirements for the right types of correctly deployed and configured technical and human protections, and has converted them to USDs (money). These are all things the energy sector security community is working on, but quantifying down to the right level of dollars spent is beyond us still, I think.

Now here's a direct quote from the guide:
Regulators have to determine whether the amount being invested is insufficient or excessive and whether it is allocated appropriately.
I know it's their job in general, but I also think that, specific to cybersecurity, this is a burden (on the regulators themselves) too far. Determining appropriate allocation is definitely a worthy pursuit, and the matter has great import for all stakeholders, including customers. But man, without some commonly agreed frameworks or metrics to measure against, it's a tough one.

Now I'll do a quick pass at a couple of the proposed questions in the appendix. The first one is about budget:
Q26. Is cybersecurity budgeted for? What is the current budget for cybersecurity activities relative to the overall security spending?
Good stuff generally, and really core when it comes time for rate case justification. But I'd also want to know how the budget is arrived at. Like an elementary school teacher, I want you to step up to the board and show me the math. And I'm not sure the second question is all that relevant ... is there a correct or helpful answer to that one?
Q27. Are individuals specifically assigned cybersecurity responsibility? Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?
I hope that in even the smallest utilities (and some are mighty small) the answer to the first question is yes. And I know that in even the largest utilities, the answer to the second question is almost always no.

Now here are a couple of other questions I might have suggested. In addition to Q27, I would have liked to see questions that poke into other governance issues, like:
  • QAB1: Related to applications: How many applications do you have? What are the top 10 most important ones? Who owns them? Who developed them? Who patches them? How are they secured? When was the last time they were tested and how did they do? Who tested them?
  • QAB2: Related to data: Have you inventoried your data assets? Developed a classification scheme? Identified data owners? Developed data lifecycle and protection policies? Practiced responding to a data breach? Who owns Privacy?
  • QAB3: Related to money (again): Beyond pen testing, how do you evaluate the effectiveness of your cybersecurity policies and programs? Related to Q26, what methods do you use for prioritizing your cybersecurity expenditures?
OK, I'll leave off there. This is simply going too long. But I would like to end by saying that this is a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.

Tuesday, June 12, 2012

Talking Back to the CMU/Cylab Report's Energy Sector Findings

The report in question is the CyLab 2012 Report - Governance of Enterprise Security: How Boards & Senior Executives Are Managing Cyber Risks. I posted on this report recently, HERE, with links to it.

Have gotten some less-than-happy feedback from a number of readers, so in the interest of giving you access to additional points of view, here's a bulletized critique from a concerned utility industry professional:
  • Survey size is too small to produce meaningful results/findings (e.g. 108 respondents, with only 14 or so in the "utility/energy" category)
  • Not sure what types of companies fell in the “Energy and utility companies” bucket. It's unclear if many or any are electric power
  • In addition, the survey was global, with a minority of respondents (40%) based in North America and it's unclear whether there were any energy/utility co's from North America
  • The survey states opinion (vs. evidence) concerning the adequacy of corporate board and senior executive review of risk
  • The survey makes erroneous judgments about an organization’s ability to manage cyber security and privacy risks regarding the presence or absence of corporate officers with particular titles or the composition of corporate audit/risk committee structure
I found many of these points well founded and worthy of airing here. In order to provide valuable insights for our sector, and particularly for the US and North America, one would want hundreds if not thousands of data points. That, I'm afraid, was beyond the budget, scope and/or timeline of the team doing this research.

Shodan Again: the Search Engine You Need to Know About

First mentioned on the SGSB HERE late last year re: a water pump hacking story, Shodan has an interesting origin story and its current use is even more interesting.

You know how you use Google or Bing to find links, apps, music, movies, photos, people, etc.? Well, you use Shodan to find connected physical objects: servers, routers, printers, sensors, water pumps .... And sometimes, electric power generation assets and other control systems. In the era of the "Internet of Things" connections are going to happen, sometimes by intention and often by accident.

Most of us would agree that some things simply should not be connected to the Internet. And if they need to be, security protections are a must. But Shodan reveals not just what's connected, but that those connected systems are often completely lacking standard cybersecurity protections.

Described by Robert O'Harrow, Jr., here's how it works:
The Shodan software runs 24 hours a day. It automatically reaches out to the world wide Web and identifies digital locators, known as internet protocol addresses, for computers and other devices. The program then attempts to connect to the machines. If a connection is made, Shodan "fingerprints" the machine, recording its software, geographic location and other data contained in the identification "banner" displayed by devices on the internet .... Shodan compiles the information in [its] servers - about 10 million devices every month - and makes it almost as easy to query online as a Google search.
There's a tremendous account of Shodan and its impact on the critical infrastructure protection community published in the Washington Post HERE ... it's a good read indeed.
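To make the connect-and-fingerprint loop in that description concrete from the defender's side, here is an added example (my code, not Shodan's and not from the Post article). It stands up throwaway services on localhost that greet with constructed banners, connects the way an indexer would, records whatever the service volunteers, and extracts protocol, product and version from it. Everything is local and offline; the product names, versions and greeting strings are constructed for the example, and the parsing rules are simplified assumptions, not Shodan's actual fingerprint logic. The point for an asset owner is the last function: it lists which of your own services announce a version string, which is exactly what an indexer will record and make searchable.

```python
import re
import socket
import threading

# Constructed greeting strings modelled on what SSH, FTP and HTTP services
# send on connect. Names and versions are made up for this example.
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_5.3\r\n",
    "ftp": b"220 plc-gateway FTP server (Version 6.4) ready.\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: Example-WebPLC/2.1\r\nContent-Length: 0\r\n\r\n",
    "silent": b"",  # a service that says nothing until spoken to
}


def serve_banner(banner: bytes) -> int:
    """Start a throwaway local service (constructed for this example) that
    waits briefly for a client probe, answers with `banner`, and hangs up.
    Returns the ephemeral port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)

    def run():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.recv(1024)  # consume a probe if the client sends one
                except socket.timeout:
                    pass
                conn.sendall(banner)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 2.0, probe: bytes = b"") -> bytes:
    """Connect, optionally send a probe (HTTP only answers a request), and
    record whatever the service sends first. This is the 'banner' step."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while True:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # service kept the line open without saying more
    return b"".join(chunks)


def fingerprint(banner: bytes) -> dict:
    """Classify a banner into protocol / product / version using simplified
    rules (assumed for this example): SSH identification string, FTP 220
    greeting with a 'Version x.y' token, and the HTTP Server header."""
    text = banner.decode("latin-1").strip()
    fp = {"protocol": "none" if not text else "unknown", "product": None, "version": None}
    if not text:
        return fp
    m = re.match(r"SSH-\d\.\d-([A-Za-z]+)[_-]?(\S*)", text)
    if m:
        fp.update(protocol="ssh", product=m.group(1), version=m.group(2) or None)
        return fp
    m = re.match(r"220[ -](.*)", text)
    if m:
        v = re.search(r"[Vv]ersion\s+([\d.]+)", m.group(1))
        fp.update(protocol="ftp", product=m.group(1).strip(), version=v.group(1) if v else None)
        return fp
    m = re.search(r"^Server:\s*([^/\r\n]+)/?(\S*)", text, re.MULTILINE)
    if text.startswith("HTTP/") and m:
        fp.update(protocol="http", product=m.group(1).strip(), version=m.group(2) or None)
        return fp
    fp["product"] = text.splitlines()[0][:80]  # unknown: keep the first line
    return fp


def audit_local_examples() -> dict:
    """Serve, grab and fingerprint each constructed banner on localhost."""
    findings = {}
    for name, banner in SAMPLE_BANNERS.items():
        port = serve_banner(banner)
        probe = b"HEAD / HTTP/1.0\r\n\r\n" if name == "http" else b""
        findings[name] = fingerprint(grab_banner("127.0.0.1", port, probe=probe))
    return findings


def exposed_versions(findings: dict) -> list:
    """Names of services whose banner hands out a product version, i.e. what
    an indexer would record and a defender would want to suppress or patch."""
    return sorted(name for name, fp in findings.items() if fp["version"])


if __name__ == "__main__":
    results = audit_local_examples()
    for name, fp in results.items():
        print(f"{name:7s} -> {fp}")
    print("announce a version:", exposed_versions(results))
```

Run against your own inventory of IP:port pairs in place of the local mock services, the same two functions tell you what each device will look like in an indexer's database before the indexer gets there.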

And if you've read all the way to this point in the post, then you're probably a good candidate to get value from this year's biggest and best control systems security conference. It runs 22-25 October and you can learn more about it, and register, HERE.

Tuesday, June 5, 2012

More Datapoints on the Current State of Electric Sector Cybersecurity Governance

In March we covered the preliminary CyLab report on the state of cross-sector security governance, and one of the things it taught me was that electric sector cybersecurity professionals are not alone in their quest to improve/increase the level of interaction and communication with senior executives in their companies, including the CEO and Board of Directors (BoD).

Other than financial services sector companies, whose reputation for being in the lead on security and privacy governance matters is corroborated, none of the other sectors covered (IT/Telecom, Energy/Utilities, Industrial) fares particularly well.

Well, the final Carnegie Mellon/CyLab report is out now, and it provides a lot more detail into which to sink one's teeth. You can begin with the press release HERE, or move straight into the 28-page full report HERE.

But with your limited time in mind, electric sector reader, I've cherry picked a few salient nuggets for your more rapid consumption. First, an opening statement:
Interestingly, none of the energy/utilities sector respondents indicated that they have a Chief Risk Officer (CRO) even though their risks are high. The energy/utilities sector also places a much lower value on board member IT experience than the other sectors, which is puzzling since their operations are so dependent upon complex supervisory control and data acquisition (SCADA) systems.
Interesting: connecting IT experience with a foundation for grasping control systems security fundamentals. Certainly better than having no information systems background. And I didn't know CROs were rare in large utilities. Maybe the utilities that participated in this survey are not representative of the larger population for some reason. But I would have thought CROs were commonplace, even if their attention wasn't trained on cybersecurity risks.

Now let's go straightaway to electric sector conclusions:
  • The energy/utilities and IT/telecom respondents indicated that their organizations never rely upon insurance brokers to provide outside risk expertise, while the industrials sector relies upon them 100%
  • Energy/utilities and IT/telecom sector boards are not adequately reviewing cyber insurance coverage
  • The energy/utilities sector places a much lower value on board member IT experience than financial, IT/telecom, and industrials industry sectors
And let's conclude with this recommendation, since it squares so nicely with one of the oft-repeated themes of this blog:
Review existing top-level policies to create a culture of security and respect for privacy
This CyLab report is an interesting complement to the recently released IBM CISO Survey, the results of which were discussed HERE last month. I'm always glad to add others' takes on how our sector is faring, even if the findings are less than glowing. The truth, as they say, and presuming it's present to some degree in these reports, will set you free. Hopefully free to make things better.

Image credit: Magnetbox at