Tuesday, December 17, 2013

Whitsitt on What's Up with the NIST CSF

Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF), but it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.

It's penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.

Monday, December 16, 2013

Security at the Edge of the Grid

We used to be very concerned about traveling too close to the edge of the world, remember?  Then some smart math and science guys figured out, surprisingly, that Earth has no edge, so we were free to move about the globe.

Now as we approach the end of the beginning of the Smart Grid era, what began as an initiative to add visibility, flexibility, and yes, smarts all over the grid is now seeing change accelerate close to the points of consumption.

Of course, amid all the excitement about innovation in distributed generation, distribution automation, energy efficiency, demand management, microgrids, storage, etc., one could forget that there's some basic housekeeping to attend to in the categories of power regulation and security.

The former, which includes maintaining the quality of electricity and keeping dangerous phenomena like harmonics in check, has been the province of utilities and ISO/RTOs and that's not going to change.  Ever increasing percentages of distributed generation are, if anything, going to make utilities' capabilities in this area even more essential to safe and reliable power delivery.

The other housekeeping item, now that it's 2013/2014 and not 1963/1964, is that all the new edge devices have several attributes in common:

  • They send, receive and store data
  • They constrain access to their data and/or services to certain other systems
  • They receive control signals, sometimes from humans (think: iPhone apps) and sometimes from other systems (think: Nest thermostats)

Of course this is an oversimplification, but astute readers will notice that the integrity of all of these activities depends entirely on capabilities from the security domain.  My job as part of Greentech Media's new Grid Edge Executive Council (see my humble logo above nestled among the titans) is to ensure less-than-sexy security attributes are baked into the functional requirements of all the new products that plan to participate in this edgy arena.

That way, when 2023/2024 arrives, we'll be powering our homes, businesses and country with power we can depend upon.

Thursday, December 5, 2013

Beroset on AMI and Smart Meter Security Considerations - Late 2013

Ed Beroset is the Director of Technology and Standards at one of the main smart meter making companies, Elster, and I've had the good fortune of meeting him on several occasions when we both had speaking duties at grid security conferences. In this case, tech director also = security strategist and spokesman.

Recently, as I've started to prepare myself for work with Greentech Media's Grid Edge council, I wanted to check up on the current state of security thinking around AMI and smart meters.

Lo and behold, here's Ed who just put it down in pixels with 3 questions to ask yourself, along the lines of what are you protecting and why, and 7 to ask your vendors.  In the latter category, I particularly like #1 and the advice that follows:
What security measures does your system employ? 
Don’t settle for vague or imprecise answers to this question. Any reputable vendor will be able to give you a clear and detailed answer. Furthermore, don’t accept the excuse that the security measures are proprietary and top secret. As any security expert can attest, in modern systems, it is not a secret algorithm, but a secret key, that ensures security.
This may be more advanced than your typical energy sector start-up is ready for or need be ready for, but it's a good example of the types of scrutiny mature product suppliers like Elster have come to expect as a matter of doing business with increasingly security-aware customers.

You can read the full article HERE.
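The "secret key, not secret algorithm" point in Ed's vendor question is worth seeing in code. The example below is added here and is not from Ed's article or Elster; it contrasts a constructed, made-up "proprietary" scrambling scheme (a fixed XOR pattern baked into the device, standing in for the kind of scheme a vendor might call top secret) with the published AES-256-GCM algorithm from Go's standard library, where only the key is secret. The meter reading, the pattern and the keys are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hiddenPattern is a constructed stand-in for a vendor's "proprietary" secret.
// Nothing but the secrecy of this pattern protects the data.
var hiddenPattern = []byte{0x5A, 0xC3, 0x0F, 0x91}

// ObscureScramble is the toy "top secret" scheme: XOR every byte with the
// fixed pattern. XOR is its own inverse, so the same call also unscrambles.
func ObscureScramble(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ hiddenPattern[i%len(hiddenPattern)]
	}
	return out
}

// RecoverPattern shows why the secrecy of an algorithm does not last: a single
// known plaintext/scrambled pair as long as the pattern reveals the pattern,
// and with it every other record the scheme protects. This is the evaluator's
// check, not an attack step: it tells you the scheme has no real key.
func RecoverPattern(plain, scrambled []byte, patternLen int) ([]byte, error) {
	if len(plain) < patternLen || len(scrambled) < patternLen {
		return nil, errors.New("need at least patternLen bytes of known plaintext")
	}
	pattern := make([]byte, patternLen)
	for i := 0; i < patternLen; i++ {
		pattern[i] = plain[i] ^ scrambled[i]
	}
	return pattern, nil
}

// SealAESGCM protects data with a fully published algorithm (AES-256-GCM).
// Security rests on the 32-byte key alone; the random nonce is prepended.
func SealAESGCM(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenAESGCM reverses SealAESGCM. A wrong key does not yield garbage, it yields
// an authentication error, so tampering and key mismatch are both detected.
func OpenAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	reading := []byte("meter 0042 kWh=1234") // constructed sample record

	// One known record is enough to expose the "secret algorithm".
	scrambled := ObscureScramble(reading)
	pattern, _ := RecoverPattern(reading, scrambled, len(hiddenPattern))
	fmt.Printf("recovered pattern %x matches hidden pattern: %v\n",
		pattern, bytes.Equal(pattern, hiddenPattern))

	// With AES-GCM the algorithm is public; only the key decides the outcome.
	key := bytes.Repeat([]byte{0x11}, 32)   // constructed demo key
	wrong := bytes.Repeat([]byte{0x22}, 32) // constructed wrong key
	sealed, _ := SealAESGCM(key, reading)
	opened, err := OpenAESGCM(key, sealed)
	fmt.Printf("right key: %q err=%v\n", opened, err)
	_, err = OpenAESGCM(wrong, sealed)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

The practical takeaway for a buyer is the second question to put to the vendor after "what measures?": where does the key come from, how is it provisioned per device, and how is it rotated. A scheme that cannot answer that usually has no key at all, only a pattern like the one above.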

Wednesday, November 27, 2013

A Means to a Measured Approach to Cybersecurity

Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.

Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.

A few of the principles we seem to share include:

Monday, November 25, 2013

ICS Electric Utility Attack Video and Aegis to the Rescue

SANS Securing the Human - ICS Attacker
The excellent security-minded people at the SANS Institute have produced an 8 minute video that walks you through a control systems attack.  The money they saved by using animation instead of Matt Damon or Morgan Freeman was put to good use as you'll see. For such an esoteric subject, this is a first rate video. For more info please visit the Securing the Human site at http://www.securingthehuman.org/

Meanwhile, to calm you down after the video gets your heart rate up, you should start learning about a new tool that's set for release at the upcoming SANS SCADA Summit. It's called Aegis and it's not an anti-ballistic missile system.  It's a testing tool to help ensure systems communicating with one of the most common SCADA and controls systems communications protocols, DNP3, are harder to attack.

You can read more about Aegis here: http://www.automatak.com/aegis/

And more about the SANS ICS Summit here: http://www.sans.org/event/north-american-ics-scada-summit-2014

Saturday, November 23, 2013

Sandia and Hayden on Cybersecurity Strategies for Microgrids

First off, thanks to friend and colleague Ernie Hayden for writing a microgrid security post following his mini-immersion in the topic last week.  You can read his write-up HERE.

In particular, I want you to see something he linked to: SNL's Microgrid Cybersecurity Reference Architecture.  That's Sandia National Labs, btw, not Saturday Night Live; talented though he is, Jimmy Fallon is not a contributor to this piece.

Thursday, November 21, 2013

SCADA Primers Now for Grades 1-8 and Even More Managers

Earlier this year, the US Air Force's Robert M. Lee brought us SCADA and Me, an intro level graphic novelette optimized for very young children and certain managers. Now comes Haley Wauson of industrial automation company Cimation with a blog post that should help SCADA and Me readers advance to the level of middle school literacy and educate an even more advanced cohort of managers.

In her succinct post "What is SCADA Anyway?" Ms. Wauson uses infographic style visuals and multi-syllabic words to take readers to a level of depth that goes well beyond Robert Lee's Goodnight Moon-esque masterpiece.

Sounds like I'm joking around, but actually works like these are just the thing for de-mystifying technology that's foreign to IT-centric folks.  SCADA and control systems are of central importance to making good things happen in our increasingly interconnected "Internet of Things" world, or as my recent alma mater IBM has dubbed it, the Smarter Planet.

Securing these things, now that's another matter. But first you have to know what they are, and where they are, in the first place!

Thursday, November 14, 2013

Grid Attack Simulation Just Completed: “It was More Severe than Anything We’ve Drilled"

So said the President and COO of AEP subsidiary Southwestern Electric Power Company, of the scenario she and her people faced during NERC's second GridEx exercise.

Sounds like NERC CEO Gerry Cauley and his team brewed up something pretty potent this time.  Heck, it even included 7 deaths and 150 casualties ... in quotes of course.

NERC will issue an "after action" report including objectives, what actually happened, lessons learned and recommendations as soon as they get some sleep.  In the meantime, this account from the NY Times' Matthew Wald is pretty darn good.  You can check it out HERE.

Photo credit: The Guardian

Tuesday, November 5, 2013

Webinar Alert: UTC Cybersecurity Metrics Training

Never thought I'd see training on one of my favorite topics, but somehow the Utilities Telecom Council (UTC) is going to do it a week from now.  To some readers' pleasure and others' chagrin, I've done a million posts on metrics, some absurdly long (see: HERE), and I, for one, will be paying very close attention.

When: 12 November 2013, 2 - 3:30 pm ET

What: "This webinar provides an overview of metrics development and implementation approaches based on national and international standards and best practices. It describes how to develop and use metrics to gauge performance and facilitate improvement and gives examples from the utilities space."

How: Click HERE for more info and to register

Thanks again to tmorkemo on Flickr.com for this image ... my 2nd time using it

Thursday, October 31, 2013

Because Exercise is Good for US, GridEx II is Coming

In case you've been wondering what kind of shape our North American grid incident response and information sharing system is in, now's your chance to find out.  You can click HERE for more details on what's coming up and register to participate if you're an asset owner or one of the other types of orgs that have an official role to play.
  • When: 13-14 November
  • Where: North America
  • Dress: Business Casual
While you're here, here are a few other items of possible interest:
  • You can read a decent GridEx II intro HERE, from the NYTimes
  • Findings and recommendations from the first GridEx begin on page 10 of the After Action Report
  • Click HERE for news on a recent disruptive control system cyber attack on a tunnel traffic system in Israel
Poster image courtesy of Crossfit.com

Monday, October 28, 2013

Wrap Up: The 13th Annual ICS Cybersecurity Conference

Another Industrial Control Systems Cybersecurity conference is behind us and, as usual, as documented by founder Joe Weiss, there were signs of a slow awakening to the importance of this topic, mixed with persistent inertia.

You can read highlights from the first two days HERE, and Joe's final day summary HERE.

It was nice to hear that my friend (and very good guy) Johan Rambi from large utility Alliander (based in The Netherlands) was playing such an active role.  And this note below reminds everyone that ICS security is not only an energy or power sector problem.  As Joe tells it:
Jeffrey Smith from American Axle gave a great presentation about how they have secured (or very significantly improved security) in their factories world-wide. What I felt was so important is their focus was on productivity and worker safety. Security was simply a threat that needed to be addressed so they could operate safely and efficiently.
This is reminiscent of others who point to the two goals one finds most highly valued in a power co, reliability and safety, and urge the security community to tie physical and cybersecurity tightly to those domains from messaging and business case perspectives.

Security practices are funded and run not merely to check compliance boxes, but to give businesses and government orgs Confidentiality, Integrity, and Availability (CIA) for their systems, networks, apps and data ... so they can continue to pursue their missions with confidence and efficiency.

Or to call out a potential ICS-specific update to the perennial security triad the conference produced: adding O for Operational Controls.  For this very important and highly specialized domain, it might make sense to reverse the prioritized order of CIA and get the O in there too: AIOC.  Ayy-Awk.

Wednesday, October 23, 2013

Webinar Alert: Energy Sector Learning to Speak a New and Secure Procurement Language

Hat tip to UTC's Nadya Bartol (Twitter @NadyaBartol) for the heads-up on this upcoming webinar to unveil a draft document as follows:

Title: Cybersecurity Procurement Language for Energy Delivery Systems
Project Description: This effort seeks to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector. Updated language for the energy sector can aid in addressing some of the evolving challenges by helping asset owners, operators, and suppliers establish a baseline of minimum cybersecurity requirements.
When: Monday, October 28, 2013 @ 3:00 - 4:00 PM EDT

Register: HERE

For more info on this effort: click HERE

POC: Eric Wagner at eric.wagner@utc.org

Saturday, October 19, 2013

Conference Alert: FIRST Energy Symposium - Energy Sector Incident Response

Sorry for the late announcement, but in the spirit of better late than never ...

In cooperation with ISC2, ICS-ISAC and EnergySec, the Forum of Incident Response and Security Teams (FIRST) brings you its first energy sector focused event.

As the FIRST folks put it:
This conference will bring together computer security incident response and security team professionals from all over the world and provide a forum for experts to promote, share, and discuss issues relating to developments in the field of Incident Response relating to the Energy Sector.
When: 28 + 29 October, 2013

Where: Lansdowne resort, Leesburg, VA (Not to be confused with Lansdowne Street in Boston)

To register: Click HERE (Save $100 using this code: Energy13)

BONUS: the agenda shows presentations by Jack Whitsitt and Chris Blask. If you don't know them, they are two of the more brilliant and idiosyncratic personalities in the business.  Worth the price of admission alone, IMHO.

Wednesday, October 16, 2013

Special Conference Alert: Risk Management-Focused NARUC Annual Meeting

This NARUC Annual Meeting is called "Managing Risk: Protecting Consumers and Critical Assets" and yours truly will have the honor of participating as a panelist.

As per usual, here are the basics:
  • Where: Orlando Hilton Bonnet Creek, FL
  • When: 17-20 November 2013
  • To Register: click HERE
Here's a press release for more flavor, and here's the agenda.

The Sunday afternoon panel I'm on is called: "Risk Management in Action: Challenges and Opportunities for Implementation", and here's the narrative description of what we'll be discussing:

There’s a lot of talk about the benefits of risk management processes to address cybersecurity, but how familiar are we with the actual implementation of these processes? Come hear panelists discuss the resources necessary to implement and maintain risk management processes for cybersecurity of our critical infrastructure. What are the bottom line impacts on owners’ and operators’ resources for implementing risk management? Hear from subject matter experts about the opportunities and challenges.

Should be great.  Hope some of you can make it.

Photo credit: TripAdvisor.com

Tuesday, October 15, 2013

Job Posting: Senior Power Systems Strategist

If you have ICS engineering credentials, you're not already in Idaho, and you want a change, can you picture yourself in Idaho? Or maybe you know someone qualified, and would be happier if they were in Idaho?

Either way, there's an opening at Idaho National Labs (INL) and if you could help fill it, one way or another, I'll be happy to give you contact information and mail you the full position description upon request.

Photo credit: VisitIdaho.org

From DOD Energy Blog: Time for a US Oil Change?

Navy refueling at speed
To grid heads no other incident did more to change our business than the great Northeast Blackout of 10 years ago; it's a big reason there's such a thing as the Smart Grid Security blog. But I'm cross-posting this from DOD Energy blog as it reflects on the singular most important energy event in some of our lifetimes. One which changed the nation, changed the global economy, and continues to reverberate 30 years after.

On the heels of last week's post on China surpassing the US to become the biggest importer, two recent articles ponder oil's place in our world, particularly in light of how it was used as a weapon against the US during the Arab-Israeli War.

The first, Does OPEC Still have the US over a Barrel? brings the events of those days back vividly. If you're old enough, this will conjure up a scary memory. If you're young enough, this may sound like a Tom Clancy (RIP) novel, but it was far too real for those managing the crisis in 1973:
“I’m sitting at my desk at the Pentagon,” recalls James Schlesinger, then secretary of defense, “and a cable comes in, and it reads: ‘In accordance with the orders of His Majesty, we are obliged to cut off all oil supplies to your 6th Fleet and to your forces in western Europe. Signed [Saudi oil minister] Zaki Yamani.’ ”

Friday, October 11, 2013

Moving Beyond Technical: Use Security Governance Strategies to Integrate Security with the Mission

If like me you've come to the conclusion that a tech-centric strategy can only get us so far in energy sector cyber risk management, then you might want to see some of the source materials I've come across in my explorations.

The two I'll point to in this post are from Carnegie Mellon University's CERT program and PricewaterhouseCoopers' cybersecurity consulting practice.  What they have in common is that they are both several years old.  This is not VC or DARPA-funded cutting edge stuff.  It's human behavior stuff, and as such, it's not on an upgrade path anything like iOS, Android, or "Next Generation" firewalls. But neither are these concepts rapidly deployable, as you'd be hard put to find them put into practice widely at many utilities in 2013.

Tuesday, October 8, 2013

Heads-Up: The 2013 ICS Cybersecurity Summit is Closing In

We talked about this conference and many of its concerns a few weeks ago at the EnergySec Summit, and among other things, got a great presentation showing how one utility has built and gotten great value from its OT security test-bed.

There's going to be a talk on test-beds plus a bunch of other great presentations at the annual "Joe Weiss" summit, so if you have interest, and the ability to get there,  I highly recommend you do.

Here are the basics:
Dates: 21-24 October 2013
Venue: GTRI Conference Center, 250 14th Street NW, Atlanta, GA 30318
LINK for more info and to register
LINK to register
Photo credit: Jomi Thomas Mani @ Flickr.com

Monday, September 30, 2013

Putting all our Cybersecurity Eggs in Technology Baskets

Attackers perform discovery, surveillance, intrusion, denial of service and exfiltration with software tools. Defenders defend with tools of their own in the domains of network security, system security, application security, data security. The "good guys" also:
  • Encrypt data in hopes it will remain secret in transit and at rest
  • Patch and patch and patch and patch applications and OSs
  • Pen test to see if they can find and fix weaknesses before the attackers do
  • Monitor and inspect network traffic and analyze logs for abnormalities
  • And oh so much more ...
Organizations spend millions on defensive technologies, purchasing and/or subscribing, deploying, integrating, updating and yet CISOs still have no dependable process for demonstrating to senior utility leadership the amount of cyber protection they're adding, or put another way, the amount of business risk accepted.

Recently we've seen the DoE and NRECA announce seed grants to help suppliers perform R&D for new technological solutions to cybersecurity challenges facing utilities. Some of these may prove useful to utilities, suppliers, and their services organizations.

Now I almost never use bold, italics or underlining for emphasis. Prefer to let the right words do the work.

But none are likely to substantially address the fundamental issue that cybersecurity threats are a hard-to-quantify risk to business, have human origins, and that improved human awareness and behavior can drive better outcomes in ways everyone can see and understand.

NERC CIP-004: "Cybersecurity - Personnel and Training" calls for humans who have access to critical cyber assets (CCAs) to have appropriate security training and awareness. But the CIPS cover only a very small part of the grid, and as we've seen, it's not just the folks who touch CCAs who can cause significant damage to an organization through their wrong actions ... or wrong inactions.

There are technology products that aim to effect improvements in human behavior (e.g. PhishMe). And there are universities and training organizations galore, some of them even beginning to add industry-specific operational technology (OT) content to their cybersecurity instruction.

And yet many utilities and the government organizations that seek to guide them continue to look almost exclusively to technology to save the day.  Here are two things you can do to begin to flesh out the people pieces:

1) Look at the org chart.  Look at how involved and cyber-aware are the board, the CEO, CFO, GC, etc. You could certainly argue they have bigger (or at least other) fish to fry, but if they knew a little more they might well move cyber threats a bit higher up on their ladder of strategic risks to reliability.

2) See how the CISO is empowered, where he/she sits in the organization, how often he/she briefs the board and corporate officers, and whether he/she has authority to set and enforce security policy enterprise-wide.

There's a lot more of course, but the closing pedantic message of this post, before it sprawls too long, is: don't short the human part of the cybersecurity equation. Humans are the problem, and humans can and should be a much bigger part of the solution.

Photo credit: JS @ Flickr.com

Tuesday, September 24, 2013

Several Scenes from EnergySec Summit 2013

Click for much Gibber ... I mean, bigger
Was in Denver not far from flooded Boulder last week at the 9th annual EnergySec Summit ... my first.  I'm sure we'll be seeing more articles and posts from EnergySec scribes and some of the other 150 or so attendees soon, but wanted to get my observations out.

I missed a number of presentations due to a mid day arrival on Wednesday and missed a few others to field a few intermittent phone calls, but got to hear most of them (my apologies to speakers not covered below).

First off, Patrick Miller and Steve Parker, EnergySec Presidents past and present, were both outstanding ringmasters and herders of wandering speakers.

Monday, September 16, 2013

A Novel Approach to Grid Cybersecurity Awareness

Not long ago I was in a meeting with the CIO of a large electric utility and when I inquired as to the cybersecurity awareness of the board of directors, was told it had recently skyrocketed.

Why the sudden shift I asked?  Had the company just endured a serious and/or highly public breach? Nope, things had been mercifully static on that front. A classified threat briefing by DHS? No, not that either. Well, what was it then?

Apparently one board member had read the latest Tom Clancy book, Threat Vector and once exposed to Clancy's fictional vision of how the US could be brought low through largely cyber means, it changed his thinking. Spoke in language he could understand, and captured his imagination too. It soon spread to the rest of the board.

Now comes former Senator Byron Dorgan with a cautionary novel of his own, and this one is much more grid-centric, from the title on. I later read Threat Vector myself ... 900 pages or so if I remember right, looking for power sector specific attacks and breaches and they were few. I've read some of the reviews of Gridlock, though, and in it the US grid is front and center and not doing so well.

Dorgan and co-author David Hagberg don't have anywhere near Clancy's readership, not close. But if an executive in your company were to happen upon a copy, well, apparently it's quite a page turner, and you might have a new, more cybersecurity-aware board to work with in a few weeks.

Monday, September 9, 2013

Conference Alert: EnergySec and NESCO Town Hall next Week

Ok, so usually I'm giving a heads-up about some conference or seminar you might want to know about, or even attend. But this time I'm saying that, but also revealing I'll be there too.

And I note, in the town where Peyton Manning recently threw 7 TD passes in one game and one can easily procure Rocky Mountain Oysters, I'll be joining luminaries from industry and a number of utilities too.

Here are the deets:

  • Where: Magnolia Hotel, Denver, CO
  • When: 17 - 19 September, 2013
  • What: Lots of stuff. Agenda HERE
  • How: Easy. You can still register HERE

For your edutainment, I'll be moderating a town hall style discussion about the current state and future of the cyber security workforce in the energy sector. We'll be considering full life (as in human life) cycle issues, from birth to tablet training, from kindergarten to college curriculum, from entry level security practitioners to ICS forensics wizards and all the way up the managerial stack to CSOs and CISOs.

Hope to break some new ground and capture some new ideas we can share with all and will do here on the SGSB during and/or right after. Will also tweet whenever possible using the hashtag #ess13.

Hope to see some of you there!

Photo credit: Daily Mail online

Thursday, September 5, 2013

The Things I've Seen Series: Part 2 - Execs Exempted

Last week I posted on an encouraging trend I witnessed over the past 2 years: the emergence in some utilities of security governance boards comprised of security and privacy leaders, often a rep from legal or compliance, and senior stakeholders representing different business lines.  Soon after it went live, I received multiple corroborations from friends in the field who have seen the same thing in their patches. This is all goodness.

But there are other, less uplifting trends you should be aware of if you're not already. I've seen senior executives who have not once met with their cybersecurity leaders and who feel they have no reason to do so. I've had senior state regulators tell me that they haven't really thought about cybersecurity until very recently. 

Friday, August 30, 2013

The Things I've Seen Series: Part 1 - Utility Security Governance Boards

In the final moments of Blade Runner, Rutger Hauer's character, close to death, tells Harrison Ford: "I've seen things you people wouldn't believe."

Over the course of the next several posts I'm going to go through some of my sanitized field notes and let you see things you may or may not believe, some good, some not so good.  Nothing quite as cosmic as what Hauer relates in his final moments, but probably should be interesting if you're in or work with the industry.

Let's start off the series on a positive note with the formation of Security Advisory Boards.  Investor Owned Utilities (IOUs) typically have a number of boards: executive, safety, governance, audit & compliance, etc. However, you can dig through annual reports and review the investor information sections on company web sites for a long time and you likely won't find much if anything relating to cybersecurity risk strategies, concerns or activities.

Thursday, August 29, 2013

Training Alert: SANS SCADA Security Training

By now you know the drill:
  • When: 16-20 September
  • Where: Las Vegas, NV
  • What: A hands-on SCADA Security course with over 20 exercises and labs that are performed on a portable SCADA lab that contains over 15 different PLCs, RTUs, RF, and telemetry devices. It was designed to bridge the skills sets of Control System Engineers, Technicians, and IT Security professionals
Click HERE to learn more and register.

And use this code to save some dough when you do: SANSICS_SGSB5

Photo credit: zekedawg00 @ Flickr.com

Tuesday, August 27, 2013

Declaration of Independence and Intent

I've been warming up and working in this space for years now, and if you've been a Smart Grid Security blog subscriber or an intermittent visitor, you may have noticed an evolution in cyber security thinking of sorts. Well, with changing the world as my goal, it's time to stop treading water and start swimming like I mean it. I just left IBM in order to bring a new type of security advisory service to energy sector organizations. Here’s a brief version of the concept:
You often hear that culture change is the hardest thing to accomplish in an organization. That may be, but to help put our sector’s cybersecurity preparations on a better course, I’m developing an approach focused on increasing organizational awareness and improving internal communications about the security issues that matter. It begins with senior leadership, extends throughout the enterprise and doesn’t stop until it reaches service providers and the supply chain. Most engagements will begin with an in-depth orientation briefing for senior stakeholders, followed by periodic meetings and dedicated hours of access so that I can be a resource whenever my input is needed.

Thursday, August 22, 2013

NERC CIPs Catching up to iPhone Version Numbers

OK, imagine an auction barker: "Bids opening at NERC version 3, do we have a version 3? ..."

"Yes! How about version 4?" Etc.

Well, according to Honeywell's NERC CIP guru Tom Alrich (of the famous, eponymous and quite helpful blog), it now appears that the next version of the CIPs to which utilities must comply will be neither version 4 nor 5 but rather version 6!

I was stunned, as were many of those in online attendance. Tom explains his reasoning on the EnergySec webcast and much more, which you can see HERE. There's a lot of helpful information for utilities of all sizes dispensed in this hour long piece, with some deep dives into the ramifications of high, medium, and low risk assets.

Now, depending on whether we get an iPhone 5s or 6 next month, it's clear that NERC will not allow the CIP versions to lag far behind.


Attended most of this webinar online, but hat tip to my former colleague and (hopefully) current friend, Nebraskan Dave Hemsath of IBM for sending me the replay.

Photo credit: KCRW.com

Tuesday, August 20, 2013

Motivation through Compensation: Paying Utilities to Upgrade Cyber Defenses

Now we're getting somewhere!  The long submerged topic of "who should pay" for electric utility cyber security improvements has just breached the surface and is now bobbing up and down in clear daylight.

A recent article in Bloomberg documents several large US utilities' efforts to recover current and future cyber security investments the same way they get paid for other infrastructure programs: by getting clearance from their state utility commissions to approve these expenses in their rate cases.

Actually rate payers (aka electricity customers) will pay one way or another, as they should, for the essential service that makes our modern lifestyles possible.  Possible methods of payment include:
  • Absorbing the costs to their businesses and their lives associated with brown outs or black outs or electricity quality issues stemming from successful attacks on control centers or systems
  • Paying more every month to cover some, most or all (TBD) of their utilities' cyber-protection expenses
  • Or, as Pepco CIO Doug Myers said, as cited in the Bloomberg article, allowing utilities to be reimbursed through federal grants
This concept was articulated more formally by Michael Daniel, special assistant to the President on Cybersecurity, when he included rate recovery as one of a number of cyber incentive strategies for critical infrastructure providers:
Rate Recovery for Price Regulated Industries — Agencies [DHS, Commerce, Treasury] recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.
As this blog often reiterates, we have to acknowledge and accept the costs of living in a technology-enabled world, where the impulse to cyber secure important services must become every bit as natural as physically securing our more tangible valuables.

Else, I have a nice cave I'd like to show you. And no, it doesn't have wifi.

Wednesday, August 7, 2013

First Look at Cyber Security Incentive Ideas, Companion to NIST's Framework Work

I'll oversimplify this to keep it short, but the President kicked all of this off earlier this year in the wake of failed cyber security legislation efforts in 2010 (GRID Act) and 2012 (Cybersecurity Act of 2012).

The two primary vectors on this project have included:

  1. Having NIST lead the charge to develop a new cyber security framework (i.e., pattern, roadmap, guidance) made up of references to existing guidance that seem to work well. On twitter this effort is tagged #NISTCSF
  2. A parallel initiative to develop incentives that might improve the business case for being more proactive on cyber security.
The incentive categories were just made public, and so far include:
  • Cybersecurity Insurance
  • Grants
  • Process Preference
  • Liability Limitation
  • Streamline Regulations
  • Public Recognition
  • Rate Recovery
  • Cybersecurity Research
Liability and insurance are going to be the thorniest.  And rate recovery help, if workable, sounds promising.

You can read The Hill's coverage and the original White House text via the URLs below, as well as check out the current status and next activities related to the framework.



The Hill


White House




Monday, August 5, 2013

Joe Weiss on a New (or Newly Discovered) Risk to Substations

Control Systems security guru Joe Weiss recently wrote up his observations of a problem reported at a nuclear power facility wherein a transformer load tap changer (LTC) malfunctioned, wasn't detected in a timely manner, and could have caused trouble.

LTCs are used in ALL (Joe's emphasis) substation transformers and are designed to be remotely accessible.  But his bigger point, as he wrote me separately, is that:
This incident can affect EVERY (again) electric substation - I found it because it affected a nuclear plant and an unusual event notice was issued - and [note] the word "cyber" was never used.
Key words here: "remotely accessible." Not something you want to see too often in an incident at or near a nuclear plant. You can read his full post at the URL for his Control Global blog provided below.

Also, Joe was recently quoted in an MIT Tech Review article on an attack on a water plant honeypot. You'll find a URL for that piece below as well.



Control Global


MIT Tech Review


Monday, July 29, 2013

Rapidly Approaching Training Alert: SANS Control Systems Security

Depending on where you sit at the cyber security table, this might be for you or someone in your org.

Here's how the SANS folks describe it:
A rising number of cyber threats impacting industrial systems have increased the urgency to address security challenges for Industrial Control Systems. Learn how to develop an effective and comprehensive cyber security strategy and equip yourself with the technical know-how and skills to apply in these unique applications. Cyber security is an important element to achieve highly reliable and safe operations. SANS Hosted ICS training courses equip both security professionals and control system engineers with the knowledge and skills they need to safeguard these important systems.
Available classes: SCADA Security Training, Critical Infrastructure and Control System Cybersecurity, and Assessing and Exploiting Control Systems

OK now the details:

  • What: SANS Industrial Control Systems Training
  • When: 12-16 August 2013
  • Where (Generally speaking): Washington DC
  • Where (More specifically): the Westin hotel in Georgetown
You can register here: http://www.sans.org/event/ics-security-training-washington-dc and if you use this code you'll get a discount: SANSICS_SGSB5

Wednesday, July 24, 2013

Major SPIDERS (DOD Secure Microgrid) Update

This post just in from Mr. Harold Sanborn, Program Manager at Construction Engineering Research Lab (CERL), US Army and technical manager for the SPIDERS Joint Capability Technology Demonstration (JCTD).  I've removed most of the defense industry speak from a longer version you can find on the DOD Energy Blog.  FYI SPIDERS = an ongoing DOD distributed energy program and the acronym stands for Smart Power Infrastructure Demonstration for Energy Reliability and Security. ab

Here's Harold:

SPIDERS Phase I has finished the "history tour" as we codify and publish the lessons learned.

SPIDERS results demonstrated additional capability for Joint Base Pearl Harbor Hickam, including:
  • Synchronizing with the utility service power signal while pushing electricity back on to the base distribution system
  • Operational viewing of other circuits in the substation in addition to the one controlled by the micro-grid, and
  • Power factor improvements and the opportunity to test generators at load

Tuesday, July 23, 2013

SANS cyber security awareness training for eager utility employees ... and their regulators

I recently stumbled upon some excellent online training materials from the well respected SANS Institute that could be quite useful to you and your organization.

In a series of online modules, many of them tailored to the particular needs of utilities, SANS "Securing the Human" courseware seems to be an easily digestible, self-paced way to get important cyber security awareness messages across to a large number of users.

Note: NERC CIP content here is constructed around version 3, so with newer versions now approved by NERC and FERC, SANS will want to update certain modules accordingly. But 99% of the material is right on the mark, and would be appropriate for electric sector personnel outside the US as well.

Wherever you fit in the ecosystem, whether you're an executive or a rank and file worker bee, whether you're in a utility, a regulatory agency, a vendor, or just a user of digital technology who wants to stay safe, I recommend you check it out.




Saturday, July 20, 2013

RFP Alert: Security Advisor Sought for New England Utility Commissions

No sooner had I posted on the need for more state utility commissions to ensure access to quality cyber security guidance, when an RFP with this exact goal in mind came across my desk (figuratively speaking). So without further delay, your attention please:

The region of 6 northeastern US states collectively referred to as "New England" and boasting the highest per-capita concentration of Dunkin Donuts is seeking one very well qualified energy and cyber security professional to help guide them for a six month period commencing in mid September.

The New England Conference of Public Utilities Commissioners, Inc. (NECPUC) has issued an RFP for which responses are due NLT 5 pm August 8, 2013. I provide the URL to the RFP below but to save you an unnecessary trip, here are the qualifications required if you or your small firm want to even be considered for the job:
  • Background and knowledge of utility sector industrial control system and business operations
  • Knowledge and expertise in computer systems security and related physical security issues
  • Certified Information Systems Security Professional or similar computer security management certification preferred
  • U.S. Government security clearance of “Secret” or higher preferred

Thursday, July 18, 2013

To Secure Your State Grid, First Know Your Public Utility Commission (UPDATED)

19 July 2013 UPDATE: Significant clarification just in from Terry Jarrett, Commissioner of Missouri's Public Service Commission and Chairman of the Committee on Critical Infrastructure at NARUC:
Actually, the NARUC Critical Infrastructure Committee's main focus has been cyber security for the past two years that I have been chairman. Last fall at our annual meeting, incoming NARUC president Phil Jones declared cyber security to be one of the themes of his presidency. To say that cyber will be given more attention in Denver than in the past simply is not factual. 
Thank you Terry.  I'll leave the original post below intact so you can see to what Terry was referring, but please keep his clarification in mind as you do.  ab

-- -- -- -- --

The Advanced Energy Economy Institute (AEE) has a great new site for helping you navigate your way around any of the 50 US states' energy landscapes, including commission leadership, energy portfolio mix, legislation and more. One topic you won't read much about, however, at least not without doing some substantial digging, is cyber security preparedness.

As readers of the SGSB may recall, we've done shout outs to California and Texas, both states having cyber security knowledgeable professionals on their Public Utility Commission (PUC) staff, and there are a couple of other states now similarly equipped. Many other states, however, haven't yet made a modest level of cyber security capability a requirement.

From the Business Roundtable (BRT) issuing guidance earlier this year on how organizations should better organize themselves to meet the rising cyber security risks they face, to a recent report drawn from mega-insurer Lloyd's of London's survey of CEOs and boards of directors at the world's top companies showing they now consider cyber security among the top three risks facing their companies, you could say it's well past time for all organizations, and particularly those with public authority and responsibility like state utility commissions, to ensure they are well informed.

Lastly, you should note that the national body representing the interests of state commissions in Washington, NARUC, has demonstrated excellent leadership producing not just one, but two versions of practical cyber security guidance for commissions in the past year. NARUC will be holding its annual summer meetings in Denver next week and I understand cyber security is going to be given much more attention than it's received in the past.  Hmm, maybe this is a good chance to jump-start your commission's cyber security program ....

Friday, July 12, 2013

NIST Thinking about Cyber Security for Critical Infrastructure Company Boards and CEOs

I just returned from the beautiful UC San Diego campus (hmmm, if only I could travel back in time and attend this school instead ...) where NIST assembled hundreds of cyber security (and other) professionals to advance the initiative known as the Critical Infrastructure Cybersecurity Framework, or CSF for short.

So far some are happy with progress made and some are quite the opposite. I think a little more time will have to pass and we'll have to see what comes out of the NIST oven ahead of the final workgroup session coming up in Dallas.

Tuesday, July 9, 2013

NIST Critical Infrastructure Cyber Security Framework (#NISTCSF) Effort Steaming Ahead

Five hundred souls or so are expected in sunny San Diego this week for the 3rd round of meetings intended to produce new cyber security guidelines for operators of US critical infrastructure.

This article gives you the most recent update on status including cares and concerns related to privacy, business case, and getting senior management buy-in to even consider following this framework in the first place:


It references this DHS doc from earlier this year that attempts to pave the way for CEOs to become more engaged in their organization's cyber security efforts, called Cyber Security Questions for CEOs:


Lastly, if you want to see more of the process without actually getting your feet wet (or getting on a west-bound plane), here are a few resources for you:

The emerging framework itself: http://www.nist.gov/itl/cyberframework.cfm

Details on the San Diego workshop: http://www.nist.gov/itl/csd/3rd-cybersecurity-framework-workshop-july-10-12-2013-san-diego-ca.cfm

Live webcasts of the proceedings can be viewed via these URLs:
Day 1 (Wednesday) Webcast: http://www.youtube.com/watch?v=3hJww5_BDSQ
Day 2 Webcast: http://www.youtube.com/watch?v=SLVW0vFw0gI
Day 3 Webcast: http://www.youtube.com/watch?v=-9hORcAcXNA

I'm flying out today, along with a few of my IBM colleagues. Looking forward to seeing some of you there.

Photo credit: The San Diego Union-Tribune

Monday, July 1, 2013

Super Cyber Security Reading: 2Q ICS-CERT Monitor

Unfortunately, the Energy Sector wins this competition over the last 12 months.

There are few publications you can read that will tell you more about the current state of cyber awareness and attacks on critical infrastructure orgs and systems than the Monitor.

Wednesday, June 26, 2013

Oil and Natural Gas Co's became Primary Attack Targets Last Year

At least according to analysis from cyber security company Alert Logic. This detail and more is captured in a report just released by the US Council on Foreign Relations (CFR).

According to authors Blake Clayton and Adam Segal:
Cyber attacks on energy companies are increasing in both frequency and sophistication, making them more difficult to detect and defend against. Cyber espionage is being carried out by foreign intelligence and defense agencies, even organized crime or freelance hackers.

Monday, June 10, 2013

An Industry Starts to Pivot: Electric Utilities' Shifting Business Models in the Rise of Solar

Amory Lovins and Karl Rabago saw this coming a long time ago.

Now the Wall Street Journal (not Grist, not Mother Jones, not Rolling Stone) references the EEI distributed solar dispatch from earlier this year and runs with it. Not just early/first mover NRG, but the old guard is chiming in too: AEP, Duke, Southern Co, Nextera, Dominion, PG&E ... you get the

First up is Nick Akins, American Electric Power CEO:
On its face you would look at it and say distributed generation is a threat. But on the other hand we see it as an opportunity because our business is changing. There's no getting around it.
Other big utility CEOs join the chorus and soon the message is unmistakable.

Wednesday, June 5, 2013

CPUC's Villarreal is the Real Deal for Grid Security from the US States' Perspective

From cybersecurity to privacy, the Green Button and security metrics, this recent deck from the California Public Utility Commission's (CPUC's) Chris Villarreal covers the entire grid security waterfront from a (very big) state's point of view.

This is well worth your time if you're a regulator in another state, a regulated entity in any state, or you just want to get a better feel for the way this process is evolving.

Note links on last slide to excellent CPUC security white paper by Chris and his security savvy colleagues, Liza Malashenko and J. David Erickson, and to NARUC's excellent "Cybersecurity for State Regulators 2.0" guide. There are other states upping their cybersecurity game as well, but California and Texas have been the two trailblazers. Of that there is no doubt.


URL for this deck, which accompanied Erfan Ibrahim's SG Educational Series webinar:


URL for another nice write-up on the work of Chris and his colleagues, from Greentech Media's Jeff St. John:


Tuesday, June 4, 2013

Energy sector can learn from DOD's cybersecurity strengths (and weaknesses)

Last year the US DoD released a report by one of its Defense Science Board teams and I've seen it referenced a number of times in recent weeks, especially in articles announcing our loss of the most sensitive systems design details on dozens of current and next generation weapons systems.

See if you think this excerpt from the executive summary would accurately describe the current state at the utility you work for, or regulate, or invest in, or power your home with:
[The conclusion that we must do much better on cyber defense] was developed upon several factors, including the success adversaries have had penetrating our networks; the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems.
If you think it might, then it's possible that you may find value in digging into the findings and recommendations within. I noticed this one on culture as being particularly relevant to our sector:
Individual and organizational cyber practices result in so many cyber security breaches that many experts believe that DoD networks can never be secure with the current cyber culture. The individual’s immersion in the civil sector cyber culture and the military’s focus on mission objective are the two most important contributors to DoD’s poor cyber culture. In the face of a threat that routinely exploits organizational and personal flaws, DoD leadership must develop a clear vision for the Department’s cyber culture.
It's very likely your utility is not targeted nearly as much as are the DoD's networks and systems, but I'd still say this report has lots of applicability for the way we think and act.


URL for full report:


Tuesday, May 28, 2013

Grid Security Keynote of Note at May 2013 ISO Conference

Since you can't be everywhere, there's the SGSB (which can).  Former Seattle City Light CISO and current Verizon control systems security ace Ernie Hayden gave a keynote presentation at the recent ISO New England and New York ISO Energy Conference held in Boston, and we've got it for you.

If you don't know ISO, it stands for Independent System Operator, a term which is often used interchangeably with another acronym: RTO, or Regional Transmission Organization. In North America, these organizations are like referees and traffic cops, trying to keep the peace among utilities and ensure the smooth and reliable flow of appropriately priced electricity across multi-state regions.

It's good to see Security get such a prominent platform at a high profile industry event like this. Certainly a sign of the times.  Ernie's slides will take you through the past, 2013/present and future of grid security, and though some of the info would clearly benefit from his accompanying narration, a lot of this works quite well as is. And if you really want the audio, then I'm sure Ernie will agree to come to you and do it again, as long as you treat him right.  URLs below.


Ernie Hayden deck


Conference home page


Friday, May 24, 2013

Looking Again at the Markey-Waxman Grid Vulnerability Publication

Where would I be without feedback? Many thanks to SGSB readers who chimed in on this.

I recently published a post titled "House of Reps Report Reams Utilities on Cybersecurity." Not accurate and all you have to do is read the cover page which, just below the House seal, says "A Report written by the staff of congressmen Edward J. Markey (D-MA) and Henry A. Waxman (D-CA)". Mea Gulpa.

So I took a second, closer look and found some things to like and some things I had to wonder about. For example, I'm happy to see congressmen seeking more information about the current state of security in our sector. Who could argue with that?

But their methods are not fully sound.

Thursday, May 23, 2013

House of Reps Report Reams Utilities on Cybersecurity

Was trying to capture spirit of Jesse Berst's headline on the same subject:
Utilities to FERC: Take your security measures and shove it
That's not very nice, is it?  I think they toned it down with a later change, but this headline was what was in my inbox in this morning's SmartGridNews.com newsletter. The subject is a recent report published by the House of Representatives that's highly critical of electric utilities' behavior to date re: grid cybersecurity.

Moving on! The Wall Street Journal's Rachel King did a fine write-up of recent testimony from the CEO of the American Gas Association (AGA), Dave McCurdy. King began by noting that:
The oil and gas sector faces many of the same cyber security challenges as the electric industry. Yet, there’s one major difference between the industries, both of which need to secure software-based industrial control systems from intruders. There are no regulations governing cyber security among the oil and gas companies.

Wednesday, May 22, 2013

Cyber Achilles Heel Afflicts Electric Sector (and other) Senior Leaders

Just for fun, let's begin with a few quotes from an article in yesterday's Wall Street Journal of the mind-blower variety:
Executives are disconnected from reality when it comes to IT and security.
Top leaders seem particularly inclined to do things their IT departments warn against, such as opening email from unfamiliar senders, or clicking on links.
During ... simulated attacks, top executives are 25% more likely to click on the links that in a real attack could install malware. One reason ... is that most senior leaders skip company programs on developing cautious email habits.
You can visit this WSJ page below for the full article and attribution.

But wow. What a cyber Achilles Heel we've got if the folks with access to the most important, most sensitive info in our companies are the easiest to scam into coughing it up.

Training Alert: ICS / 2 Control Systems Security Sessions Coming Up

SGSB readers: first a brief housekeeping note. Due to a dose of awareness I just received yesterday, I'll no longer be including live links in posts. When I want to recommend a web page for you to visit I'll give you the full URL, which you can paste into the browser of your choice (see below).

OK moving on. SANS is developing an ICS & utility focused security practice with NIPSCO's Tim Conway assisting.  And this effort is already bearing fruit, with training classes coming up next month.  Here are the deets for you:

  • When: June 11, 2013 (Saturday)
  • Where: Westin Houston Memorial City, Houston, TX USA
  • What: two courses:
      1) SCADA Security Training
      2) Pen testing ICS and Smart Grid
For more info and to register, do what you need to do with the following URL: 

Special SGSB Offer: use the code SmartGrid2013 when you register and you'll receive $150 off the Pentesting ICS or the Smart Grid or the SCADA Security Training course.

Monday, May 20, 2013

Sanity Check: Nuclear Cyber Security Should be the Best, Right?

A few recent missile launchings notwithstanding, you may recall a little over a month ago things were hot and heavy in the North vs. South Korea showdown. On April 15th Japan Times published this account: South Korea Bolsters Security of Nuclear Plant Network, which opened thusly:
SEOUL – The state-run operator of South Korea’s nuclear power plants has separated its internal computer network from the Internet in an effort to guard against possible North Korean cyber attacks, Yonhap News Agency reported Sunday.
and continued:
It said Korea Hydro & Nuclear Power Co. has also completely divided its nuclear plant control systems from its internal computer networks and restricted both systems’ access to the Internet, while USB ports of the plant control systems have also been sealed.

Tuesday, May 14, 2013

Energy Security Conference Alert: IAGS' Target Energy 2013

UPDATE: Conference Cancelled ... Sorry about that.


What is IAGS you say? I'll answer briskly: the Institute for the Analysis of Global Security. Teaming with NATO's Energy Security Center of Excellence, IAGS is hosting a conference called Target Energy that includes but goes well beyond cybersecurity and the grid.

For those SGSB readers whose professional lives are circumscribed by electric sector security, this is a chance to stretch a bit. Here's how the organizers describe the focus:
The cost of securing energy supplies is increasing due to threats from terrorists, hackers, activists and hostile nations. What is the impact of attacks against energy, and how can companies, organizations, and governments work with NATO to increase security?

Monday, May 13, 2013

Energy Sector Orgs: How Would You Know if You Were Secure Enough?

Along with my friend and IBM colleague Jeff Katz, I was recently cited in an article by a new publication called Breaking Energy. One of the things they captured was this statement:
"[Legislators and regulators] hear statements that the grid is not secure enough .... That begs the question: how would you know? How do you know how secure it is now?"
If one was hellbent on better securing the grid, how would you define your destination, and how would you know you were making progress towards it? Sorry for so many questions.  Maybe you can provide some answers in the comment space below.

Meanwhile, in this USA Today piece, senior leaders in Washington continue to make alarming sounds about our industry's preparedness:
"The power industry [ranges widely in security maturity] from companies that are very good to companies that need a lot of work and a lot of help," Gen. Keith Alexander, commander of Cyber Command, said Friday.
Meanwhile, in the NYTimes, two senior [DHS] officials just said "[a new wave of intrusions] were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name."

Seems we have the motivation. And maybe the means. But I still question whether we have a roadmap, tools, or even the language to recognize progress. More on this coming up.

Monday, April 29, 2013

More on the Model: are Utilities Planning for the Future or Hoping it Doesn't Come?

A few weeks ago I posted about threats to the traditional investor owned utility (IOU) business model and I'm still soaking in what EEI and others are saying. Since then, I:
  • Attended a presentation on the future of renewables at MIT given by energy futurist Dr. Eric Martinot. You can download Martinot's full 2013 report HERE and follow his periodic updates HERE
  • Also had a great conversation with another energy futurist, Chris Nelder, after reading his Greentech Media Article titled "Adapt or Die: Private Utilities and the Distributed Energy Juggernaut". Nelder's personal site is HERE
  • Read THIS from Bloomberg, a name not normally associated with wild or starry eyed cleantech visions. Bloomberg analysts are predicting very strong gains with renewables comprising up to 37% of total power produced by 2030
I'm not a self-proclaimed futurist, nor do I play one on TV or the Web. And I know if I were on a debate team, I could find plenty of arguments (e.g., low cost natgas, end of renewables subsidies, slow uptake of EVs, etc.) for thinking it'll be business as usual for IOUs for decades to come.

Monday, April 22, 2013

All the NIST Critical Infrastructure Security RFI Responses You Can Eat

Re: the many and various submissions from companies and individuals to NIST, someone who knows more than a few things about grid security recently tweeted twice thusly:
Reading - and in many cases laughing at - #NISTCSF responses
and ...
The responses? Mostly neutrally irrelevant, some nonsensical. I've marked only 14% so far for "real" read later
I just want you to set your expectations bar sufficiently low before you click HERE and read all of the responses.

By the way there were a few good and very good responses too.

If, after reading, you not only feel like you have something to suggest that hasn't yet been suggested, but you also want to physically transport and immerse yourself in this grand sausage making activity, then ...

For more information on the 2nd workshop coming up in late May in Pittsburgh, and a link where you can register, click on THIS.

Photo credit: @Doug88888 on Flickr.com

Tuesday, April 16, 2013

SGSB Hello from Boston the Day After

As long-time readers already know, I live in Boston, USA. More specifically, in a town called Brookline, about a mile from the historic baseball stadium named Fenway Park, and about 2 miles from the finish line of the Boston Marathon.

I ran it in 2004, in honor of turning 40, and it was one of the most profound experiences of my life ... certainly a top 10 moment. Since then I try to at least be on the sidelines and return the energy and support I received. The thousands of people who run the event and the charities connected to it, the hundreds of thousands who cheer the runners on, and the twenty-thousand plus runners from all over the world you run with and among, all add up to making you proud to be a living, breathing, happy, healthy, human being, sharing the world with other like-minded individuals.

I was out of town yesterday, visiting a son in another state. When the news broke of the attack on the marathon, I was in an airport waiting to fly home. Since then, other than hit "publish" on a post I already had written a few days ago, checking to see if any friends or family were hurt, and responding to numerous others checking on me (thanks!), I haven't been of much use.

The current Boston newspaper headline reads "Bombs Packed with Shrapnel".  The devices were pressure cookers packed with nails and ball bearings. We know this now because these are the materials being pulled out of the bodies of the victims.

Out of 150 casualties, 3 have died so far, including one great little 8 year old boy who was on the sidelines cheering on his dad who was running. The boy's mother and sister were with him: his mom has brain injuries and his little sister lost a leg. Another mother in a suburb to the north has two sons who've lost a leg each so far.

I don't have anything constructive to say at present so I'll just shut up. I know madmen's bombs are taking innocent lives all over the world on a daily basis. This one hit very close to home. I would very much like to find this particular madman.

Team Hoyt photo from yesterday: Masslive

Energy Security Update: Renewables Economics Hitting German Utilities Hard

A week or so ago I posted about an EEI report warning that many if not most utilities are ill equipped to adapt to shifting business models arising from the build-out of distributed energy generation technologies.

In what some call a vicious cycle, the more technology allows customers to partially or fully remove their loads from the grid, the fewer payers there are to support the maintenance (let alone the modernization) of the grid's vast and aging infrastructure. I also asked readers to consider the implications for cybersecurity thinking and spending in the context of these types of mounting economic pressures.

Now I've got another article for you ...

Friday, April 12, 2013

Webcast Alert: Establishing Security Baselines at Industrial Facilities

I love good baselines, and I'm not the only one. When famous jazz composer/arranger Gil Evans (see Sketches of Spain) heard the early Police playing Walking on the Moon, he took time to personally compliment the stunned bass player, Gordon Sumner aka Sting.

Now another baseline for you, less musical but more actionable, courtesy of the new ICS-ISAC:
  • Title: Raising All Boats: Establishing Security Baselines at Industrial Facilities
  • Date: Monday April 29th, 2013
  • Time: 1:00-2:00pm USA Eastern Time
  • Registration and more info here: http://ics-isac.org/events.html
Hope you can make it. Oh, and here's Miles for you: http://www.youtube.com/watch?v=7KDQNoqKya0

Wednesday, April 10, 2013

It's Hard for Utilities to Improve Security when Their Business Models are Increasingly Insecure

This one's not about security, unless you consider the well-being of the utilities who own and operate most of the grid to be security related.  In which case this post is completely about security!

Greentech Media (GTM) has just written a short piece highlighting some of the take-aways of a new Edison Electric Institute (EEI) report called "Can the Utility Industry Survive the Energy Transition?" and I'd say both the GTM article and the full EEI report are well worth your attention.

Friday, April 5, 2013

Helpful Clarifications Still Leave NERC CIP Version 4 Changes Feeling Overwhelming

If your job is to ensure your utility complies with the new version 4, you've certainly been scouring info like this for a while now. But if you're a member of the electric sector's support or regulatory communities, including service providers and state commissioners, it'll behoove you to get a better feel for the many, and often ambiguous, compliance hoops through which these folks have to jump.

Thursday, April 4, 2013

Early Conference Alert: EnergySec Call for Speakers

If you have potent ideas that could help utilities, regulators or other members of our tight-knit community, a rich vocabulary and a booming, resonant voice, are somewhat animated and can make dramatic hand gestures, then you may have a place in the line-up at the next EnergySec conference.

Here's the content of a just-received email in case you didn't get or see it directly:
The EnergySec Annual Security Summit has been privileged to host some of the most intriguing, informative, technical and entertaining cyber security presentations and panels this industry has seen. But we think we can do better.

Wednesday, April 3, 2013

SGSB notes from NIST's Critical Infrastructure Cybersecurity Framework Workshop

Long title, eh? Cranking this out just before heading back to Beantown from DC/Reagan airport, so please be more tolerant than usual of typos, lack of narrative, lack of clarity, weak grammar, lack of a point, etc. ...

ICS-ISAC Chair Chris Blask, pictured above (long hair on right), waited very patiently at a microphone that seemed like it was for audience use, and ultimately got his turn, in which he asked a long question phrased like a long statement.

Sunday, March 31, 2013

ICS Lab for Grid Security Research, Training and Demonstrations

In case you're not already tuned into this community, but might want to be, I submit for your review the contents of an email I received yesterday.  It goes like this:
Greetings ICS-ISAC Members and partners!
The ICS-ISAC and MS-ISAC are partnering with several key Members to create an ICS Security Lab as a shared asset for research, training and demonstrations. Physically hosted in Livermore, CA by Robot Garden, the Lab is now in Phase One of procuring equipment and establishing the virtual capabilities that Members can have access to.
If you are interested in participating in this activity or have equipment that would be of benefit to this endeavor, please send a note to ICS-ISAC Chair Chris Blask at chris@ics-isac.org.
There is also a LinkedIn group for collaboration at http://www.linkedin.com/groups?home=&gid=4932821&trk=anet_ug_hm&goback=%2Emyg

Acronym Legend:

ICS-ISAC = Industrial Control Systems Information Sharing and Analysis Center

MS-ISAC = Multi-State Information Sharing and Analysis Center

That's all I got.

Thursday, March 28, 2013

EnergySec Welcomes NERC CIP Virgin Utilities with Version 4 Briefing

Titled "Get Ready for Version 4," the deck linked at the end of my words has some great and helpful info in it, not just for utilities transitioning from version 3, but for brand new utilities that for the first time come under the tender embrace of the CIPs. To them, all of us in the community say, "Welcome aboard!!!"

An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:

Monday, March 25, 2013

NatGas Cybersecurity getting a lot more Visibility

Thanks to colleague H. Chantz for spotting this article and sending it this way.

As has been the case quite a bit this year, once again we are in the realm of SCADA/Control System security. William Rush of the Gas Technology Institute states it plainly, if somewhat dramatically:
"Anyone can blow up a gas pipeline with dynamite. But with this stolen information, if I wanted to blow up not one, but 1,000 compressor stations, I could," he adds. "I could put the attack vectors in place, let them sit there for years, and set them all off at the same time. I don't have to worry about getting people physically in place to do the job, I just pull the trigger with one mouse click."
There are no NERC CIPs for the gas industry, but with 25-30% of US electric power and a whole lot of home heating coming from gas, it's time to get moving on better securing this infrastructure.

Pipeline operators, now alerted to the fact that sensitive access control information to important subsystems is in the hands of folks outside the industry (and outside the country it seems), need to get moving. And I'm sure they will, but it's a BIG job.

The whole Christian Science Monitor article is HERE.

Photo credit: War News Updates

Thursday, March 21, 2013

Boxing the Fundamental Assumptions of Cybersecurity Risk Management

Here's something to wrap your head around (or more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development process, an effort begotten by the recent Presidential Executive Order.

Many in our community love to talk about risk management as the common sense, business oriented antidote to the mandatory and therefore inflexible and slow moving instructions in the NERC CIPs.

You could certainly put me at least half in that camp. Well, after reading THIS sharp Brookings paper from Ralph Langner and Perry Pederson, that half of me is feeling a little wobbly.

Thursday, March 14, 2013

Metrics Mark the End of Faith-based Cybersecurity

Thanks to Dark Reading for covering the RSA 2013 metrics panel and for the article: "Governance Without Metrics Is Just Dogma."

To whom do we owe this powerful and provocative headline? Not the editors at Dark Reading, though they were smart enough to grab it and put it at the top. It was Alex Hutton, an Operations Risk and Governance director at Zions National Bank.

In case you're not used to seeing the word dogma in this context, let's refresh ourselves with a definition (thanks Wikipedia):
Dogma is an official system of belief or doctrine held by a religion, or a particular group or organization. It serves as part of the primary basis of an ideology or belief system.

Monday, March 11, 2013

Cybersecurity Workforce Developers Need You, Part Deux

Yes we can. The following is number 2 in a series of 2 unpaid public service announcements from what remains one of my favorite organizations. It begins, as it did the first time on March 2, thusly:

Power industry security stakeholders (if you read this blog, that means you!),

The National Board of Information Security Examiners (NBISE) is partnering with the Pacific Northwest National Laboratory to contribute to the development of the U.S. cybersecurity workforce. Toward this effort, a utility SME panel has mapped power system cybersecurity job responsibilities to the objectives of two workforce frameworks (NICE and ES-C2M2), the domains of training/education programs, and the objectives of key certifications.

Thursday, March 7, 2013

Recommended Reading: Industrial Safety and Security Source

3/8/13 Flash update - SGSB reader and contributor Ernie H suggests you visit Joel Langill's www.scadahacker.com site as well to further enrich your budding control systems security knowledge.

As I've mentioned a few times before, this year I'm working on getting my OT security chops up to speed, and that means getting a lot more familiar with the way SCADA and ICS systems work when they're functioning properly, to better appreciate how they can be exploited when reached by those with impure thoughts and nefarious motives.

To that end I reach out to folks who seem to know more about this part of the world than I do (sadly, a group that must number in the hundreds of millions). I'm not always successful, but when I am, I'm happy to share my success so you can advance your own understanding, if necessary, as well.