Thursday, February 28, 2013

Heralding the Dawn of Critical Infrastructure Security Metrics

You may like this blog because of its emphasis on business-oriented security metrics and measurement. Or you may loathe it for the same reason (though if you do, you shouldn't still be visiting much).

Can't measure, can't manage. On this we agree, right?

So ... we're two weeks past the Presidential executive order (EO) that kicked off a new round of meetings that will ultimately produce a new NIST framework for grid security. You can read about the goals for this thing, including the RFI process HERE.

Thanks to EnergySec's Patrick Miller, who tweeted yesterday that this round of work is designed, among other things, to produce metrics that can be used to assess the current security posture of your organization.

Tuesday, February 26, 2013

The Future of Naval Installation Energy

Posting this one for SGSB readers who might not otherwise see relevant content on the DOD Energy Blog. There's a lot to admire, and learn from, in what the Navy is doing in Washington DC and the surrounding region. Check it out ...
As projected several years ago in this great 5-minute video, paving the way for demand management, energy efficiency, microgrids, support for renewables and all manner of support-the-mission, energy security goals (with cybersecurity baked in).

From all accounts, the folks involved with this initiative are right on schedule and are meeting their objectives. Recommend you keep an eye on this.

Wednesday, February 20, 2013

DOE Seeks Your Ideas for Better Grid and Smart Grid Security

Thanks to my colleagues JSK and SG for initially sending this my way, and given the news lately, how timely it is!

A new Department of Energy (DOE) funded project seeks:
... applications to conduct research, development and demonstrations leading to next generation tools and technologies that will become widely adopted to enhance and accelerate deployment of cybersecurity capabilities for the U.S. energy infrastructure, including cyber secure integration of smart grid technologies.

Thursday, February 14, 2013

CNAS Provides a Good Way to Grok the Executive Order

First of all, Happy Valentine's Day, SGSB readers. Hope you are finding as much success in your love lives as you are in your careers securing (or caring about securing) the most critical of critical infrastructures.

Yesterday found me walking down the street in Washington DC a little before noon, when suddenly I ran into some friends, old and new, who had just popped out of the US Department of Commerce. They witnessed directly, and gave me a first-hand account, of the birth of the administration's Executive Order (EO) on better securing the nation's critical infrastructures.

Monday, February 11, 2013

Conference Alert: AGRION Energy & Sustainability

On Feb 19, one of the year's best energy and sustainability conferences will be kicking off in NYC. It's organized by a great org I've become familiar with recently: AGRION, a global business network for energy, cleantech and corporate sustainability.

On the second day, following a morning keynote by PSE&G CEO Ralph Izzo, I'll be moderating a panel of experts on the topic "Smart Grid Market: Scope and Scale":
  • Kevin Genieser, Managing Director & Head of Clean Energy & Renewables, Morgan Stanley
  • Joe Callis, Sr. Applied Solutions Engineer, PJM Interconnection
  • David Groarke, Smart Grid Senior Analyst, Greentech Media
To be sure, I'll work in an appropriate amount of security substance. After all, you can't deploy a Smart Grid that's easy to disrupt, right?

You can see the full agenda, list of speakers and venue details HERE. Hope some SGSB readers can make it.

Thursday, February 7, 2013

One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0

My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:
I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.
Well, guess what, readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note sublime, almost hypnotic snowflake animation on landing page).

Tuesday, February 5, 2013

California PUC to Host Cybersecurity Discussion

This is great because apparently you can participate in person in San Francisco (who wouldn't want to visit?) or in a remote fashion. Here are some of the details for you:

WHEN: Feb. 27, 2013, 1:30 p.m. – 3:30 p.m.

Opening remarks will be made by CPUC President Michael R. Peevey and the event will be moderated by Gary Ackerman, Executive Director, Western Power Trading Forum.

  • Commissioner Terry Jarrett, Missouri Public Service Commission
  • Tim Roxey, North America Energy Reliability Corporation
  • Steven Dougherty, IBM
  • James Sample, Pacific Gas and Electric Company

WHERE: CPUC Auditorium, 505 Van Ness Ave., San Francisco, CA, USA


You can submit questions in advance to  Pretty nice, right? Wonder if other states or maybe countries will follow suit?

Monday, February 4, 2013

ICS-ISAC Webinar on Municipal Utility Control Systems Security

The ICS-ISAC (that's Industrial Control Systems Information Sharing and Analysis Center if you want it spelled out for you) has a webinar coming up soon if you want a bite-sized dose of control systems security best practice knowledge. As the site says:
ICS-ISAC Member Briefing Miki Calero, Chief Security Officer for the City of Columbus Ohio, will provide a first-hand assessment of the challenges and opportunities presented to those responsible for securing municipal infrastructures.
For me, this is interesting because in addition to getting more info out on control systems security, we'll also get to hear the municipal (or "muni") point of view. Munis are everywhere and are often below the radar of the sector press, who like to focus on the large investor-owned utilities (IOUs). Yet munis, responsible for medium-sized cities and above, play a critical role in keeping the lights on for millions (maybe billions) around the world, especially at the distribution level.

The webinar will also include ICS-ISAC Chair Chris Blask briefing ISAC members on new developments at the Center.

When: February 20, 1-2 pm ET

Here's a LINK to learn more and register.

Sunday, February 3, 2013

Alrich on Distributech's 2013 Cybersecurity Focus Panels

I couldn't make it to the panel sessions but fortunately Tom Alrich could and did. Here are his short takes on 3 different panels:
Substation Integration and Automation: The Cybersecurity Landscape is Changing - Didier Giarratano of Schneider Electric discussed Role Based Access Control (RBAC) and how to do a good job applying RBAC to the challenges of substations. Anthony Eshpeter of SUBNET Solutions discussed “Complexities of Substation Cyber Security”. He provided a very good, lucid discussion – pointing out the need for solutions like those SUBNET sells but without ever making a sales pitch. Bradley Tips of Cisco addressed “Real-world Deployment of Network Security for NERC CIP Compliance”. A good overview of what CIP requires for a substation these days.

Friday, February 1, 2013

Conference Alert: SANS ICS Summit coming up fast

Smart Grid Security Blog readers: heads-up. I've decided that this year the time has come to do a massive press on Operational Technology (OT) Security issues. I think the reason for the timing is obvious, but I'll make my case in a future post when I have more time.

And this won't be just for the US and North America, and it won't be limited solely to the electric sector. We'll look at OT security challenges and efforts in other industrial equipment-oriented critical infrastructure sectors.

But for now, get ready to see some announcements for upcoming conferences and webinars on this topic by some of the best and most experienced folks in the business. Details on the first one are right here:


The 8th Annual SCADA and Process Control System Security Summit


Feb 6-11: Pre-Summit Courses
Feb 12-13: Summit (click HERE for Summit agenda)
Feb 14-15: Post-Summit Courses


Walt Disney World Disney's Yacht & Beach Club
1700 Epcot Resorts Boulevard
Lake Buena Vista, FL 32830

To Register

Click HERE to register for Summit
Disney Website: Walt Disney World Disney's Yacht & Beach Club
Reservations & Discounted Park Tickets:

This week and a half would enable one to really immerse themselves in the topic. And maybe enjoy a little Disney time too.