ICS Lab for Grid Security Research, Training and Demonstrations

In case you're not already tuned into this community, but might want to be, I submit for your review the contents of an email I received yesterday.  It goes like this:

Greetings ICS-ISAC Members and partners! 

The ICS-ISAC and MS-ISAC are partnering with several key Members to create an ICS Security Lab as a shared asset for research, training and demonstrations. Physically hosted in Livermore, CA by Robot Garden the Lab is now in Phase One of procuring equipment and establishing the virtual capabilities that Members can have access to. 

If you are interested in participating in this activity or have equipment that would be of benefit to this endeavor please send a note to ICS-ISAC Chair Chris Blask at chris@ics-isac.org
There is also a LinkedIn group for collaboration at http://www.linkedin.com/groups?home=&gid=4932821&trk=anet_ug_hm&goback=%2Emyg

Acronym Legend:

ICS-ISAC = Industrial Control Systems Information Sharing and Analysis Center

MS-ISAC = Multi-State Information Sharing and Analysis Center

That's all I got.

EnergySec Welcomes NERC CIP Virgin Utilities with Version 4 Briefing

Titled "Get Ready for Version 4" the deck linked at the end of my words has some great and helpful info in it, not just for utilities transitioning from version 3, but for brand new utilities who for the first time come under the tender embrace of the CIPs. To them, all of us in the community say, "Welcome aboard !!!"

An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:

NatGas Cybersecurity getting a lot more Visibility

Thanks to colleague H. Chantz for spotting this article and sending this way.

As has been the case quite a bit this year, once again we are in the realm of SCADA/Control System security. William Rush of the Gas Technology Institute states it plainly, if somewhat dramatically:

Anyone can blow up a gas pipeline with dynamite. But with this stolen information, if I wanted to blow up not one, but 1,000 compressor stations, I could,” he adds. “I could put the attack vectors in place, let them sit there for years, and set them all off at the same time. I don’t have to worry about getting people physically in place to do the job, I just pull the trigger with one mouse click.

There are no NERC CIPs for the gas industry, but with 25-30% of US electric power and a whole lot of home heating coming from gas, it's time to get moving on better securing this infrastructure.

Pipeline operators, now alerted to the fact that sensitive access control information to important subsystems is in the hands of folks outside the industry (and outside the country it seems), need to get moving. And I'm sure they will, but it's a BIG job.

The whole Christian Science Monitor article is HERE.

Photo credit: War News Updates

Boxing the Fundamental Assumptions of Cybersecurity Risk Management

Here's something to wrap your head around (or more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development processes, an effort begat by the recent Presidential Executive Order.

Many in our community love to talk about risk management as the common sense, business oriented antidote to the mandatory and therefore inflexible and slow moving instructions in the NERC CIPs.

You could certainly put me at least half in that camp.  Well, after reading THIS sharp Brookings paper from Ralph Langer and Perry Pederson, that half of me is feeling a little wobbly.

Metrics Mark the End of Faith-based Cybersecurity

Thanks to Dark Reading for covering the RSA 2013 metrics panel and for the article: "Governance Without Metrics Is Just Dogma."

To whom do we owe this powerful and provocative headline? Not the editors at Dark Reading, though they were smart enough to grab it and put it at the top. It was Alex Hutton, an Operations Risk and Governance director at Zions National Bank.

In case you're not used to seeing the word dogma in this context, let's refresh ourselves with a definition (thanks Wikipedia):

Dogma is an official system of belief or doctrine held by a religion, or a particular group or organization. It serves as part of the primary basis of an ideology or belief system. 

Cybersecurity Workforce Developers Need You, Part Deux

Yes we can. The following is number 2 in a series of 2 un-paid public service announcements from what remains one of my favorite organizations. It begins, as it did the first time on March 2, thusly:

Power industry security stakeholders (if you read this blog, that means you!),

The National Board of Information Security Examiners (NBISE) is partnering with the Pacific Northwest National Laboratory to contribute to the development of the U.S. cybersecurity workforce. Toward this effort, a utility SME panel has mapped power system cybersecurity job responsibilities to the objectives of two workforce frameworks (NICE and ES-C2M2), the domains of training/education programs, and the objectives of key certifications. 

Recommended Reading: Industrial Safety and Security Source

3/8/13 Flash update - SGSB reader and contributor Ernie H suggests you visit Joel Langill's www.scadahacker.com site as well to further enrich your budding control systems security knowledge.
--------------------------------

As I've mentioned a few times before, this year I'm working on getting my OT security chops up to speed, and that means getting a lot more familiar with the way SCADA and ICS systems work when they're functioning properly, to better appreciate how they can be exploited when reached by those with impure thoughts and nefarious motives.

To that end I reach out to folks who seem to know more about this part of the world than I do (sadly, a group that must number in the hundreds of millions). I'm not always successful, but when I am, am happy to share my success so you can advance your own understanding, if necessar, as well.

NIST Critical Infrastructure Cybersecurity Framework RFI and Workshop Details

We're about a month away from the first NIST workshop to help create the new framework described in the recent Executive Order, as well as from the 5 pm, USA ET, April 8 deadline to submit responses to the RFI.

To refresh, here's what they/we are trying to do:

The goals of the Framework development process will be: (i) To identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) to specify high-priority gaps for which new or revised standards are needed; and (iii) to collaboratively develop action plans by which these gaps can be addressed. It is contemplated that the development process will have requisite stages to allow for continuing engagement with the owners and operators of critical infrastructure, and other industry, academic, and government stakeholders.

If you are so moved and have something to say (and NIST and I hope you do), here's how to submit your ideas and recommendations:

Old School

For those who prefer to communicate longhand by dipping your peacock feather quill into the inkwell on your vintage desk, "Written comments may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899."

DHS' CSET: a Remedy for Electric Sector Security Measurement and Reporting Complexity Pains?

Sorry about that ridiculously long title, but felt it couldn't be helped this time. Thanks to Dr. Les Cardwell of Central Lincoln PUD, a publicly owned utility serving communities on the coast of Oregon.

Les wrote in and shared some of what he recommended to NIST and DOE regarding the recent RFI on the "Framework for Reducing Cyber Risks to Critical Infrastructure."

I'm not going to reprint the entirety of his submission, but will share with you two things here. First, Les' articulation of the need for a way to keep complexity in check as we go about this search for a new/better security framework for our community:

Conference Alert: European Smart Grid Cyber and SCADA Security

The European wing of our global grid security tribe is gathering soon in London. Some great speakers and plenty of utility participation at this one.

Recommend you check it out - here are the basic deets:

• When: March 11 & 12
• Where: The Copthorne Tara Hotel, Scarsdale Place, Kensington, London, W8 5SR
• For more info and registration, click HERE

SGSB point of contact: Jamison Nesbitt, jnesbitt@smi-online.co.uk

Photo credit: Magnet Magazine

Cybersecurity Workforce Developers Need You !!!

The following is an un-paid public service announcement from one of my favorite organizations (note: while this is intended for US-based cybersecurity professionals,  there's a lot to learn, and a lot of similar tasks that need to be accomplished, if you live and/or do your work in other regions):

Power industry security stakeholders!

The National Board of Information Security Examiners (NBISE) is partnering with the Pacific Northwest National Laboratory to contribute to the development of the U.S. cybersecurity workforce. Toward this effort, a utility SME panel has mapped power system cybersecurity job responsibilities to the objectives of two workforce frameworks (NICE and ES-C2M2), the domains of training/education programs, and the objectives of key certifications.