Wednesday, June 26, 2013

Oil and Natural Gas Co's became Primary Attack Targets Last Year

At least according to analysis from cyber security company Alert Logic. This detail and more is captured in a report just released by the US Council on Foreign Relations (CFR).

According to authors Blake Clayton and Adam Segal:
Cyber attacks on energy companies are increasing in both frequency and sophistication, making them more difficult to detect and defend against. Cyber espionage is being carried out by foreign intelligence and defense agencies, even organized crime or freelance hackers.

Monday, June 10, 2013

An Industry Starts to Pivot: Electric Utilities' Shifting Business Models in the Rise of Solar

Amory Lovins and Karl Rabago saw this coming a long time ago.

Now the Wall Street Journal (not Grist, not Mother Jones, not Rolling Stone) references the EEI distributed solar dispatch from earlier this year and runs with it. Not just early/first mover NRG, but the old guard is chiming in too: AEP, Duke, Southern Co, Nextera, Dominion, PG&E ... you get the

First up is Nick Akins, American Electric Power CEO:
On its face you would look at it and say distributed generation is a threat. But on the other hand we see it as an opportunity because our business is changing. There's no getting around it.
Other big utility CEOs join the chorus and soon the message is unmistakable.

Wednesday, June 5, 2013

CPUC's Villarreal is the Real Deal for Grid Security from the US States' Perspective

From cybersecurity to privacy, the Green Button and security metrics, this recent deck from the California Public Utility Commission's (CPUC's) Chris Villarreal covers the entire grid security waterfront from a (very big) state's point of view.

This is well worth your time if you're a regulator in another state, a regulated entity in any state, or you just want to get a better feel for the way this process is evolving.

Note the links on the last slide to the excellent CPUC security white paper by Chris and his security-savvy colleagues, Liza Malashenko and J. David Erickson, and to NARUC's excellent "Cybersecurity for State Regulators 2.0" guide. There are other states upping their cybersecurity game as well, but California and Texas have been the two trailblazers. Of that there is no doubt.


URL for this deck, which accompanied Erfan Ibrahim's SG Educational Series webinar:

URL for another nice write-up on the work of Chris and his colleagues, from Greentech Media's Jeff St. John:

Tuesday, June 4, 2013

Energy sector can learn from DoD's cybersecurity strengths (and weaknesses)

Last year the US DoD released a report by one of its Defense Science Board teams, and I've seen it referenced a number of times in recent weeks, especially in articles announcing our loss of the most sensitive systems design details on dozens of current and next-generation weapons systems.

See if you think this excerpt from the executive summary would accurately describe the current state at the utility you work for, or regulate, or invest in, or power your home with:
[The conclusion that we must do much better on cyber defense] was developed upon several factors, including the success adversaries have had penetrating our networks; the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems.
If you think it might, then you may find value in digging into the findings and recommendations within. I noticed this one on culture as being particularly relevant to our sector:
Individual and organizational cyber practices result in so many cyber security breaches that many experts believe that DoD networks can never be secure with the current cyber culture. The individual’s immersion in the civil sector cyber culture and the military’s focus on mission objective are the two most important contributors to DoD’s poor cyber culture. In the face of a threat that routinely exploits organizational and personal flaws, DoD leadership must develop a clear vision for the Department’s cyber culture.
It's very likely your utility is not targeted nearly as much as are the DoD's networks and systems, but I'd still say this report has lots of applicability for the way we think and act.


URL for full report: