Rapidly Approaching Training Alert: SANS Control Systems Security

Depending on where you sit at the cyber security table, this might be for you or someone in your org.

Here's how the SANS folks describe it:

A rising number of cyber threats impacting industrial systems have increased the urgency to address security challenges for Industrial Control Systems. Learn how to develop an effective and comprehensive cyber security strategy and equip yourself with the technical know-how and skills to apply in these unique applications. Cyber security is an important element to achieve highly reliable and safe operations. SANS Hosted ICS training courses equip both security professionals and control system engineers with the knowledge and skills they need to safeguard these important systems.

Available classes: SCADA Security Training, Critical Infrastructure and Control System Cybersecurity, and Assessing and Exploiting Control Systems

OK now the details:

• What: SANS Industrial Control Systems Training
• When: 12-16 August 2013
• Where (Generally speaking): Washington DC
• Where (More specifically) : the Westin hotel in Georgetown

You can register here: http://www.sans.org/event/ics-security-training-washington-dc and if you use this code you'll get a discount: SANSICS_SGSB5

Major SPIDERS (DOD Secure Microgrid) Update

This post just in from Mr. Harold Sanborn, Program Manager at Construction Engineering Research Lab (CERL), US Army and technical manager for the SPIDERS Joint Capability Technology Demonstration (JCTD).  I've removed most of the defense industry speak from a longer version you can find on the DOD Energy Blog.  FYI SPIDERS = an ongoing DOD distributed energy program and the acronym stands for Smart Power Infrastructure Demonstration for Energy Reliability and Security. ab

Here's Harold:

SPIDERS Phase I has finished the "history tour" as we codify and publish the lessons learned.

SPIDERS results demonstrated additional capability for Joint Base Pear Harbor Hickam, including:

• Synchronizing with the utility service power signal while pushing electricity back on to the base distribution system
• Operational viewing of other circuits in the substation in addition to the one controlled by the micro-grid, and
• Power factor improvements and the opportunity to test generators at load

SANS cyber security awareness training for eager utility employees ... and their regulators

I recently stumbled upon some excellent online training materials from the well respected SANS Institute that could be quite useful to you and your organization.

In a series of online modules, many of them tailored to the particular needs of utilities, SANS "Securing the Human" courseware seems to be an easily digestible, self-paced way to get important cyber security awareness messages across to a large number of users.

Note: NERC CIP content here is constructed around version 3, so with newer versions now approved by NERC and FERC, SANS will want to update certain modules accordingly. But 99% of the material is right on the mark, and would be appropriate for electric sector personnel outside the US as well.

Wherever you fit in the ecosystem, whether you're an executive or a rank and file worker bee, whether you're in a utility, a regulatory agency, a vendor, or just a user of digital technology who wants to stay safe, recommend you check it out.

---------------

SANS URL:

http://www.securingthehuman.org/utility/index

RFP Alert: Security Advisor Sought for New England Utility Commissions

No sooner had I posted on the need for more state utility commissions to ensure access to quality cyber security guidance, when an RFP with this exact goal in mind came across my desk (figuratively speaking). So without further delay, your attention please:

The region of 6 northeastern US states collectively referred to as "New England" and boasting the highest per-capita concentration of Dunkin Donuts is seeking one very well qualified energy and cyber security professional to help guide them for a six month period commencing in mid September.

The New England Conference of Public Utilities Commissioners, Inc. (NECPUC) has issued an RFP for which responses are due NLT 5 pm August 8, 2013. I provide the URL to the RFP below but to save you an unnecessary trip, here are the qualifications required if you or your small firm want to even be considered for the job:

• Background and knowledge of utility sector industrial control system and business operations
• Knowledge and expertise in computer systems security and related physical security issues
• Certified Information Systems Security Professional or similar computer security management certification preferred
• U.S. Government security clearance of “Secret” or higher preferred

To Secure Your State Grid, First Know Your Public Utility Commission (UPDATED)

19 July 2013 UPDATE: Significant clarification just in from Terry Jarrett, Commissioner of Missouri's Public Service Commission and Chairman of the Committee on Critical Infrastructure at NARUC:

Actually, the NARUC Critical Infrastructure Committee's main focus has been cyber security for the past two years that I have been chairman. Last fall at our annual meeting, incoming NARUC president Phil Jones declared cyber security to be one of the themes of his presidency. To say that cyber will be given more attention in Denver than in the past simply is not factual. 

Thank you Terry.  I'll leave the original post below intact so you can see to what Terry was referring, but please keep his clarification in mind as you do.  ab

-- -- -- -- --

The Advanced Energy Economy Institute (AEE) has a great new site for helping you navigate your way around any of the 50 US states' energy landscapes, including commission leadership, energy portfolio mix, legislation and more. One topic you won't read much about, however, at least not without doing some substantial digging, is cyber security preparedness.

As readers of the SGSB may recall, we've done shout outs to California and Texas, both states having cyber security knowledgable professionals on their Public Utility Commission (PUC) staff, and there are a couple of other states now similarly equipped. Many other states, however, haven't yet made a modest level of cyber security capability a requirement.

With the Business Roundtable (BRT) issuing guidance earlier this year for how organizations should better organize themselves to meet the rising cyber security risks they face, to a recent report drawn from mega-insurer Lloyds of London's survey of CEOs and Board of Directors at the world's top companies showing they now consider cyber security among the top three risks facing their companies, you could say it's well past time for all organizations, and particularly those with public authority and responsibility like state utility commissions, to ensure they are well informed.

Lastly, you should note that the national body representing the interests of state commissions in Washington, NARUC, has demonstrated excellent leadership producing not just one, but two versions of practical cyber security guidance for commissions in the past year. NARUC will be holding its annual summer meetings in Denver next week and I understand cyber security is going to be given much more attention than it's received in the past.  Hmm, maybe this is a good chance to jump-start your commission's cyber security program ....

NIST Thinking about Cyber Security for Critical Infrastructure Company Boards and CEOs

I just returned from the beautiful UC San Diego campus (hmmm, if only I could travel back in time and attend this school instead ...) where NIST assembled hundreds of cyber security (and other) professionals to advance the initiative known as the Critical Infrastructure Cybersecurity Framework, or CSF for short.

So far some are happy with progress made and some are quite the opposite. I think a little more time will have to pass and we'll have to see what comes out of the NIST oven ahead of the final workgroup session coming up in Dallas.

NIST Critical Infrastructure Cyber Security Framework (#NISTCSF) Effort Steaming Ahead

Five hundred souls or so are expected in sunny San Diego this week for the 3rd round of meetings intended to produce new cyber security guidelines for operators of US critical infrastructure.

This article gives you the most recent update on status including cares and concerns related to privacy, business case, and getting senior management buy-in to even consider following this framework in the first place:

http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/nist-meeting-poses-major-test-for-obama-cybersecurity-push/menu-id-1075.html

It references this DHS doc from earlier this year that attempts to pave the way for CEOs to become more engaged in their organization's cyber security efforts, called Cyber Security Questions for CEOs:

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

Lastly, if you want to see more of the process without actually getting your feet weight (or getting on a west-bound plane) here are a few resources for you:

The emerging framework itself: http://www.nist.gov/itl/cyberframework.cfm

Details on the San Diego workshop: http://www.nist.gov/itl/csd/3rd-cybersecurity-framework-workshop-july-10-12-2013-san-diego-ca.cfm

Live webcasts of the proceedings can be viewed via these URLs:

Day 1 (Wednesday) Webcast: http://www.youtube.com/watch?v=3hJww5_BDSQ
Day 2 Webcast: http://www.youtube.com/watch?v=SLVW0vFw0gI
Day 3 Webcast: http://www.youtube.com/watch?v=-9hORcAcXNA

I'm flying out today, along with a few of my IBM colleagues. Looking forward to seeing some of you there.

Photo credit: The San Diego Union-Tribune

Super Cyber Security Reading: 2Q ICS-CERT Monitor

Unfortunately, the Energy Sector wins this competition over last 12 months

There are few publications you can read that will tell you more about the current state of cyber awareness and attacks on critical infrastructure orgs and systems than this than the Monitor.