Friday, August 30, 2013

The Things I've Seen Series: Part 1 - Utility Security Governance Boards

In the final moments of Blade Runner, Rutger Hauer's character, close to death, tells Harrison Ford: "I've seen things you people wouldn't believe."

Over the course of the next several posts I'm going to go through some of my sanitized field notes and let you see things you may or may not believe, some good, some not so good. Nothing quite as cosmic as what Hauer relates in his final moments, but it should be interesting if you're in or work with the industry.

Let's start off the series on a positive note with the formation of Security Advisory Boards. Investor Owned Utilities (IOUs) typically have a number of boards: executive, safety, governance, audit & compliance, etc. However, you can dig through annual reports and review the investor information sections on company web sites for a long time and you likely won't find much, if anything, relating to cybersecurity risk strategies, concerns or activities.

Thursday, August 29, 2013

Training Alert: SANS SCADA Security Training

By now you know the drill:
  • When: 16-20 September
  • Where: Las Vegas, NV
  • What: A hands-on SCADA Security course with over 20 exercises and labs that are performed on a portable SCADA lab that contains over 15 different PLCs, RTUs, RF, and telemetry devices. It was designed to bridge the skill sets of Control System Engineers, Technicians, and IT Security professionals.
Click HERE to learn more and register.

And use this code to save some dough when you do: SANSICS_SGSB5

Photo credit: zekedawg00 @

Tuesday, August 27, 2013

Declaration of Independence and Intent

I've been warming up and working in this space for years now, and if you've been a Smart Grid Security blog subscriber or an intermittent visitor, you may have noticed an evolution in cyber security thinking of sorts. Well, with changing the world as my goal, it's time to stop treading water and start swimming like I mean it. I just left IBM in order to bring a new type of security advisory service to energy sector organizations. Here’s a brief version of the concept:
You often hear that culture change is the hardest thing to accomplish in an organization. That may be, but to help put our sector’s cybersecurity preparations on a better course, I’m developing an approach focused on increasing organizational awareness and improving internal communications about the security issues that matter. It begins with senior leadership, extends throughout the enterprise and doesn’t stop until it reaches service providers and the supply chain. Most engagements will begin with an in-depth orientation briefing for senior stakeholders, followed by periodic meetings and dedicated hours of access so that I can be a resource whenever my input is needed.

Thursday, August 22, 2013

NERC CIPs Catching up to iPhone Version Numbers

OK, imagine an auction barker: "Bids opening at NERC version 3, do we have a version 3? ..."

"Yes! How about version 4?" Etc.

Well, according to Honeywell's NERC CIP guru Tom Alrich (of the famous, eponymous and quite helpful blog), it now appears that the next version of the CIPs to which utilities must comply will be neither version 4 nor 5 but rather version 6!

I was stunned, as were many of those in online attendance. Tom explains his reasoning on the EnergySec webcast, and much more, which you can see HERE. There's a lot of helpful information for utilities of all sizes dispensed in this hour-long piece, with some deep dives into the ramifications of high, medium, and low risk assets.

Now, depending on whether we get an iPhone 5s or 6 next month, it's clear that NERC will not allow the CIP versions to lag far behind.


I attended most of this webinar online, but hat tip to my former colleague and (hopefully) current friend, Nebraskan Dave Hemsath of IBM, for sending me the replay.


Tuesday, August 20, 2013

Motivation through Compensation: Paying Utilities to Upgrade Cyber Defenses

Now we're getting somewhere! The long submerged topic of "who should pay" for electric utility cyber security improvements has just breached the surface and is now bobbing up and down in clear daylight.

A recent article in Bloomberg documents several large US utilities' efforts to recover current and future cyber security investments the same way they get paid for other infrastructure programs: by getting clearance from their state utility commissions to approve these expenses in their rate cases.

Actually, rate payers (aka electricity customers) will pay one way or another, as they should, for the essential service that makes our modern lifestyles possible. Possible methods of payment include:
  • Absorbing the costs to their businesses and their lives associated with brownouts, blackouts or electricity quality issues stemming from successful attacks on control centers or systems
  • Paying more every month to cover some, most or all (TBD) of their utilities' cyber-protection expenses
  • Or, as Pepco CIO Doug Myers said, as cited in the Bloomberg article, allowing utilities to be reimbursed through federal grants
This concept was articulated more formally by Michael Daniel, special assistant to the President on Cybersecurity, when he included rate recovery as one of a number of cyber incentive strategies for critical infrastructure providers:
Rate Recovery for Price Regulated Industries — Agencies [DHS, Commerce, Treasury] recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.
As this blog often reiterates, we have to acknowledge and accept the costs of living in a technology-enabled world, where the impulse to cyber secure important services must become every bit as natural as physically securing our more tangible valuables.

Else, I have a nice cave I'd like to show you. And no, it doesn't have wifi.

Wednesday, August 7, 2013

First Look at Cyber Security Incentive Ideas, Companion to NIST's Framework Work

I'll oversimplify this to keep it short, but the President kicked all of this off earlier this year in wake of failed cyber security legislation efforts in 2010 (GRID Act) and 2012 (Cybersecurity Act of 2012).

The two primary vectors on this project have included:

  1. Having NIST lead the charge to develop a new cyber security framework (i.e., pattern, roadmap, guidance) made up of references to existing guidance that seem to work well. On twitter this effort is tagged #NISTCSF
  2. A parallel initiative to develop incentives that might improve the business case for being more proactive on cyber security.
The incentive categories were just made public, and so far include:
  • Cybersecurity Insurance
  • Grants
  • Process Preference
  • Liability Limitation
  • Streamline Regulations
  • Public Recognition
  • Rate Recovery
  • Cybersecurity Research
Liability and insurance are going to be the thorniest. Rate recovery, if workable, sounds promising.

You can read The Hill's coverage and the original White House text via the URLs below, as well as check out the current status and next activities related to the framework.



The Hill

White House


Monday, August 5, 2013

Joe Weiss on a New (or Newly Discovered) Risk to Substations

Control Systems security guru Joe Weiss recently wrote up his observations of a problem reported at a nuclear power facility wherein a transformer load tap changer (LTC) malfunctioned, wasn't detected in a timely manner, and could have caused trouble.

LTCs are used in ALL (Joe's emphasis) substation transformers and are designed to be remotely accessible. But his bigger point, as he wrote me separately, is that:
This incident can affect EVERY (again) electric substation - I found it because it affected a nuclear plant and an unusual event notice was issued - and [note] the word "cyber" was never used.
Key words here: "remotely accessible." Not something you want to see too often in an incident at or near a nuclear plant. You can read his full post at the URL for his Control Global blog provided below.

Also, Joe was recently quoted in an MIT Tech Review article on an attack on a water plant honeypot. You'll find a URL for that piece below as well.



Control Global

MIT Tech Review