Monday, September 30, 2013

Putting all our Cybersecurity Eggs in Technology Baskets

Attackers perform discovery, surveillance, intrusion, denial of service and exfiltration with software tools. Defenders respond with tools of their own in the domains of network security, system security, application security and data security. The "good guys" also:
  • Encrypt data in hopes it will remain secret in transit and at rest
  • Patch and patch and patch and patch applications and OSs
  • Pen test to see if they can find and fix weaknesses before the attackers do
  • Monitor and inspect network traffic and analyze logs for abnormalities
  • And oh so much more ...
Organizations spend millions on defensive technologies, purchasing and/or subscribing, deploying, integrating and updating, and yet CISOs still have no dependable process for demonstrating to senior utility leadership the amount of cyber protection they're adding or, put another way, the amount of business risk being accepted.

Recently we've seen the DoE and NRECA announce seed grants to help suppliers perform R&D for new technological solutions to cybersecurity challenges facing utilities. Some of these may prove useful to utilities, suppliers, and their services organizations.

Now I almost never use bold, italics or underlining for emphasis. I prefer to let the right words do the work.

But none are likely to substantially address the fundamental issue that cybersecurity threats are a hard-to-quantify risk to business, have human origins, and that improved human awareness and behavior can drive better outcomes in ways everyone can see and understand.

NERC CIP-004: "Cybersecurity - Personnel and Training" calls for humans who have access to critical cyber assets (CCAs) to have appropriate security training and awareness. But the CIPs cover only a very small part of the grid, and as we've seen, it's not just the folks who touch CCAs who can cause significant damage to an organization through their wrong actions ... or wrong inactions.

There are technology products that aim to effect improvements in human behavior (e.g. PhishMe). And there are universities and training organizations galore, some of them even beginning to add industry-specific operational technology (OT) content to their cybersecurity instruction.

And yet many utilities and the government organizations that seek to guide them continue to look almost exclusively to technology to save the day. Here are two things you can do to begin to flesh out the people pieces:

1) Look at the org chart. Look at how involved and cyber-aware the board, the CEO, CFO, GC, etc. are. You could certainly argue they have bigger (or at least other) fish to fry, but if they knew a little more they might well move cyber threats a bit higher up on their ladder of strategic risks to reliability.

2) See how the CISO is empowered, where he/she sits in the organization, how often he/she briefs the board and corporate officers, and whether he/she has authority to set and enforce security policy enterprise-wide.

There's a lot more of course, but the closing pedantic message of this post, before it sprawls too long, is: don't short the human part of the cybersecurity equation. Humans are the problem, and humans can and should be a much bigger part of the solution.

Photo credit: JS @

Tuesday, September 24, 2013

Several Scenes from EnergySec Summit 2013

Click for much Gibber ... I mean, bigger
Was in Denver not far from flooded Boulder last week at the 9th annual EnergySec Summit ... my first.  I'm sure we'll be seeing more articles and posts from EnergySec scribes and some of the other 150 or so attendees soon, but wanted to get my observations out.

I missed a number of presentations due to a mid-day arrival on Wednesday and missed a few others to field a few intermittent phone calls, but got to hear most of them (my apologies to speakers not covered below).

First off, Patrick Miller and Steve Parker, EnergySec Presidents past and present, were both outstanding ringmasters and herders of wandering speakers.

Monday, September 16, 2013

A Novel Approach to Grid Cybersecurity Awareness

Not long ago I was in a meeting with the CIO of a large electric utility and when I inquired as to the cybersecurity awareness of the board of directors, was told it had recently skyrocketed.

Why the sudden shift I asked?  Had the company just endured a serious and/or highly public breach? Nope, things had been mercifully static on that front. A classified threat briefing by DHS? No, not that either. Well, what was it then?

Apparently one board member had read the latest Tom Clancy book, Threat Vector, and once exposed to Clancy's fictional vision of how the US could be brought low through largely cyber means, it changed his thinking. It spoke in language he could understand, and captured his imagination too. It soon spread to the rest of the board.

Now comes former Senator Byron Dorgan with a cautionary novel of his own, and this one is much more grid-centric, from the title on. I later read Threat Vector myself ... 900 pages or so if I remember right, looking for power sector specific attacks and breaches and they were few. I've read some of the reviews of Gridlock, though, and in it the US grid is front and center and not doing so well.

Dorgan and co-author David Hagberg don't have anywhere near Clancy's readership, not close. But if an executive in your company were to happen upon a copy, well, apparently it's quite a page turner, and you might have a new, more cybersecurity-aware board to work with in a few weeks.

Monday, September 9, 2013

Conference Alert: EnergySec and NESCO Town Hall Next Week

Ok, so usually I'm giving a heads-up about some conference or seminar you might want to know about, or even attend. But this time I'm saying that, but also revealing I'll be there too.

And I note, in the town where Peyton Manning recently threw 7 TD passes in one game and one can easily procure Rocky Mountain Oysters, I'll be joining luminaries from industry and a number of utilities too.

Here are the deets:

  • Where: Magnolia Hotel, Denver, CO
  • When: 17 - 19 September, 2013
  • What: Lots of stuff. Agenda HERE
  • How: Easy. You can still register HERE

For your edutainment, I'll be moderating a town hall style discussion about the current state and future of the cyber security workforce in the energy sector. We'll be considering full life (as in human life) cycle issues, from birth to tablet training, from kindergarten to college curriculum, from entry level security practitioners to ICS forensics wizards and all the way up the managerial stack to CSOs and CISOs.

Hope to break some new ground and capture some new ideas we can share with all and will do here on the SGSB during and/or right after. Will also tweet whenever possible using the hashtag #ess13.

Hope to see some of you there!

Photo credit: Daily Mail online

Thursday, September 5, 2013

The Things I've Seen Series: Part 2 - Execs Exempted

Last week I posted on an encouraging trend I witnessed over the past 2 years: the emergence in some utilities of security governance boards composed of security and privacy leaders, often a rep from legal or compliance, and senior stakeholders representing different business lines. Soon after it went live, I received multiple corroborations from friends in the field who have seen the same thing in their patches. This is all goodness.

But there are other, less uplifting trends you should be aware of if you're not already. I've seen senior executives who have not once met with their cybersecurity leaders and who feel they have no reason to do so. I've had senior state regulators tell me that they haven't really thought about cybersecurity until very recently.