Thursday, October 31, 2013

Because Exercise is Good for US, GridEx II is Coming

In case you've been wondering what kind of shape our North American grid incident response and information sharing system is in, now's your chance to find out.  You can click HERE for more details on what's coming up and register to participate if you're an asset owner or one of the other types of orgs that have an official role to play.
  • When: 13-14 November
  • Where: North America
  • Dress: Business Casual
While you're here, here are a few other items of possible interest:
  • You can read a decent GridEx II intro HERE, from the NYTimes
  • Findings and recommendations from the first GridEx begin on page 10 of the After Action Report
  • Click HERE for news on a recent disruptive control system cyber attack on a tunnel traffic system in Israel

Monday, October 28, 2013

Wrap Up: The 13th Annual ICS Cybersecurity Conference

Another Industrial Control Systems Cybersecurity conference is behind us and, as usual, as documented by founder Joe Weiss, there were signs of a slow awakening to the importance of this topic, mixed with persistent inertia.

You can read highlights from the first two days HERE, and Joe's final day summary HERE.

It was nice to hear that my friend (and very good guy) Johan Rambi from large utility Alliander (based in The Netherlands) was playing such an active role.  And this note below reminds everyone that ICS security is not only an energy or power sector problem.  As Joe tells it:
Jeffrey Smith from American Axle gave a great presentation about how they have secured (or very significantly improved security) in their factories world-wide. What I felt was so important is their focus was on productivity and worker safety. Security was simply a threat that needed to be addressed so they could operate safely and efficiently.
This is reminiscent of others who point to the two goals one finds most highly valued in a power co, reliability and safety, and urge the security community to tie physical and cybersecurity tightly to those domains from messaging and business case perspectives.

Security practices are funded and run not merely to check compliance boxes, but to give businesses and government orgs Confidentiality, Integrity, and Availability (CIA) for their systems, networks, apps and data ... so they can continue to pursue their missions with confidence and efficiency.

Or to call out a potential ICS-specific update to the perennial security triad the conference produced: adding O for Operational Controls.  For this very important and highly specialized domain, it might make sense to reverse the prioritized order of CIA and get the O in there too: AIOC.  Ayy-Awk.

Wednesday, October 23, 2013

Webinar Alert: Energy Sector Learning to Speak a New and Secure Procurement Language

Hat tip to UTC's Nadya Bartol (Twitter @NadyaBartol) for the heads-up on this upcoming webinar to unveil a draft document as follows:

Title: Cybersecurity Procurement Language for Energy Delivery Systems
Project Description: This effort seeks to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector. Updated language for the energy sector can aid in addressing some of the evolving challenges by helping asset owners, operators, and suppliers establish a baseline of minimum cybersecurity requirements.
When: Monday, October 28, 2013 @ 3:00 - 4:00 PM EDT

Register: HERE

For more info on this effort: click HERE

POC: Eric Wagner at

Saturday, October 19, 2013

Conference Alert: FIRST Energy Symposium - Energy Sector Incident Response

Sorry for the late announcement, but in the spirit of better late than never ...

In cooperation with ISC2, ICS-ISAC and EnergySec, the Forum of Incident Response and Security Teams (FIRST) brings you its first energy sector focused event.

As the FIRST folks put it:
This conference will bring together computer security incident response and security team professionals from all over the world and provide a forum for experts to promote, share, and discuss issues relating to developments in the field of Incident Response relating to the Energy Sector.
When: 28 + 29 October, 2013

Where: Lansdowne resort, Leesburg, VA (Not to be confused with Lansdowne Street in Boston)

To register: Click HERE (Save $100 using this code: Energy13)

BONUS: the agenda shows presentations by Jack Whitsitt and Chris Blask. If you don't know them, they are two of the more brilliant and idiosyncratic personalities in the business.  Worth the price of admission alone, IMHO.

Wednesday, October 16, 2013

Special Conference Alert: Risk Management-Focused NARUC Annual Meeting

This NARUC Annual Meeting is called "Managing Risk: Protecting Consumers and Critical Assets" and yours truly will have the honor of participating as a panelist.

As per usual, here are the basics:
  • Where: Orlando Hilton Bonnet Creek, FL
  • When: 17-20 November 2013
  • To Register: click HERE
Here's a press release for more flavor, and here's the agenda.

The Sunday afternoon panel I'm on is called: "Risk Management in Action: Challenges and Opportunities for Implementation", and here's the narrative description of what we'll be discussing:

There’s a lot of talk about the benefits of risk management processes to address cybersecurity, but how familiar are we with the actual implementation of these processes? Come hear panelists discuss the resources necessary to implement and maintain risk management processes for cybersecurity of our critical infrastructure. What are the bottom line impacts on owners’ and operators’ resources for implementing risk management? Hear from subject matter experts about the opportunities and challenges.

Should be great.  Hope some of you can make it.


Tuesday, October 15, 2013

Job Posting: Senior Power Systems Strategist

If you have ICS engineering credentials, you're not already in Idaho, and you want a change, can you picture yourself in Idaho? Or maybe you know someone qualified, and would be happier if they were in Idaho?

Either way, there's an opening at Idaho National Labs (INL) and if you could help fill it, one way or another, I'll be happy to give you contact information and mail you the full position description upon request.


From DOD Energy Blog: Time for a US Oil Change?

Navy refueling at speed
To grid heads no other incident did more to change our business than the great Northeast Blackout of 10 years ago; it's a big reason there's such a thing as the Smart Grid Security blog. But I'm cross-posting this from DOD Energy blog as it reflects on the singular most important energy event in some of our lifetimes. One which changed the nation, changed the global economy, and continues to reverberate 30 years after.

On the heels of last week's post on China surpassing the US to become the biggest importer, two recent articles ponder oil's place in our world, particularly in light of how it was used as a weapon against the US during the Arab-Israeli War.

The first, Does OPEC Still have the US over a Barrel? brings the events of those days back vividly. If you're old enough, this will conjure up a scary memory. If you're young enough, this may sound like a Tom Clancy (RIP) novel, but it was far too real for those managing the crisis in 1973:
“I’m sitting at my desk at the Pentagon,” recalls James Schlesinger, then secretary of defense, “and a cable comes in, and it reads: ‘In accordance with the orders of His Majesty, we are obliged to cut off all oil supplies to your 6th Fleet and to your forces in western Europe. Signed [Saudi oil minister] Zaki Yamani.’ ”

Friday, October 11, 2013

Moving Beyond Technical: Use Security Governance Strategies to Integrate Security with the Mission

If like me you've come to the conclusion that a tech-centric strategy can only get us so far in energy sector cyber risk management, then you might want to see some of the source materials I've come across in my explorations.

The two I'll point to in this post are from Carnegie Mellon University's CERT program and PricewaterhouseCoopers' cybersecurity consulting practice.  What they have in common is that they are both several years old.  This is not VC or DARPA-funded cutting edge stuff.  It's human behavior stuff, and as such, it's not on an upgrade path anything like iOS, Android, or "Next Generation" firewalls. But neither are these concepts rapidly deployable, as you'd be hard put to find them put into practice widely at many utilities in 2013.

Tuesday, October 8, 2013

Heads-Up: The 2013 ICS Cybersecurity Summit is Closing In

We talked about this conference and many of its concerns a few weeks ago at the EnergySec Summit, and among other things, got a great presentation showing how one utility has built and gotten great value from its OT security test-bed.

There's going to be a talk on test-beds plus a bunch of other great presentations at the annual "Joe Weiss" summit, so if you have interest, and the ability to get there,  I highly recommend you do.

Here are the basics:
  • Dates: 21-24 October 2013
  • Venue: GTRI Conference Center, 250 14th Street NW, Atlanta, GA 30318
  • LINK for more info and to register
Photo credit: Jomi Thomas Mani @