Tuesday, December 17, 2013

Whitsitt on What's Up with the NIST CSF

Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF), but it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.

It was penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.

Monday, December 16, 2013

Security at the Edge of the Grid


We used to be very concerned about traveling too close to the edge of the world, remember? Then some smart math and science guys figured out, surprisingly, that Earth has no edge, so we were free to move about the globe.

Now as we approach the end of the beginning of the Smart Grid era, what began as an initiative to add visibility, flexibility, and yes, smarts all over the grid is now seeing change accelerate close to the points of consumption.

Of course, amid all the excitement about innovation in distributed generation, distribution automation, energy efficiency, demand management, microgrids, storage, etc., one could forget that there's some basic housekeeping to attend to in the categories of power regulation and security.

The former, which includes maintaining the quality of electricity and keeping dangerous phenomena like harmonics in check, has been the province of utilities and ISO/RTOs, and that's not going to change. Ever increasing percentages of distributed generation are, if anything, going to make utilities' capabilities in this area even more essential to safe and reliable power delivery.

The other housekeeping item, now that it's 2013/2014 and not 1963/1964, is that all the new edge devices have several attributes in common:

  • They send, receive and store data
  • They constrain access to their data and/or services to certain other systems
  • They receive control signals, sometimes from humans (think: iPhone apps) and sometimes from other systems (think: Nest thermostats)

Of course this is an oversimplification, but astute readers will notice that the integrity of all of these activities depends entirely on capabilities from the security domain. My job as part of Greentech Media's new Grid Edge Executive Council (see my humble logo above nestled among the titans) is to ensure that less-than-sexy security attributes are baked into the functional requirements of all the new products that plan to participate in this edgy arena.

That way, when 2023/2024 arrives, we'll be powering our homes, businesses and country with power we can depend upon.

Thursday, December 5, 2013

Beroset on AMI and Smart Meter Security Considerations - Late 2013

Ed Beroset is the Director of Technology and Standards at Elster, one of the main smart meter makers, and I've had the good fortune of meeting him on several occasions when we both had speaking duties at grid security conferences. In his case, the tech director is also the security strategist and spokesman.

Recently, as I've started to prepare myself for work with Greentech Media's Grid Edge council, I wanted to check up on the current state of security thinking around AMI and smart meters.

Lo and behold, here's Ed, who has just put it down in pixels with 3 questions to ask yourself, along the lines of what you are protecting and why, and 7 to ask your vendors. In the latter category, I particularly like #1 and the advice that follows:
What security measures does your system employ? 
Don’t settle for vague or imprecise answers to this question. Any reputable vendor will be able to give you a clear and detailed answer. Furthermore, don’t accept the excuse that the security measures are proprietary and top secret. As any security expert can attest, in modern systems, it is not a secret algorithm, but a secret key, that ensures security.
This may be more advanced than your typical energy sector start-up is ready for, or needs to be ready for, but it's a good example of the type of scrutiny that mature product suppliers like Elster have come to expect as a matter of doing business with increasingly security-aware customers.

You can read the full article HERE.