Monday, November 17, 2014

Energy Security Postscript and Next Chapter

Long-time readers of the SGSB might have wondered if they'd ever see another post. Me too. After producing an average of 1+ posts per week since its inception 5 years ago, I cut way back after leaving IBM in 2013 to give myself more time to focus on consulting. And now there's a new development to report.

Four months ago I shuttered my security strategy business and began my first day on the job at Idaho National Laboratory (INL). It's one of the Department of Energy's national labs, and it's the one most squarely positioned at the intersection of energy infrastructure and national security. Let's call that energy security.

My INL title, Senior Cyber & Energy Security Strategist, may sound a little pretentious, but it pretty accurately captures what I was hired to do. If you visit the lab's home page or the INL Twitter feed it seems like nuclear energy research and related nuclear work are its dominant activities. But while nuclear energy research and fuel fabrication were its origin in the 1940s and its historic mission, with the help of its massive and remote test range that includes grid-scale transmission, distribution and communications assets, the lab I just joined does a ton of research and applied work on power and industrial control systems, Smart Grid and wireless communications, cyber and physical security and resilience, renewables, microgrids, energy storage and more.

Nuclear energy R&D and full nuclear fuel lifecycle work (including non-proliferation) will always be a significant part of the nation's requirements and of the INL mission, and nuclear energy is arguably the most reliable portion of our non-fossil-fuel baseload. But INL is quietly becoming something much more, and more important, than its nuclear legacy might suggest.

Without going into too much detail, the lab's customers now include not just DOE's nuclear energy organizations, but also DOE's renewables, resilience and cyber-physical security components too. DHS has become a major customer, as the lab hosts the ICS-CERT cyber security overwatch function for the US grid and other critical infrastructures, and performs other leading edge cyber and physical security roles as well. DoD is a very large customer too, for energy, security and communications test functions, rounded out by direct work with utilities and energy and telecom technology suppliers.

In short, INL in 2014 is not the lab many people think it is. While it's yet to update its image online, a visit to Idaho Falls quickly confirms that this is one of the nation's preeminent Energy Security lab resources. Nuclear energy is and likely always will be a key element, but without making much noise about it, INL has become so much more, and I'm very very lucky to be a part of it.


Postscript to the Postscript post: Though my blogs are in suspended animation, I continue to speak in public, and, albeit more frequently and tersely, on Twitter @andybochman. As the Twitter profile reveals, I continue to work out of my home office in Boston while hitting the road most often for DC, and of course, now, Idaho.

Monday, June 30, 2014

Get Schooled on ICS Sec by SANS at SERC in Charlotte

Here are the facts, just the facts:

Legendary cyber training institute SANS has joined forces with industry leaders to equip security professionals and control system engineers with the cybersecurity skills they need to defend national critical infrastructure.

Course name: ICS410 -- ICS/SCADA Security Essentials 

Course description: ICS410 provides a set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.

The discount: Receive a massive 5% off with discount code: SANSICS_SGSB5

Venue and date: SERC Reliability Corporation, July 14 – 18 in Charlotte, NC

Friday, June 20, 2014

Calls for Enhanced Enterprise Security Governance Starting to Steamroll

Though I've been approaching this issue from a sector-specific perspective for years, lots of what's been in the news lately (and I mean lately) is intended for all technology-enabled sectors. Which pretty much means every business and every organization that intends to maintain consistent and reliable operations in the near and mid-term future.

First off, and with origins that predated the Target breach that's credited with generating most of this activity, was DOE's Electricity Advisory Committee giving a thumbs up in May to a paper on security governance. It proposes that DOE pursue potential upgrades to how energy companies organize and run themselves from a security perspective. Titled "EAC Recommendations for DOE Action Regarding Implementing Effective Enterprise Security Governance - Outline for Energy Sector Executives and Boards," among other things, this paper lists the following "Characteristics of Effective Security Governance":
  • Clearly defined responsibilities from the board of directors to senior leadership to employees
  • Presence of an active Security Governance board comprised of senior stakeholders from across the company
  • An executive owner of enterprise security, with purview over IT, OT and physical security policy: a designated CSO or similar
  • Striving for 100% alignment of security with business/mission
  • Using measurement of key indicators to increase awareness and drive improvement (with maturity tools like DOE's ES-C2M2)

Friday, April 18, 2014

New England (and Connecticut in Particular) Showing PUC Leadership on Security

NARUC has been issuing cybersecurity guidance to the 50 US public utility commissions (PUCs) since 2010, and NASEO has been guiding other state government organizations. California's PUC has been very active, showing leadership with its multiple publications on security and privacy. Until recently, PUC Texas had a true cybersecurity pro on staff.

But now I'm going to tell you about my part of the world: New England. Last fall the organization that brings the six northeastern PUCs together, NECPUC, put out an RFP for security consulting for the six and some of their utilities. EnergySec won it, and I've heard only positive news about what that six-month engagement has produced. In addition, the Massachusetts AG recently released an RFP seeking third-party evaluations of the cybersecurity preparedness of the distribution companies serving the state.

Monday, March 31, 2014

Security Governance Ripples from Target Breach

You know the saying: if you want a different result, best not to keep doing the same thing. In this case, the result was the massive data breach involving the loss of records of 40 million customers at mega retailer Target.

In its wake, CEO Gregg Steinhafel stated that he is "elevating the role" of its chief information security officer and hiring outside the company to fill the position. According to this NY Times article from early March, bringing on a new CISO will help Target centralize the company's security responsibilities.

And while the timing is coincidental, I owe Schweitzer Engineering Laboratories' Sharla Artz thanks for pointing out that Wisconsin-based electric utility Alliant Energy Corp just made a similar move. For me, there are several promising parts to Alliant's announcement at the recent EnergyBiz conference that it had just:
Created an executive-level opening ... for overseeing cyber and physical security. The position was designed to bring cyber issues out of the weeds of the IT shop, where CEOs generally don't tread.
What I like best about this is:
  • The company didn't have to endure a huge security incident to justify this change to the org chart
  • The position is clearly not going to be buried in an IT silo, so it should have authority to set security policy across IT and OT
  • Reflecting a convergence that's happening in many energy enterprises, this new security exec will oversee both cyber and physical security
Hopefully we'll see more utilities make similar moves ... and soon.

Image credit: Michael Durham at

Wednesday, March 26, 2014

An Eerie and Early Visualization of the Internet of Things (IoT)

I've got a short story to recommend to you. It's cerebral without being overly literary. It's got action, though no cyber-physical grid attacks. There's no shooting. No lives lost. No outages. But is there ever a lot going on! In fact, I'm pretty sure it's a parody of sorts of what may be coming our way in the not-very-distant future.

Titled "Water," it was published last year by author and futurist Ramez Naam.

Here's what the ad-free, neural-implanted main character experiences walking down a street in NYC:
Civic systems chattered away. The sidewalk slabs beneath his feet fed a steady stream of counts of passers-by, estimates of weight and height and gender, plots of probabilistic walking paths, data collected for the city planners. Embedded biosensors monitored the trees lining the street, the hydration of their soils, the condition of their limbs. Health monitors watched for runny noses, sneezing, coughing, any signs of an outbreak of disease. New York City’s nervous system kept constant vigil, keeping the city healthy, looking for ways to improve it.

Wednesday, March 19, 2014

A Social Summary of SANS ICS Security Summit 2014

Since I went solo there's been less time for blogging, but I hope to catch up a little with this mega post on the just-concluded 9th annual SANS ICS Security Summit, which took place in the Contemporary Hotel at Disney.

Where I can I'll include Twitter IDs, as for many of us, Twitter is how we stay abreast of what we find interesting and what we're thinking about in between real world meet-ups. (Note: I only include these when they're unique to the individual and not shared by a company or org.)

I won't cover all the talks because I didn't attend all of them, and I apologize to those presenters I don't cover here. Nor was I at "Game Night" (though I wish I was) which from what I heard later was a fantastic and grueling hack-fest that extended into the wee hours before champions finally emerged.

Wednesday, March 5, 2014

Energy Firms Not Ready for Cyber Insurance?

Or so says corporate underwriter and veteran cyber insurance provider Lloyd's of London, in a BBC article last week:
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out. Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.
Sadly, as the article goes on to say:
After such checks were carried out, the majority of applicants were turned away because their cyber defenses were lacking.

Tuesday, February 25, 2014

Where do Today's Electric Utility CEOs come from, and what do their Origins Mean for Grid Security?

I remember once thinking, naively perhaps, that most utility CEOs must have come up through the ranks, like generals in the military, with hands-on operational engineering experience garnering them the respect of their peers and subordinates along the way.

When I shared that concept last year with a 40-year industry veteran who'd done his time in generation and T&D, he schooled me, saying that while that used to be the case, it's not the norm today. He said more often you'll find someone with a finance background, often imported from sectors outside power.

Friday, February 21, 2014

Thoughts on "Risk and Responsibility in a Hyperconnected World"

Hat tip to Tim Dierking of Aclara for spotting and forwarding this January 2014 World Economic Forum / McKinsey report: "Risk and Responsibility in a Hyper-connected World." Tim pointed to a couple of excellent sections on cyber resilience and future scenarios which you'll find within, but I'm going to call out a different selection for your immediate consumption.

What follows is taken directly from the McKinsey summary, which, while not energy-sector specific, is right on the money, IMHO, on the culture, leadership and organizational dynamics aspects of what's needed to do security right in 2014 and beyond. Here you go:
A CEO-level issue 
Given the trillions of dollars in play, the stakes are high. And given the range of social and business issues that cyber resiliency affects—for example, intellectual property, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction—it can only be addressed effectively with active engagement from the most senior business and public leaders. 

Sunday, February 16, 2014

DOE's C2M2 is Growing Up Fast

There's been a ton of work accomplished since DOE handed the C2M2 flame to former FERCer Jason Christopher. This program has now been leveraged at hundreds of enterprises and gives you three flavors of Cybersecurity Capability Maturity Model (C2M2) to choose from.

You can download any/all of the models right this minute if you are so inclined:

In addition, there are a number of new supporting resources for organizations at some stage of the C2M2 consideration or implementation process:

  • C2M2 FAQ - helps answer whether or not a C2M2 self-assessment is right for your organization (ab: sounds a little too much like a Cialis commercial to me)
  • C2M2 Facilitator Guide - provides step-by-step guidance for organizations that want to perform their own internal self-assessments (with or without a third party)
  • C2M2 toolkit for all three models (electricity, oil & natural gas, and sector-neutral), based on MS Excel and Word so it can be used by any organization. (Toolkits are provided by request only; email for more information.)

Lastly, this just-released bulletin tells you how DOE, NIST and DHS see the C2M2 and the Critical Infrastructure Security Framework (CSF) playing complementary roles.

So much good stuff.  Between all of the above and the Olympics, this should keep you off the streets and out of trouble until Spring finally shows up.

Wednesday, February 12, 2014

Please Remain Calm: My Metcalf Substation Physical Security Take-Aways

Valentine's Day update - Two more good links have surfaced for you since I wrote the original post a few days ago:
  • PBS interview with Jon Wellinghoff and Mark Weatherford
  • A third WSJ article, this one largely a counterpoint to the more FUD-oriented first one

It's been nearly 10 days now since the Wall Street Journal published its big story on the attack on a transmission substation outside Silicon Valley in California. Since then, the media, keying on words like "assault," "military-style" and "terrorism," have had a pre-apocalyptic field day.

So in my own way, I've been running a counter-alarmism campaign when speaking with the press as well as with infrastructure security experts about to go live on one of the hysterical "news shows."

My main points are:

  • This attack was significant but it didn't cause a blackout
  • So be concerned, but don't overreact
  • You can thank the hard work and preparation by Pacific Gas & Electric (PG&E) for at least 2 things: 1) rerouting energy flows so there was no perceptible customer impact despite the loss of many transformers, and, 2) getting the substation fully back on line within one month
  • This was a great opportunity for utilities to refresh their physical security policies, and that's what they're doing right now
  • Utilities are already taking concrete steps to deter this type of attack, including: erecting screens or walls to block a would-be shooter's view of his/her intended targets; inviting citizens living near substations to call their utilities if they see something suspicious, in the spirit of the "if you see something, say something" transit security campaign; and looking at the transformer stockpiling and loaner program

Wednesday, February 5, 2014

Security and other Notes from a Cold Distributech 2014

Cross-posted from the new Bochman Advisors' Blog.

What a wonderful thing a Distributech is. Held alternately in San Diego and San Antonio, the vibrant but relatively conservative host communities are a near perfect match for the demographics it attracts in the dead of winter. What I'm saying is it's warm but it's not a jungle ... it's not Vegas, there's no Hangover.

This one, my fourth, was in San Antonio, and unfortunately, thanks to the Polar Vortex, or Son of Polar Vortex, it was too cold to sip cocktails by the River Walk, or run along the River Walk, or really to do anything outside besides hurry to the next dwelling. Suffice it to say, most attendees, remembering balmy Distributechs past, did not bring the right clothes, and I for one left with a parting gift of H1N1.

Thursday, January 23, 2014

Announcing a Blogging Slowdown as a New Energy and Security Business is Born

Dear Reader,

You may have noticed the number of posts has tapered off lately on the Smart Grid Security Blog. I've got to tell you that it's not from lack of interest or diminished activity in our space ... far from it.

Rather, since I departed IBM last September I've been working overtime putting my consulting business together. I've now reached the point where my focus is set, my offerings are defined, and my first partners and customers have emerged.

That means the taxiing period is over and it's time to push the throttle all the way forward and lift off ... hence, less blogging on the SGSB, at least for a while.

The new business is called Bochman Advisors, and as you'll see when you visit the NEW SITE I just built, it immediately identifies its focus as "Strategic security consulting for the energy sector." So far, this is working out as helping security companies get smarter on energy matters, and energy companies do better with security.

Monday, January 13, 2014

Conference Alert: SmartSec Europe 2014

There's not much time left, but here's an exciting conference if you're not going to Distributech in San Antonio but still want to visit a historic city with picturesque waterways.

Location: Amsterdam
Dates: 29-30 January 2014
For more info, click HERE
To register, click HERE

Bonus #1: My friend Johan Rambi and grid security superstar Annabelle Lee will be speaking

Bonus #2: All SmartSec attendees are invited to stay on one more day to help set the course for Europe's new ISAC and situational awareness organization, DENSEK. It convenes at 1000 hours on Friday the 31st at the same venue.

And in case you're wondering, DENSEK includes but is not focused on Denmark. DENSEK stands for Distributed ENergy SEcurity Knowledge ... capiche?

Photo credit: The Travis Caulfield Travel Blog

Thursday, January 9, 2014

SANS gets Cyber-Physical with ICS Breach Response Guide

With apologies to Olivia Newton-John, you may or may not be aware that some bad actors have been helping raise awareness about physical threats to electric infrastructure lately. You might say, "Are we sure about this, or were they merely after some copper ... or groundnuts?"

Of course, it always pays to be skeptical, but in the age of video cameras, motion detectors and similar, it's clear that these were humans not after enrichment or nourishment, but rather, intent on destruction.

Mike Assante and Scott Swartz of security training firm SANS just released a how-to manual describing how you can help your utility proceed in the event of an attack. In particular, they want utilities to be on the lookout for cyber security foul play as they investigate breaches of physical defenses.

Tuesday, January 7, 2014

Singer & Brookings on the Security Governance/Ownership Vacuum

Analyst and author Peter Singer of the Brookings Institution has a new book out intended for everyman. And everywoman. That includes particularly those types who consider themselves non-technical, or, as I've heard cyber folks in DoD refer to them, tech immigrants (vs. typically younger tech natives).

The net he casts is wide enough to capture senior government and business leaders too. Below are excerpts from a recent interview with CNN/Fortune that really resonated with me, with particular applicability to our sector:
"Stop looking for others to solve it for you, stop looking for silver bullet solutions, and stop ignoring it."