Tuesday, February 25, 2014

Where do Today's Electric Utility CEOs come from, and what do their Origins Mean for Grid Security?

I remember once thinking, naively perhaps, that most utility CEOs must have come up through the ranks, like generals in the military, with hands-on operational engineering experience garnering them the respect of their peers and subordinates along the way.

When I shared that concept last year with a 40-year industry veteran who'd done his time in generation and T&D, he schooled me saying that while that used to be the case, it's not the norm today.  He said more often you'll find someone with a finance background, often imported from sectors outside power.

Friday, February 21, 2014

Thoughts on "Risk and Responsibility in a Hyperconnected World"

Hat tip to Tim Dierking of Aclara for spotting and forwarding this January 2014 World Economic Forum / McKinsey report: "Risk and Responsibility in a Hyper-connected World." Tim pointed to a couple of excellent sections on cyber resilience and future scenarios which you'll find within, but I'm going to call out a different selection for your immediate consumption.

The passage below is taken directly from the McKinsey summary, which, while not energy-sector specific, is right on the money, IMHO, on the culture, leadership and organizational dynamics aspects of what's needed to do security right in 2014+. Here you go:
A CEO-level issue 
Given the trillions of dollars in play, the stakes are high. And given the range of social and business issues that cyber resiliency affects—for example, intellectual property, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction—it can only be addressed effectively with active engagement from the most senior business and public leaders. 

Sunday, February 16, 2014

DOE's C2M2 is Growing Up Fast

There's been a ton of work accomplished since DOE handed the C2M2 flame to former FERCer Jason Christopher. The program has now been leveraged at hundreds of enterprises and gives you three flavors of Cybersecurity Capability Maturity Model (C2M2) to choose from.

You can download any/all of the models right this minute if you are so inclined:

In addition, there are a number of new supporting resources for organizations at some stage of the C2M2 consideration or implementation process:

  • C2M2 FAQ - helps answer whether or not a C2M2 self-assessment is right for your organization (ab: sounds a little too much like a Cialis commercial to me)
  • C2M2 Facilitator Guide - provides step-by-step guidance for organizations that want to perform their own internal self-assessments (with or without a 3rd party)
  • C2M2 toolkit for all three models (electricity, oil & natural gas, and sector-neutral) based on MS Excel and Word, so it can be used by any organization. (Toolkits are provided by request only—email C2M2@doe.gov for more information.)

Lastly, this just-released bulletin tells you how DOE, NIST and DHS see the C2M2 and the Critical Infrastructure Security Framework (CSF) playing complementary roles.

So much good stuff.  Between all of the above and the Olympics, this should keep you off the streets and out of trouble until Spring finally shows up.

Wednesday, February 12, 2014

Please Remain Calm: My Metcalf Substation Physical Security Take-Aways

Valentine's Day update - Two more good links have surfaced for you since I wrote the original post a few days ago:

  • PBS interview with Jon Wellinghoff and Mark Weatherford
  • A 3rd WSJ article, this one largely a counterpoint to the more FUD-oriented first one

It's been nearly 10 days now since the Wall Street Journal published its big story on the attack on a transmission substation outside Silicon Valley in California.  Since then, the media, keying on words like "assault, military-style, terrorism" have had a pre-apocalyptic field day.

So in my own way, I've been running a counter-alarmism campaign when speaking with the press as well as with infrastructure security experts about to go live on one of the hysterical "news shows."

My main points are:

  • This attack was significant but it didn't cause a blackout
  • So be concerned, but don't overreact
  • You can thank the hard work and preparation by Pacific Gas & Electric (PG&E) for at least 2 things: 1) rerouting energy flows so there was no perceptible customer impact despite the loss of many transformers, and, 2) getting the substation fully back on line within one month
  • This was a great opportunity for utilities to refresh their physical security policies, and that's what they're doing right now
  • Utilities are already taking concrete steps to deter this type of attack, including: erecting screens or walls to block a would-be shooter's view of his/her intended targets, inviting citizens living near substations to call their utilities if they see something suspicious, in the spirit of the "if you see something, say something" transit security campaign, and looking at the transformer stockpiling and loaner program 

Wednesday, February 5, 2014

Security and other Notes from a Cold Distributech 2014

Cross-posted from the new Bochman Advisors' Blog.

What a wonderful thing a Distributech is. Held alternately in San Diego and San Antonio, the vibrant but relatively conservative host communities are a near perfect match for the demographics it attracts in the dead of winter. What I'm saying is it's warm but it's not a jungle ... it's not Vegas, there's no Hangover.

This one, my fourth, was in San Antonio, and unfortunately, thanks to the Polar Vortex, or Son of Polar Vortex, it was too cold to sip cocktails by the River Walk, or run along the River Walk, or really to do anything outside besides hurry to the next dwelling.  Suffice it to say, most attendees, remembering balmy Distributechs past, did not bring the right clothes, and I for one left with a parting gift of H1N1.