The Smart Grid Security Blog - <b>Where Smart = Secure</b> - Andy Bochman<br />
<br />
<b>Energy Security Postscript and Next Chapter</b> (2014-11-17)<br />
<br />
Long-time readers of the SGSB might have wondered if they'd ever see another post. Me too. After producing an average of 1+ posts per week since its inception 5 years ago, I cut way back after leaving IBM in 2013 to give myself more time to focus on consulting. And now there's a new development to report.<br />
<br />
Four months ago I shuttered my security strategy business and began my first day on the job at Idaho National Laboratory (INL). It's one of the Department of Energy's national labs, and it's the one most squarely positioned at the intersection of energy infrastructure and national security. Let's call that energy security.<br />
<br />
My INL title, Senior Cyber & Energy Security Strategist, may sound a little pretentious, but it pretty accurately captures what I was hired to do. If you visit the <a href="https://inlportal.inl.gov/portal/server.pt?open=512&objID=255&mode=2" target="_blank">lab's home page</a> or the <a href="https://twitter.com/INL" target="_blank">INL Twitter feed</a> it seems like nuclear energy research and related nuclear work are its dominant activities. But while nuclear energy research and fuels fabrication were its origin in the 1940s and its historic mission, with the help of its massive and remote test range that includes grid-scale transmission, distribution and communications assets, the lab I just joined does a ton of research and applied work on power and industrial control systems, Smart Grid and wireless communications, cyber and physical security and resilience, renewables, microgrids, energy storage and more.<br />
<br />
Nuclear energy R&D and full nuclear fuel lifecycle work (including non-proliferation) will always be a significant part of the nation's requirements and of the INL mission, and nuclear energy is arguably the most reliable portion of our non-fossil-fuel baseload. But INL is quietly becoming something much more - and more important - than its nuclear legacy might suggest.<br />
<br />
Without going into too much detail, the lab's customers now include not just DOE's nuclear energy organizations, but also DOE's renewables, resilience and cyber-physical security components. DHS has become a major customer, as the lab hosts the ICS-CERT cyber security overwatch function for the US grid and other critical infrastructures, and performs other leading-edge cyber and physical security roles as well. DoD is a very large customer too, for energy, security and communications test functions, rounded out by direct work with utilities and energy and telecom technology suppliers.<br />
<br />
In short, INL in 2014 is not the lab many people think it is. While it's yet to update its image online, a visit to Idaho Falls quickly confirms that this is one of the nation's preeminent Energy Security lab resources. Nuclear energy is and likely always will be a key element, but without making much noise about it, INL has become so much more, and I'm very very lucky to be a part of it.<br />
<br />
<div style="text-align: center;">
------------------------------</div>
<br />
Postscript to the Postscript post: Though my blogs are in suspended animation, I continue to speak in public and, albeit more frequently and tersely, on Twitter @andybochman. As the Twitter profile reveals, I continue to work out of my home office in Boston while hitting the road most often for DC, and of course, now, Idaho.<br />
<br />
<br />
<b>Get Schooled on ICS Sec by SANS at SERC in Charlotte</b> (2014-06-30)<br />
<br />
Here are the facts, just the facts:<br />
<br />
Legendary cyber training institute SANS has joined forces with industry leaders to equip security professionals and control system engineers with the cybersecurity skills they need to defend national critical infrastructure.<br />
<div>
<br /></div>
<div>
Course name: ICS410 -- ICS/SCADA Security Essentials </div>
<div>
<br /></div>
<div>
Course description: ICS410 provides a set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.<br />
<br />
The discount: Receive a massive 5% off with discount code: SANSICS_SGSB5</div>
<div>
<br /></div>
<div>
To register: <a href="http://www.sans.org/info/161395">http://www.sans.org/info/161395</a></div>
<div>
<br /></div>
<div>
Venue and date: SERC Reliability Corporation, July 14 – 18 in Charlotte, NC</div>
<b>Calls for Enhanced Enterprise Security Governance Starting to Steamroll</b> (2014-06-20)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4EatnTFLAvMnEFm_V6SyfY741TjSIqLyRCwOeTUU6CM1pcPupbqT-LgA7clDp6D1WQtRme56b4N9Cgct5z72biKxy_zqC0Zubl0IBCIXBV3Vg7hyphenhyphenmWphkojxza2TnUyZVfPg_h82H_nY/s1600/Boardroom-meeting-007.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4EatnTFLAvMnEFm_V6SyfY741TjSIqLyRCwOeTUU6CM1pcPupbqT-LgA7clDp6D1WQtRme56b4N9Cgct5z72biKxy_zqC0Zubl0IBCIXBV3Vg7hyphenhyphenmWphkojxza2TnUyZVfPg_h82H_nY/s1600/Boardroom-meeting-007.jpg" height="192" width="320" /></a></div>
<br />
Though I've been approaching this issue from a sector-specific perspective <a href="http://smartgridsecurity.blogspot.com/search?q=governance" target="_blank">for years</a>, lots of what's been in the news lately (and I mean lately) is intended for all technology-enabled sectors. Which pretty much means every business and every organization that intends to maintain consistent and reliable operations in the near and mid-term future.<br />
<br />
First off, and with origins that predated the Target breach that's credited with generating most of this activity, was DOE's Energy Advisory Committee giving a thumbs up in May to a paper on Security Governance. It proposes that DOE pursue potential upgrades to how energy companies organize and run themselves from a security perspective. Titled <a href="http://energy.gov/sites/prod/files/Mar2014EAC_Recs-CyberGovernance.pdf" target="_blank">EAC Recommendations for DOE Action Regarding Implementing Effective Enterprise Security Governance - Outline for Energy Sector Executives and Boards</a>, the paper, among other things, lists the following "Characteristics of Effective Security Governance":<br />
<div>
<div>
<ul>
<li>Clearly defined responsibilities from the board of directors to senior leadership to employees </li>
<li>Presence of an active Security Governance board comprised of senior stakeholders from across the company </li>
<li>An executive owner of enterprise security, with purview over IT, OT and physical security policy (a designated CSO or similar) </li>
<li>Striving for 100% alignment of security with business/mission </li>
<li>Using measurement of key indicators to increase awareness and drive improvement (with maturity tools like DOE's <a href="http://energy.gov/sites/prod/files/2014/02/f7/ES-C2M2-v1-1-Feb2014.pdf" target="_blank">ES-C2M2</a>) </li>
</ul>
</div>
<br />
<a name='more'></a>Then there's this from Reuters in May: <a href="http://www.reuters.com/article/2014/05/30/us-usa-companies-cybersecurity-exclusive-idUSKBN0EA0BX20140530" target="_blank">Exclusive: U.S. companies seek cyber experts for top jobs, board seats</a>, which emphasizes the concept of getting the security chief out of IT:<br />
<blockquote class="tr_bq">
While a CISO typically reports to a company's chief information officer (CIO), some of the hiring discussions now involve giving them a direct line to the chief executive and the board, consultants and executives said. After high-profile data breaches such as last year's attack on U.S. retailer Target Corp, there is now an expectation that CISOs understand not just technology but also a company's business and risk management.</blockquote>
<div>
A Securities and Exchange Commission (SEC) commissioner recently added his voice as well. In <a href="http://www.dwt.com/SEC-Commissioner-Calls-on-Corporate-Boards-to-Address-CybersecurityRefers-to-NIST-Cyber-Framework-as-the-Bible-06-11-2014/" target="_blank">SEC Commissioner Calls on Corporate Boards to Address Cybersecurity</a>, Commissioner Luis Aguilar expresses his hope for governance improvements this way: “One would expect that corporate boards and senior management universally would be proactively taking steps to confront these cyber-risks.”<br />
<br />
Then, from the International Association of Privacy Professionals online journal, there was <a href="https://www.privacyassociation.org/publications/cybersecurity_in_the_boardroom_the_new_reality_for_directors" target="_blank">Cybersecurity in the Boardroom: The New Reality for Directors</a>, which included a list of recommendations, some of which have particular relevance for security governance and culture:</div>
<ul>
<li>Develop a high-level understanding of cyber-risks facing the company through briefings from senior management and others</li>
<li>Ensure that the company has at least one committee that is responsible for overseeing and understanding cybersecurity issues, controls and procedures</li>
<li>Facilitate a culture that views cybersecurity as a business issue that all employees should understand and participate in. As part of that, companies should consider employee training and awareness programs</li>
<li>Include a cyber-expert on the company’s board of directors or receive regular reports from a cybersecurity expert that are discussed at board meetings</li>
</ul>
<div>
So, as you can see, what once felt like a voice in the wilderness is now becoming a chorus. Or you could say a trickle is becoming a deluge. No matter the metaphor, with a little help from the Federal Government, and a lot more from The Real World, enterprise security governance is beginning to get the attention it deserves.<br />
<br />
Image credit: Peter Skelton<br />
<br />
<br />
<br /></div>
</div>
<b>New England (and Connecticut in Particular) Showing PUC Leadership on Security</b> (2014-04-18)<br />
<br />
<a href="http://naruc.org/" target="_blank">NARUC</a> has been issuing cybersecurity guidance to the 50 US public utility commissions (PUCs) since 2010. And <a href="http://naseo.org/" target="_blank">NASEO</a>'s been guiding other state government orgs. California's PUC has been very active, showing leadership with its multiple publications on security and privacy. Until recently, PUC Texas had a true cybersecurity pro on staff.<br />
<div>
<br /></div>
<div>
But now I'm going to tell you about my part of the world: New England. Last fall the organization that brings the six northeastern PUCs together, <a href="http://www.necpuc.org/" target="_blank">NECPUC</a>, put out an RFP for security consulting for the six and some of their utilities. The engagement was won by EnergySec, and I've heard only positive news about what that six-month engagement has produced. In addition, the Massachusetts AG recently released an RFP seeking 3rd-party evaluations of the cybersecurity preparedness of the distribution companies serving the state.<br />
<a name='more'></a></div>
<div>
<br /></div>
<div>
<div>
Now comes a comprehensive, 30-page report from Connecticut's Public Utilities Regulatory Authority (PURA): "Cybersecurity and Connecticut's Public Utilities," released earlier this week. While giving credit to the two regulated electric utilities in its jurisdiction for doing a good job on cybersecurity so far, it also tackles head on key challenges and next steps, including:<br />
<ul>
<li>Setting performance criteria (hmmm, sounds like measurement maybe)</li>
<li>Seeking concurrence regarding the role of regulators</li>
<li>Establishing consistent regulation</li>
<li>Identifying reporting goals and standards</li>
<li>Sharing information and best practices</li>
<li>Maintaining confidentiality of sensitive cyber information</li>
<li>Rethinking procedures for ensuring personnel security</li>
<li>Defining appropriate cost thresholds and cost recovery guidelines</li>
<li>Identifying effective training and situational exercises</li>
<li>Integrating public utility cyber issues into Connecticut's emergency management operations. </li>
</ul>
All good stuff. However, the report notes that municipal utilities, while providing essential services, are not regulated by PURA. This is true across all 50 states and presents a massive power sector security regulatory blind spot.</div>
<div>
<br /></div>
<div>
Before the report wraps up, it presents regulators and other stakeholders with a few questions (in third person) to be asked about utility cyber preparations:</div>
<div>
<div>
<ul>
<li>Do the leaders in the public utilities serving Connecticut and their boards pay appropriate attention to risk management in general and cyber as part of that challenge? </li>
<li>Do they have skilled personnel and necessary hardware and software? Are their budgets for cybersecurity adequate? </li>
<li>Do they train and keep up with the constantly evolving set of threats? </li>
<li>Do they run mock drills with outside assistance to test the strength of their deterrence? </li>
<li>Do they have access to outside consultants and experts to stay up to date and to fill in gaps not covered by their own personnel? </li>
<li>Are they active participants in trade association activities geared toward sharing best practices? </li>
</ul>
</div>
</div>
<div>
There's more to say, but you're better off reading the report in full when you have a chance.</div>
<div>
<br /></div>
<div>
You'll find it <a href="http://www.ct.gov/pura/lib/pura/electric/cyber_report_041414.pdf" target="_blank">HERE</a>.</div>
<div>
<br /></div>
<div>
<br /></div>
</div>
<b>Security Governance Ripples from Target Breach</b> (2014-03-31)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5MkWkgqtTLYRiN27sFPiEpS5pJBqGct6mJiEF2SGFeIyO8BLvzI4xRN4BQ_V-bT3KF5z6GhdHbcGMV6XgW0MNyr_gjKgW-Ttt87AhBOIIHQgvzEdLGZqJEnasq3YGf9otJsoiRwb4lrY/s1600/skipping-stone-michael-durham.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5MkWkgqtTLYRiN27sFPiEpS5pJBqGct6mJiEF2SGFeIyO8BLvzI4xRN4BQ_V-bT3KF5z6GhdHbcGMV6XgW0MNyr_gjKgW-Ttt87AhBOIIHQgvzEdLGZqJEnasq3YGf9otJsoiRwb4lrY/s1600/skipping-stone-michael-durham.jpg" height="213" width="320" /></a></div>
<br />
You know the saying: if you want a different result, best not to keep doing the same thing. In this case, the result was the massive data breach involving the loss of the records of 40 million customers at mega retailer Target.<br />
<br />
In its wake, CEO Gregg Steinhafel stated that he is "elevating the role" of the company's chief information security officer and hiring outside the company to fill the position. According to this <a href="http://www.nytimes.com/2014/03/06/business/targets-chief-information-officer-resigns.html?_r=1" target="_blank">NY Times article</a> from early March, bringing on a new CISO will help Target centralize the company's security responsibilities.<br />
<div>
<br /></div>
And while the timing is coincidental, I owe Schweitzer Engineering Laboratories' Sharla Artz thanks for pointing out that Wisconsin-based electric utility <a href="http://www.alliantenergy.com/" target="_blank">Alliant Energy Corp</a> just made a similar move. For me, there are several promising parts to Alliant's announcement at the recent EnergyBiz conference that it had just:<br />
<div>
<blockquote class="tr_bq">
<i>Created an executive-level opening ... for overseeing cyber and physical security. The position was designed to bring cyber issues out of the weeds of the IT shop, where CEOs generally don't tread.</i></blockquote>
What I like best about this is:</div>
<div>
<ul>
<li>The company didn't have to endure a huge security incident to justify this change to the org chart</li>
<li>The position is clearly not going to be buried in an IT silo, so it should have authority to set security policy across IT and OT</li>
<li>Reflecting a convergence that's happening in many energy enterprises, this new security exec will oversee both cyber and physical security</li>
</ul>
<div>
Hopefully we'll see more utilities make similar moves ... and soon.</div>
</div>
<div>
<br /></div>
<div>
Image credit: Michael Durham at fineartamerica.com</div>
<b>An Eerie and Early Visualization of the Internet of Things (IoT)</b> (2014-03-26)<br />
<br />
I've got a short story to recommend to you. It's cerebral without being overly literary. It's got action, though no cyber-physical grid attacks. There's no shooting. No lives lost. No outages. But is there ever a lot going on! In fact, I'm pretty sure it's a parody of sorts of what may be coming our way in the not-very-distant future.<br />
<br />
Titled "Water," it was published last year by author and futurist Ramez Naam.<br />
<br />
Here's what the ad-free, neural-implanted main character experiences walking down a street in NYC:<br />
<blockquote class="tr_bq">
Civic systems chattered away. The sidewalk slabs beneath his feet fed a steady stream of counts of passers-by, estimates of weight and height and gender, plots of probabilistic walking paths, data collected for the city planners. Embedded biosensors monitored the trees lining the street, the hydration of their soils, the condition of their limbs. Health monitors watched for runny noses, sneezing, coughing, any signs of an outbreak of disease. New York City’s nervous system kept constant vigil, keeping the city healthy, looking for ways to improve it.</blockquote>
<br />
<a name='more'></a>And there's a nice IoT breach for you, too, with extra padding for general readers:<br />
<blockquote class="tr_bq">
In a windowed office above the financial heart of Manhattan, a tiny AI woke and took stock of its surroundings. Location—check. Encrypted network traffic—check. Human present—check. Key . . . . Deep within itself, the AI found the key. Something stolen from this corporation, perhaps. An access key that would open its cryptographic security. But one with additional safeguards attached. A key that could only be used from within the secure headquarters of the corporation. And only by one of the humans approved to possess such a key. Triply redundant security. Quite wise. </blockquote>
<blockquote class="tr_bq">
Except that now the infiltration AI was here, in this secure headquarters, carried in by one of those approved humans. Slowly, carefully, the infiltration AI crawled its tiny body up the back of the silk suit it was on, toward its collar, as close as it could come to the human’s brain without touching skin and potentially revealing itself. When it could go no farther, it reached out, fit its key into the cryptographic locks of the corporation around it, and inserted itself into the inner systems of Pura Vita enterprises, and through them, into the onboard processors of nearly a billion Pura Vita products on shelves around the world.</blockquote>
<div>
Cyber and physical consequences ensue and cascade. You can and should read the whole 5K word story <a href="http://www.iftf.org/fanfutures/naam/" target="_blank">HERE</a>.</div>
<div>
<br />
While I've got you in the mood, less creative but still informative is a non-fiction article I found via Twitter this morning: <a href="http://www.networkworld.com/research/2014/032514-cybersecurity-expert-and-cio-internet-280070.html?page=1" target="_blank">"Internet of Things is 'Scary as Hell'"</a>. In short strokes, it's more "insecure by design" coming our way. And see if the expert guidance on what to do in your home doesn't faintly echo IT/OT power sector security advice:<br />
<blockquote class="tr_bq">
Secure your environment. And don't have your alarm system, your heating and air conditioning system, on the same internal network as your PCs. If they are easily hacked -- and they are -- and attacked, you don't want them to be on the exact same network.</blockquote>
Many people seem excited about what's going to happen when everything talks with everything else. Me, I'm no Luddite, but even without taking the manifold security and privacy considerations into account, I'm not sure IoT represents a step forward for our species. Anyway, no matter, it's coming soon to a theater near you. And maybe "Water" will be too.<br />
<br /></div>
<b>A Social Summary of SANS ICS Security Summit 2014</b> (2014-03-19)<br />
<br />
Since I went solo there's been less time for blogging, but I hope to catch up a little with this mega post on the just-concluded, 9th annual <a href="http://www.sans.org/event/north-american-ics-scada-summit-2014" target="_blank">SANS ICS Security Summit</a>, which took place in the Contemporary Hotel at Disney.<br />
<br />
Where I can I'll include Twitter IDs, as for many of us, Twitter is how we stay abreast of what we find interesting and what we're thinking about in between real world meet-ups. (<i>Note: I only include these when they're unique to the individual and not shared by a company or org.</i>)<br />
<br />
I won't cover all the talks because I didn't attend all of them, and I apologize to those presenters I don't cover here. Nor was I at "Game Night" (though I wish I was) which from what I heard later was a fantastic and grueling hack-fest that extended into the wee hours before champions finally emerged.<br />
<a name='more'></a><br />
<br />
For those of us lucky to be at the hotel Sunday night, and to know what was going on, a four-act play called "Exposure to Closure" or "The Heist" penned by<b> Ben Miller</b> @electricfork was really something. With MC <b>Tim Roxey</b> @ScubaNuke providing intros, transitions, and running commentary, all injected with equal parts wisdom and levity, and a cast of characters from the really-not-ready-for-prime-time SANSICS players, for me it was the highlight of the trip, even before the conference officially started.<br />
<br />
The audience got to see, in four acts and sixteen scenes, the full sequence of an attack on a utility control center, the confusion, analysis and corporate squirming that ensues, and how it resolves relatively peacefully (in this case) in the end. <b>Mark Fabro </b>stole the show with a swift and spooky transformation from dweebish uber-geek to a credible threat to another actor's physical security.<br />
<br />
<b>Chris Sistrunk</b> @chrissistrunk and<b> Adam Crain </b>@automatak kicked things off smartly as twin fuzzing brothers from different mothers providing an overview of the many flavors of fuzzing, and the DNP3 protocol and how it's being made more secure (less insecure). At one point, Chris noted that with much of the initial badness having been attended to, "We're starting to look at the back yard and are finding it a bit overgrown. Some things are turning up there - like cars." They make a great instructor duo.<br />
<br />
Then we had an analyst panel, moderated by <b>John Pescatore</b> @john_pescatore and including <b>Bob Lockhart, Sid Snitkin</b> and myself. It seemed to go pretty well.<br />
<br />
<b>Eric Byres </b>@tofinosecurity followed by thoroughly excoriating the concept of patching ICS systems and transitioned to a tour-de-force explanation of deep packet inspection (DPI) that, like a good Bugs Bunny cartoon, communicated on many levels. Meaning: I think I understood most of it, but the more experienced folks around me seemed to get insights from it as well.<br />
<br />
The presentation by <b>Marc Ayala </b>@ICS_SCADA and <b>Eric Forner </b>demonstrated an attack on a mini water pump which turned the stage momentarily into Sea World, serving as a warm-up act for <b>Kyle Wilhoit's</b> @lowcalspam real-world honeypot presentation the next day documenting how global bad guys pursued what they believed to be the control system of a far more substantial pump, constructed by Kyle, at a municipal water tower. We all learned a lot from these two presos.<br />
<br />
<b>Nadya Bartol</b> @NadyaBartol presented on ICS supply chain security issues and by the time she was done, the scope and complexity of supply chain challenges to ICS became all-too-clear. <b>Ernie Hayden,</b> sitting next to me, tried to lighten my mood by informing me that there are 127 BIOS vendors alone.<br />
<br />
I missed the presentation on the new Global Industrial Cyber Security Professional (GICSP) certification, but in case you did too, I've put a link to it <a href="http://www.giac.org/certification/global-industrial-cyber-security-professional-gicsp" target="_blank">HERE</a>.<br />
<div>
<br />
The first presentation I made it to on day 2 was "Cybersecuring DoD Industrial Control Systems", during which <b>Michael Chipley </b>provided more content, pound for pound, than all of Monday's presenters combined. Each of his many slides was a universe in and of itself, and there was a multiverse of them. But that's the DoD we know and love, and Michael did a great job of plotting its progress, in which he plays no small part, from DITSCAP to DIACAP to the NIST CSF structure in which they're inserting, among other things, the most up-to-date guidance on control system security. As masterful conference MC & Chairman <b>Michael Assante</b> said afterwards, "leave it to DoD to build a model where elevators and anti-ballistic missile systems are in the same category."<br />
<br />
I had a good lobby talk after that preso with Michael and <b>Chris Blask</b> @chrisblask. We were keying on how the I in ICS serves to exclude a big chunk of the systems and devices we all care about, and mused on whether the term would eventually transition to something more all-encompassing like Cyber Physical Systems (CPS), Internet of Things (IoT, though that's not quite right) or simply, control systems.<br />
<br />
Then we had another panel session, this one on the framework of the moment, the NIST Cybersecurity Framework and its relationship to DOE's Risk Management Process guide and C2M2 family. The group included <b>Ed Goff</b>, <b>Jason Christopher</b> @jdchristopher and substituting for the snowed-in Samara Moore, <b>Nadya Bartol</b>. These three did a great job and now we all understand perfectly how these guidance documents fit together. Moderator <b>Michael Assante</b> pointed out, more than once, that Nadya's cogent and succinct statements qualified her for service in the Executive branch of government.<br />
<br />
Air Force Lieutenant and famous writer <b>Robert M. Lee</b> @RobertMLee, author of the I-call-'em-like-I-see-'em 2013 article "<a href="http://www.afcea.org/content/?q=node/11855" target="_blank">The Failing of Air Force Cyber</a>," and its companion piece <a href="http://www.amazon.com/SCADA-Me-Book-Children-Management/dp/149127512X/ref=cm_cr_pr_product_top" target="_blank">SCADA and Me: a Book for Children and Managers</a>, basically stole the show at this point. Not an expert, but rather a "lifelong learner," Rob reviewed the book's simple messages, and highlighted some of the more disturbing reactions to it, including:<br />
<ul>
<li>A Pentagon General who told him "I keep your book on my desk and share it with management." Which led Rob to suggest to the SANS audience: "At some point in your career you must admit that YOU ARE MANAGEMENT." </li>
<li>He also shared a one-star Amazon review along the lines of "I've been a nuclear engineer for 10 years and I got nothing out of this book."</li>
</ul>
<br />
Towards the end, Rob said the book has been translated into multiple languages and then flashed the cover of <a href="http://www.amazon.com/SCADA-YO-Directores-Spanish-Edition/dp/1495382176" target="_blank">SCADA y Yo: Un Libro Para Niños Y Directores</a>. I'm not sure why that was so funny, but it sure was.<br />
<br />
I mentioned Kyle's talk earlier, so that brings us to the penultimate preso, <b>Stacy Cannady's</b> overview of how OEMs can improve the integrity of their products despite the many threats they face, and vulnerabilities they can't help but include. It was very well done.<br />
<br />
Of my own preso on Security Governance at utilities, all I can say is I wish it went more smoothly. I should have known better, following a presentation on trusting and not trusting devices, that the slide-advancing pointer in my hand might turn against me. I've got a solution though: I'm going to cut my slide count from 30 to 1, and who knows, maybe 1 is 1 too many these days.<br />
<br />
I highly recommend you block off your calendar for the 10th annual version of this event next year. It's going to be on 1 April or thereabouts if I heard Mike right. This one was more educational and more fun than any conference I've been at in recent memory.<br />
<br />
Andy @andybochman<br />
<br />
<br />
<br />
<br /></div>
<b>Energy Firms Not Ready for Cyber Insurance?</b> (2014-03-05)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinaVmcb78v8RMzxVv4h4fMxnVbYv8dBTrzoaxTjPR3gotB61fcqqPL19EmoccgigZ4N3TCNWQEztjVboO11lvScvhxrAs0ZRGZGKgHtBd7fgeyW5-OP6uGJPAwk1f3xuc8_VfksoPA_Yo/s1600/Cyberinsurance+Shutterstock.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinaVmcb78v8RMzxVv4h4fMxnVbYv8dBTrzoaxTjPR3gotB61fcqqPL19EmoccgigZ4N3TCNWQEztjVboO11lvScvhxrAs0ZRGZGKgHtBd7fgeyW5-OP6uGJPAwk1f3xuc8_VfksoPA_Yo/s1600/Cyberinsurance+Shutterstock.jpg" height="240" width="320" /></a></div>
<br />
Or so says corporate underwriter and veteran cyber insurance provider Lloyd's of London, in a BBC article last week:<br />
<blockquote class="tr_bq">
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out. Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.</blockquote>
Sadly, as the article goes on to say:<br />
<blockquote class="tr_bq">
After such checks were carried out, the majority of applicants were turned away because their cyber defenses were lacking.</blockquote>
<br />
<a name='more'></a>The article notes a great uptick in the last year in the number of energy sector firms seeking cyber coverage, but it doesn't posit a reason for the sudden rush. Questions immediately spring to mind:<br />
<ul>
<li>What is the audit or investigation like that Lloyd's puts applicants through? </li>
<li>What is examined? </li>
<li>Who is interviewed? </li>
<li>Is this only data/privacy breach cyber insurance being discussed or is business continuity also on the table?</li>
<li>Are any technical tools used? </li>
<li>Are 3rd party risks evaluated?</li>
<li>Etc.</li>
</ul>
And for me the biggest two: what are the key indicators insurers look for that tell them that an organization is on the ball cyber security-wise and worth the risk of insuring? And where is the line drawn, above which an organization is secure enough?<br />
<br />
I am confident someone knows the answers to these questions, but I haven't been able to find him/her yet. But when I do, it'll be to tease out the most common energy-sector-specific shortcomings and then roadmap to an insurable state.<br />
<br />
Here's the URL for the full article: http://www.bbc.com/news/technology-26358042<br />
<br />
Image credit: Govtech.comAndy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com0tag:blogger.com,1999:blog-1975210780854152434.post-76123294942603239672014-02-25T20:50:00.002-05:002014-02-26T06:13:19.434-05:00Where do Today's Electric Utility CEOs come from, and what do their Origins Mean for Grid Security?<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTh8XtekjTCNTvQED23nl6rSRkrEV1k1es99W5W-x2Deir_rSVHAjZJlZbY7G-WLmLAI_c8j2cCkNyiUQdZJhF0NKQS_VKWxmzotQEDSk8ffrZsDZ1gS5C-mozT3rolEeUYWC0ZW7JP3o/s1600/ht_wall_street_money_never_sleeps_nt_120227_wmain.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTh8XtekjTCNTvQED23nl6rSRkrEV1k1es99W5W-x2Deir_rSVHAjZJlZbY7G-WLmLAI_c8j2cCkNyiUQdZJhF0NKQS_VKWxmzotQEDSk8ffrZsDZ1gS5C-mozT3rolEeUYWC0ZW7JP3o/s1600/ht_wall_street_money_never_sleeps_nt_120227_wmain.jpg" height="180" width="320" /></a></div>
<br />
I remember once thinking, naively perhaps, that most utility CEOs must have come up through the ranks, like generals in the military, with hands-on operational engineering experience garnering them the respect of their peers and subordinates along the way.<br />
<br />
When I shared that concept last year with a 40-year industry veteran who'd done his time in generation and T&D, he schooled me saying that while that used to be the case, it's not the norm today. He said more often you'll find someone with a finance background, often imported from sectors outside power.<br />
<br />
<a name='more'></a>Well, I got another round of schooling on this subject this week from former state commissioner and current consumer advocate Nancy Brockway, who has made her presence known on this blog before, in: "<a href="http://smartgridsecurity.blogspot.com/2012/07/the-state-of-states-and-smart-grid.html" target="_blank">The State of the States and Smart Grid Security</a>." Now she's back, and whether you agree with her or not, and allowing for exceptions, I think you definitely should hear what she has to say about the origins of senior utility leadership in 2014:<br />
<blockquote class="tr_bq">
Transaction-oriented finance and legal sector professionals have displaced engineers in the executive suites of most utilities. The big shift to deal-making occurred in the wake of the existential shocks of the late 20th century over cost over-runs, the end of cheap oil, and the growing recognition of the environmental costs of utilities. </blockquote>
<blockquote class="tr_bq">
Look back a century or more to the pioneers of the utility industry and you'll see a public interest value system that could and often did accompany the build out of utility territories and even accompanied mergers and acquisitions. Read 2004's <a href="http://www.amazon.com/Insull-Rise-Billionaire-Utility-Tycoon/dp/1587982439#" target="_blank">Insull: The Rise and Fall of a Billionaire Utility Tycoon</a> by Forrest McDonald, for more background. </blockquote>
<blockquote class="tr_bq">
But economies of scale were pretty well exhausted by the 1960s. Bigger was no longer better for customers. And an anti-regulation "winner takes the hindmost" political climate did not reward a utility executive's greater effort to serve the public. Rather, it rewarded ever more sophisticated schemes to funnel profits up to the executive suite.</blockquote>
<blockquote class="tr_bq">
Regulators have to push for what they see as the public interest. To do their jobs with any responsibility in these circumstances, they can no longer sit back and merely act as a brake on occasional excesses. Too often they have to define the public good and demand it from utility management.<br />
<br />
I am not sure that a workable redefinition of the roles and responsibilities of management and regulators can happen without a wholesale cultural shift away from "Greed is Good." My opposition to pre-approval of cyber security spending comes from the sense that if the utility drags its heels or does only what it needs to satisfy regulators, that just demonstrates that utility execs do not see security as fundamentally necessary for their personal financial success.</blockquote>
<div>
Sort of begs the question of how Gordon Gekko would weigh security investments vs. security risk, and you know what, I don't know the answer. But we know GG types thrive on risk and reward. </div>
<div>
<br /></div>
<div>
That's not exactly what I had in my mind previously, imagining conservative, retired military, former boy or girl scouts, with steady hands on the tiller of some of the most important critical infrastructure organizations in the country.<br />
<br />
Hopefully, experience and acumen with fine tuning financial risk/reward equations will most often translate to a similarly savvy understanding of and action on operational risks ... including one that's increasingly material and the raison d'être of this blog.</div>
<div>
<br /></div>
<div>
Photo credit: <a href="http://abcnews.go.com/" target="_blank">ABC news</a></div>
Andy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com5tag:blogger.com,1999:blog-1975210780854152434.post-19254140360577595722014-02-21T14:57:00.003-05:002014-02-21T14:57:45.779-05:00Thoughts on "Risk and Responsibility in a Hyperconnected World"<div class="MsoNormal">
Hat tip to Tim Dierking of Aclara for spotting and forwarding this January 2014 World Economic Forum / McKinsey report: "Risk and Responsibility in a Hyperconnected World." Tim pointed to a couple of excellent sections on cyber resilience and future scenarios which you'll find within, but I'm going to call out a different selection for your immediate consumption.<br />
<br />
The excerpt below is taken directly from the McKinsey summary, which, while not energy-sector specific, is right on the money, IMHO, on the culture, leadership and organizational dynamics aspects of what's needed to do security right in 2014+. Here you go:<br />
<blockquote class="tr_bq">
<b>A CEO-level issue</b> </blockquote>
<blockquote class="tr_bq">
Given the trillions of dollars in play, the stakes are high. And given the range of social and business issues that cyber resiliency affects—for example, intellectual property, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction—it can only be addressed effectively with active engagement from the most senior business and public leaders. <a name='more'></a></blockquote>
<blockquote class="tr_bq">
Even improving cybersecurity capabilities within a single institution requires collaboration across a host of business functions. Operational managers must assess which information assets are most valuable. Privacy and compliance functions have to evaluate the impact of losing customer data. Decisions about how much to monitor employee access to sensitive data have major HR implications. And procurement must negotiate security requirements into vendor contracts. </blockquote>
<blockquote class="tr_bq">
Given the scale of impact and the degree of coordination and cultural change required, progress toward cyber resilience requires active engagement from the CEO and other senior leaders. They have to make clear they expect the following:<ul>
<li>an honest, granular assessment of existing capabilities and risks, given their business model</li>
<li>alignment on the most important information assets and a clear approach for providing them with required protection</li>
<li>a road map for getting to a scalable, business-driven cybersecurity operating model</li>
<li>a well-practiced set of skills for responding to breaches across business functions</li>
</ul>
Sustaining the pace of innovation and growth in the global economy will require resiliency in the face of determined cyberattacks. Only CEOs and senior public leaders can solve the problem, because of the strategic and organizational-change issues that need to be resolved.</blockquote>
And so continues the exhortation for senior business and government leaders to take more ownership of the security risk challenge. It's not easy. In fact, in the overly technical ways it's usually presented to them, it's overwhelming and way out of their comfort zone.<br /><br />For the umpteenth time: security leaders need to meet them more than halfway by speaking plain-English business language and, as much as possible, converting technology and security risk into dollars and cents to be gained or lost. Clarity and persistence are the keys here, as there are no gold, silver, or bronze bullets to hasten the process.<br /><br />The summary and full report can be found <a href="http://www.mckinsey.com/Insights/Business_Technology/Risk_and_responsibility_in_a_hyperconnected_world_Implications_for_enterprises">HERE</a>.</div>
Andy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com1tag:blogger.com,1999:blog-1975210780854152434.post-87380477331959901572014-02-16T11:52:00.003-05:002014-02-16T11:52:38.334-05:00DOE's C2M2 is Growing Up FastThere's been a ton of work accomplished since DOE handed the C2M2 flame to former FERCer Jason Christopher. The program has now been leveraged at hundreds of enterprises and gives you three flavors of Cybersecurity Capability Maturity Model (C2M2) to choose from. <br />
<br />
You can download any/all of the models right this minute if you are so inclined:<br />
<br />
<ul>
<li><a href="http://energy.gov/sites/prod/files/2014/02/f7/ES-C2M2-v1-1-Feb2014.pdf" target="_blank">ES - Electricity Subsector</a> (version 1.1)</li>
<li><a href="http://energy.gov/sites/prod/files/2014/02/f7/ONG-C2M2-v1-1-Feb2014.pdf" target="_blank">O&G - Oil & Gas</a> (version 1.1)</li>
<li><a href="http://energy.gov/sites/prod/files/2014/02/f7/C2M2-v1-1-Feb2014.pdf" target="_blank">Sector Neutral</a></li>
</ul>
<br />
In addition, there are a number of new supporting resources for organizations at some stage of the C2M2 consideration or implementation process:<br />
<br />
<ul>
<li><a href="http://energy.gov/sites/prod/files/2014/02/f7/C2M2-FAQs.pdf">C2M2 FAQ</a> - helps answer whether or not a C2M2 self-assessment is right for your organization (<i>ab: sounds a little too much like a Cialis commercial to me</i>)</li>
<li><a href="http://energy.gov/sites/prod/files/2014/02/f7/C2M2-FacilitatorGuide-v1-1-Feb2014.pdf">C2M2 Facilitator Guide</a> - provides step-by-step guidance for organizations that want to perform their own internal self-assessments (with or without a 3rd party)</li>
<li>C2M2 toolkit for all three models (electricity, oil & natural gas, and sector-neutral) based on MS Excel and Word, so it can be used by any organization. (Toolkits are provided by request only—email <a href="mailto:C2M2@doe.gov">C2M2@doe.gov</a> for more information.)</li>
</ul>
<br />
Lastly, this <a href="http://energy.gov/sites/prod/files/2014/02/f7/Use-of-NIST-Cybersecurity-Framework-DOE-C2M2.pdf" target="_blank">just-released bulletin</a> tells you how DOE, NIST and DHS see the C2M2 and the Critical Infrastructure Security Framework (CSF) playing complementary roles.<div>
<br /></div>
<div>
So much good stuff. Between all of the above and the Olympics, this should keep you off the streets and out of trouble until Spring finally shows up.</div>
Andy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com0tag:blogger.com,1999:blog-1975210780854152434.post-11335715739923189002014-02-12T16:26:00.001-05:002014-02-16T12:15:34.265-05:00Please Remain Calm: My Metcalf Substation Physical Security Take-AwaysValentine's Day update - Two more good links have surfaced for you since I wrote the original post a few days ago:<br />
<blockquote class="tr_bq">
A <a href="http://www.pbs.org/newshour/bb/sniper-attack-sparks-worry-security-nations-power-grid/" target="_blank">PBS Interview</a> with Jon Wellinghoff and Mark Weatherford </blockquote>
<blockquote class="tr_bq">
A 3rd <a href="http://online.wsj.com/news/articles/SB10001424052702304558804579376700294221162" target="_blank">WSJ article</a>, this one largely a counterpoint to the more FUD-oriented first one</blockquote>
----<br />
<br />
It's been nearly 10 days now since the Wall Street Journal published its big story on the attack on a transmission substation outside Silicon Valley in California. Since then, the media, keying on words like "assault, military-style, terrorism" have had a pre-apocalyptic field day. <br />
<br />
So in my own way, I've been running a counter-alarmism campaign when speaking with the press as well as with infrastructure security experts about to go live on one of the hysterical "news shows."<br />
<br />
My main points are:<br />
<br />
<ul>
<li>This attack was significant but it didn't cause a blackout</li>
<li>So be concerned, but don't overreact</li>
<li>You can thank the hard work and preparation by Pacific Gas & Electric (PG&E) for at least 2 things: 1) rerouting energy flows so there was no perceptible customer impact despite the loss of many transformers, and, 2) getting the substation fully back on line within one month</li>
<li>This was a great opportunity for utilities to refresh their physical security policies, and that's what they're doing right now</li>
<li>Utilities are already taking concrete steps to deter this type of attack, including: erecting screens or walls to block a would-be shooter's view of his/her intended targets, inviting citizens living near substations to call their utilities if they see something suspicious, in the spirit of the "if you see something, say something" transit security campaign, and looking at the transformer stockpiling and loaner program <a name='more'></a></li>
</ul>
<div>
My more-than-slightly-frustrated-with-certain-people point is:</div>
<br />
Physical security will now be top of mind for grid security experts for a while. But since some minds are smaller than others I've heard certain experts say maybe we worry about grid cyber security too much. Brilliant, a physical attack means we should slow down on cyber security. Why didn't I think of that? I'm sure that's how cyber attack types think. Seeing the near-success of the Metcalf attack, they're probably trading in their laptops for bricks and bullets right now.<br />
<div>
<br /></div>
<div>
You may or may not have access to the WSJ articles below, but in case you do, here are 3 links that help tell the story, including a first one from shortly after the attack, before the hyperbole started flowing:</div>
<ul>
<li><a href="http://sanfrancisco.cbslocal.com/2013/04/16/gunshots-cause-oil-spill-at-san-jose-pge-substation/" target="_blank">CBS San Francisco</a> April 16, 2013</li>
<li><a href="http://online.wsj.com/news/articles/SB10001424052702304851104579359141941621778?KEYWORDS=metcalf" target="_blank">WSJ</a> Feb 4, 2014</li>
<li><a href="http://online.wsj.com/news/articles/SB10001424052702303874504579372990589502828?KEYWORDS=metcalf" target="_blank">WSJ</a> Feb 9, 2014</li>
</ul>
<div>
As always, please keep calm and carry on. There's a lot of important work to do.</div>
Andy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com2tag:blogger.com,1999:blog-1975210780854152434.post-18832969769092255742014-02-05T16:53:00.001-05:002014-03-24T15:49:40.748-04:00Security and other Notes from a Cold Distributech 2014<i>Cross-posted from the new <a href="http://www.bochmanadvisors.com/" target="_blank">Bochman Advisors'</a> Blog.</i><br />
<br />
What a wonderful thing a Distributech is. Held alternately in San Diego and San Antonio, the vibrant but relatively conservative host communities are a near perfect match for the demographics it attracts in the dead of winter. What I'm saying is it's warm but it's not a jungle ... it's not Vegas, there's no <a href="http://www.imdb.com/title/tt1119646/" target="_blank">Hangover</a>.<br />
<br />
This one, my fourth, was in San Antonio, and unfortunately, thanks to the Polar Vortex, or Son of Polar Vortex, it was too cold to sip cocktails by the River Walk, or run along the River Walk, or really to do anything outside besides hurry to the next dwelling. Suffice it to say, most attendees, remembering balmy Distributechs past, did not bring the right clothes, and I for one left with a parting gift of <a href="http://en.wikipedia.org/wiki/Influenza_A_virus_subtype_H1N1" target="_blank">H1N1</a>. <br />
<br />
<a name='more'></a><br /><br />
<br />
My main objective for this one was to see how various Distribution Management System (DMS) vendors are updating their products to meet the increasing challenges and complexities that come with distributed generation and other emergent demand side technologies like demand response, energy efficiency, energy storage and microgrids. My virtual guide for this trip, which included stops at Siemens, Schneider/Telvent and ABB/Ventyx, was GTM Research analyst Ben Kellison.<br />
<br />
Of course, what I was really trying to learn from the vendors, while asking about their updates, was to what extent they were factoring security into the requirements mix. Since I'm not a professional analyst, I'll hold off on saying who seemed stronger or weaker, but in short the answer was mixed, with 2 of them scoring very well, and the other leaving me confused with too much marketing, which in some circles can be considered lying.<br />
<br />
The keynote speakers gave plenty of attention to security, and most vendors, in addition to those who focus on security, let you know that security is built into their products. But buyer beware, often the word Security can have as much connection to reality in that context as "new and improved" or "virtually fat free". Even if you're not an expert, it pays to look under the hood.<br />
<br />
Other companies visited: Belden/Tofino, Enernex, Industrial Defender, Burns McDonnell, Black & Veatch, GridCo Systems, Scitor, UtiliSec, Greentech Media, Proximetry, and Worcester Polytechnic Institute (WPI), one of the few US universities to offer classes to power systems engineers. And of course, my recent alma mater: IBM, where it was great to see and catch up with some old friends.<br />
<br />
If you want another source of info on the zeitgeist of the utility participants, there's no better source than Jesse Berst with his just-posted <a href="http://www.smartgridnews.com/artman/publish/Business_Lessons_Learned/Utilities-The-9-things-to-worry-about-most-6328.html/?fpt" target="_blank">9 Biggest Utility Worries</a> from Distributech. Of course, the more entrepreneurial among you will look at some of these worries and see opportunities. <br />
<br />
But no matter how you see things, there's no debating we're all hoping to meet up again next winter in a reliably warm San Diego.<br />
<br />
<br />Andy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com0tag:blogger.com,1999:blog-1975210780854152434.post-62602646792102612162014-01-23T20:43:00.002-05:002014-01-23T20:43:54.606-05:00Announcing a Blogging Slowdown as a New Energy and Security Business is Born<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM_6aIVWjoVs7SqzBeUKRDZKCdFu2dPQvmTel26YvXMjoa7lIfaQ6aA95sAhKrYD8QJT-ifeskI0rpcD3R7e2JIScQeh1i4zNm1tEgWf6hnCXZesKFfFxrEH801dtWRjwHPZChQp-oe90/s1600/BochmanAdvisorsLogo+-+large.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM_6aIVWjoVs7SqzBeUKRDZKCdFu2dPQvmTel26YvXMjoa7lIfaQ6aA95sAhKrYD8QJT-ifeskI0rpcD3R7e2JIScQeh1i4zNm1tEgWf6hnCXZesKFfFxrEH801dtWRjwHPZChQp-oe90/s1600/BochmanAdvisorsLogo+-+large.jpg" height="200" width="133" /></a></div>
<br />Dear Reader,<br /><br />You may have noticed the number of posts has tapered off lately on the Smart Grid Security Blog. I've got to tell you that it's not from lack of interest or diminished activity in our space ... far from it.<br /><br />Rather, since I departed IBM last September I've been working overtime putting my consulting business together. I've now reached the point where my focus is set, my offerings are defined, and my first partners and customers have emerged. <br /><br />That means the taxiing period is over and it's time to push the throttle all the way forward and lift off ... hence, less blogging on the SGSB, at least for a while.<br /><br />The new business is called Bochman Advisors, and as you'll see when you visit the <a href="http://www.bochmanadvisors.com/" target="_blank">NEW SITE</a> I just built, it immediately identifies its focus as "Strategic security consulting for the energy sector". So far, this is working out as helping security companies get smarter on energy matters, and energy companies do better with security.<a name='more'></a><br /><br />Because a blog is built into the site, I'm going to pull in a few posts I've previously published here and then start a fresh run there. This means the Smart Grid Security blog (as well as the DOD Energy blog) will continue to be accessible as archives, but that they'll be relatively quiet in terms of new material, at least in the first half of 2014. <br /><br />Meanwhile, I'm speaking in front of energy-oriented lawyers tomorrow, will be making the rounds (and warming up a bit) at Distributech in San Antonio next week, and speaking in DC and elsewhere throughout the rest of winter and spring. I've got these things posted on the News & Events page, btw, and will try to keep that updated.<div>
<br /></div>
<div>
I've also become a fairly active person on Twitter, where I simply use my name as my ID, so that's <a href="https://twitter.com/andybochman" target="_blank">@andybochman</a>. If that medium is new to you, you should know I learn an incredible amount there, and have met some of the most interesting and helpful energy and security people on Twitter over the past year or so.</div>
<div>
<br /></div>
<div>
OK, that's all I've got for now. Hope this epistolary post finds you warm and well, and I'd be very happy to see you over at the Bochman Advisors blog sometime if you choose to stop by. </div>
<div>
<br /></div>
<div>
Yours truly, Andy</div>
Andy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com0tag:blogger.com,1999:blog-1975210780854152434.post-72235692970518566982014-01-13T21:07:00.000-05:002014-01-13T21:09:02.385-05:00Conference Alert: SmartSec Europe 2014<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3vOrZxyvfX3lF0R4vnd6wXIXugdFX1fm7eVba37n_B4dBQGSKROVgr96RgfyRca09OZo-u-uY3BLLbzH3XvcnWQBKRHCK0Hh6gq3-tIWCVbyF9t3q72CXKPyfUmqbn_7DlY8a0BuCk8/s1600/Screen+Shot+2014-01-13+at+8.47.54+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3vOrZxyvfX3lF0R4vnd6wXIXugdFX1fm7eVba37n_B4dBQGSKROVgr96RgfyRca09OZo-u-uY3BLLbzH3XvcnWQBKRHCK0Hh6gq3-tIWCVbyF9t3q72CXKPyfUmqbn_7DlY8a0BuCk8/s320/Screen+Shot+2014-01-13+at+8.47.54+PM.png" width="320" /></a></div>
<br />
There's not much time left, but here's an exciting conference if you're not going to Distributech in San Antonio, but still want to visit a historic city with picturesque waterways.<br />
<br />
Location: Amsterdam<br />
Dates: 29-30 January 2014<br />
For more info, click <a href="http://www.smartsec-europe.com/" target="_blank">HERE</a><br />
To register, click <a href="http://www.smartsec-europe.com/register.html" target="_blank">HERE</a><br />
<br />
Bonus #1: My friend Johan Rambi and grid security superstar Annabelle Lee will be speaking<br />
<br />
Bonus #2: All SmartSec attendees are invited to stay on one more day to help set the course for Europe's new ISAC and situational awareness organization, <a href="http://www.densek.eu/" target="_blank">DENSEK</a>. It convenes at 1000 hours on Friday the 31st at the same venue. <br />
<br />
And in case you're wondering, DENSEK includes but is not focused on Denmark. DENSEK stands for Distributed ENergy SEcurity Knowledge ... capiche?<br />
<br />
Photo credit: <a href="http://traviscaulfieldblog.wordpress.com/" target="_blank">The Travis Caulfield Travel Blog</a>Andy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com2tag:blogger.com,1999:blog-1975210780854152434.post-28329775528043833232014-01-09T13:08:00.002-05:002014-01-09T13:12:30.440-05:00SANS gets Cyber-Physical with ICS Breach Response Guide<div class="separator" style="clear: both; text-align: center;">
<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKm9PpGn04GDJzwi4YKyZ-TdxycR_zZAOnbN0GrBpE3_uHxA6yo5-Y3RtLO19mH22cVvldUaEWrearA8UmpGIK8IVJyWNSlGyryDlKy08sIrbzrk3mGTueUBjt8KTgo0rixTfhEZEHlzM/s1600/Screen+Shot+2014-01-09+at+8.42.40+AM.png" height="320" width="249" /></div>
<br />
With apologies to Olivia Newton John, you may or may not be aware that some bad actors have been helping raise awareness about physical threats to electric infrastructure lately. You might say, "Are we sure about this, or were they merely after some copper ... or groundnuts?"<br />
<div>
<br /></div>
<div>
Of course, it always pays to be skeptical, but in the age of video cameras, motion detectors and similar, it's clear that these were humans not after enrichment or nourishment, but rather, intent on destruction.</div>
<div>
<br /></div>
<div>
Mike Assante and Scott Swartz of security training firm SANS just released a how-to manual describing how you can help your utility proceed in the event of an attack. In particular, they want utilities to be on the lookout for cyber security foul play as they investigate breaches of physical defenses.<br />
<a name='more'></a><br />
<br />
Here's the intro for you:<br />
<div>
<blockquote class="tr_bq">
The plans and success of any malicious cyber actor depend heavily on their target’s daily routine and complacency, and human nature’s tendency to not look beyond the obvious. This paper addresses the problem of blended intrusions by suggesting a cybersecurity response to facility break-ins that critical asset security managers can use to determine whether cyber assets might have been targeted during the physical breach. The response includes a systematic and graduated series of actions or checks for evaluating the integrity of cyber-based equipment once you have discovered evidence of a physical breach. Again, these are only suggestions, and any actions should be carefully considered in light of operational reliability, procedures and particular safety policies of the owners and operators.</blockquote>
So there's some human psychology involved in this too. You can (and should) click <a href="https://www.sans.org/reading-room/analysts-program/ics-cybersecurity-response-to-physical-breach#__utma=195150004.1370555299.1389274763.1389274763.1389274763.1&__utmb=195150004.3.8.1389274858966&__utmc=195150004&__utmx=-&__utmz=195150004.1389274763.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&__utmv=-&__utmk=55130859" target="_blank">HERE</a> to read the full paper.<br />
<br /></div>
</div>
Andy Bochmanhttp://www.blogger.com/profile/16597503314698812234noreply@blogger.com0tag:blogger.com,1999:blog-1975210780854152434.post-17647100214458141332014-01-07T10:05:00.006-05:002014-01-07T10:05:54.732-05:00Singer & Brookings on the Security Governance/Ownership VacuumAnalyst and author Peter Singer of the Brookings Institute has a new book out intended for everyman. And everywoman. To include particularly those types who consider themselves non technical, or as I've heard cyber folks in DOD refer to them - tech immigrants (vs. typically younger tech natives).<br />
<br />
The net he casts is wide enough to capture senior government and business leaders too. Below are excerpts from a recent <a href="http://tech.fortune.cnn.com/2014/01/06/cybersecurity-and-cyberwar/" target="_blank">interview with CNN/Fortune</a> that really resonated with me, with particular applicability to our sector:<br />
<blockquote class="tr_bq">
"Stop looking for others to solve it for you, stop looking for silver bullet solutions, and stop ignoring it." <a name='more'></a></blockquote>
<blockquote class="tr_bq">
"I would argue that there's no issue that's become more important that's less understood than cyber. You can see this gap in all sorts of areas, including on the business side." </blockquote>
<blockquote class="tr_bq">
"Cybersecurity and cyberwar questions are going to be with us as long as we use the Internet, so we have to stop being scared and start figuring out how to manage it. And when I say "we," I mean it's not just for the IT crowd anymore." </blockquote>
<blockquote class="tr_bq">
"First, the people that sit in the C-suite, the people sitting on the Supreme Court, the people who are generals -- they likely didn't use computers when they were in college." </blockquote>
<blockquote class="tr_bq">
"It's about getting the human side of this right -- the people and the processes and the way they fit in with the technology." </blockquote>
<blockquote class="tr_bq">
"Whether you're working in the IT department or you're a lawyer or you're working in operations or wherever, you're increasingly going to be dealing with cybersecurity questions, whether it's managing people who work on them or figuring out how to protect yourself and your company from threats to your intellectual property, to your services, to your contract negotiations, or deciding "how much should I spend on this in my budget? Who should I be hiring?"</blockquote>
<div>
And for me this is the biggest / best one, especially for energy sector execs and boards:</div>
<div>
<blockquote class="tr_bq">
"Most worrisome to me is the notion that this is for the IT crowd. This is for the nerds to handle. That's how it's been treated before: 'I don't understand this stuff so I'm going to hand it over to the techies' First, that's an abdication of leadership. Secondly, the IT crowd understands the software and hardware, but they don't understand the wetware. They don't understand the humans and the organizations and the ripple effects around them that are equally, and in many cases more, important."</blockquote>
</div>
<div>
It's a great roll-up of many of the awareness, leadership and governance concepts you've seen on this blog, but in a more visible medium. Hope it sells well and gets read by lots of folks.</div>
<div>
<br /></div>
<div>
Co-authored by Singer and Allan Friedman, the book is called <a href="http://www.amazon.com/gp/product/0199918112/ref=as_li_ss_il?ie=UTF8&camp=1789&creative=390957&creativeASIN=0199918112&linkCode=as2&tag=pwsi-20" target="_blank">Cybersecurity and Cyberwar: What Everyone Needs to Know</a>.<br /></div>
<div>
<br /></div>
Andy Bochman<br />
<br />
<b>Whitsitt on What's Up with the NIST CSF</b> (2013-12-17)<br />
Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF); it is also a review of the current state of the security profession/practice/belief system, depending on your vantage point.<br />
<br />
It was penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result his perspectives and insights are unlike what you'll likely encounter anywhere else.<br />
<br />
I particularly like that he begins with a 15-point description of the "problem space", something that might have helped the CSF initiative itself get off to a better start. Points 1-3 establish an overall tone of realism that includes references to money and outcomes:<br />
<ol>
<li>We are failing at cybersecurity</li>
<li>We are investing heavily in cyber security</li>
<li>Our organizations are getting breached at unacceptable rates</li>
</ol>
That doesn't sound like a status quo anyone interested in national security would want to maintain much longer. Or the CEO of a large power company, for that matter.<br />
<br />
I particularly like point 11, which I'll paraphrase below to suit our purposes:<br />
<blockquote class="tr_bq">
A more likely way of getting at the cultural and business underpinnings of cyber security would be to start with business outcome objectives and then elicit a framework to meet those objectives. <i>AB - now here's the magic part: </i>Do this while assuming a lack of a dedicated security team and without making references to cyber security specific technologies. </blockquote>
As Jack continues, this allows the discussions to remain in plain-English business language, which means the business folks, advocating for their business objectives, remain active participants in the conversation and the solution formulation process throughout.<br />
<div>
<div>
<br /></div>
<div>
There is a ton more to like in his comprehensive treatment of the subject matter. You'll find the full piece, "My comments to NIST on the Preliminary Cybersecurity Framework" right <a href="http://sintixerr.wordpress.com/2013/12/13/my-comments-to-nist-on-the-preliminary-cybersecurity-framework/" target="_blank">HERE</a>.</div>
</div>
Andy Bochman<br />
<br />
<b>Security at the Edge of the Grid</b> (2013-12-16)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.greentechmedia.com/research/report/smart-grid-market-research-subscription" target="_blank"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXIwvYMJ0vJ8QMxDJ_8WDFWbtvvVoDk8n7fKRi945srJsfc5OMtIDz8z6GCOhxd69BqSTJrhtiPtS4qY3m2TbQhoqghi0ft7eAI15f_mW35jKkLngFdwKj-XkmbT_hCeWtZ-yQL8FtbKY/s320/Screen+Shot+2013-12-16+at+9.00.57+AM.png" width="320" /></a></div>
<br />
We used to be very concerned about traveling too close to the edge of the world, remember? Then some smart math and science guys figured out that, surprisingly, Earth has no edge, so we were free to move about the globe.<br />
<br />
Now as we approach the end of the beginning of the Smart Grid era, what began as an initiative to add visibility, flexibility, and yes, smarts all over the grid is now seeing change accelerate close to the points of consumption.<br />
<br />
Of course, amid all the excitement about innovation in distributed generation, distribution automation, energy efficiency, demand management, microgrids, storage, etc., one could forget that there's some basic housekeeping to attend to in the categories of power regulation and security.<br />
<br />
The former, which includes maintaining the quality of electricity and keeping dangerous phenomena like harmonics in check, has been the province of utilities and ISO/RTOs, and that's not going to change. Ever-increasing percentages of distributed generation are, if anything, going to make utilities' capabilities in this area even more essential to safe and reliable power delivery.<br />
<br />
The other housekeeping item, now that it's 2013/2014 and not 1963/1964, is that all the new edge devices have several attributes in common:<br />
<br />
<ul>
<li>They send, receive and store data</li>
<li>They constrain access to their data and/or services to certain other systems</li>
<li>They receive control signals, sometimes from humans (think: iPhone apps) and sometimes from other systems (think: Nest thermostats)</li>
</ul>
<br />
Of course this is an oversimplification, but astute readers will notice that the integrity of all of these activities depends entirely on capabilities from the security domain. My job as part of Greentech Media's new <a href="http://www.greentechmedia.com/research/report/smart-grid-market-research-subscription" target="_blank">Grid Edge Executive Council</a> (see my humble logo above nestled among the titans) is to ensure less-than-sexy security attributes are baked into the functional requirements of all the new products that plan to participate in this edgy arena.<br />
<br />
That way, when 2023/2024 arrives, we'll be powering our homes, businesses and country with power we can depend upon.<br />
Andy Bochman<br />
<br />
<b>Beroset on AMI and Smart Meter Security Considerations - Late 2013</b> (2013-12-05)<br />
Ed Beroset is the Director of Technology and Standards at Elster, one of the main smart meter makers, and I've had the good fortune of meeting him on several occasions when we both had speaking duties at grid security conferences. In this case, tech director also = security strategist and spokesman.<br />
<br />
Recently, as I've started to prepare myself for work with Greentech Media's <a href="http://www.greentechmedia.com/gridedge" target="_blank">Grid Edge</a> council, I wanted to check up on the current state of security thinking around AMI and smart meters.<br />
<br />
Lo and behold, here's Ed who just put it down in pixels with 3 questions to ask yourself, along the lines of what are you protecting and why, and 7 to ask your vendors. In the latter category, I particularly like #1 and the advice that follows:<br />
<blockquote class="tr_bq">
<i>What security measures does your system employ?</i> </blockquote>
<blockquote class="tr_bq">
Don’t settle for vague or imprecise answers to this question. Any reputable vendor will be able to give you a clear and detailed answer. Furthermore, don’t accept the excuse that the security measures are proprietary and top secret. As any security expert can attest, in modern systems, it is not a secret algorithm, but a secret key, that ensures security.</blockquote>
This may be more advanced than your typical energy sector start-up is ready for, or needs to be ready for, but it's a good example of the type of scrutiny mature product suppliers like Elster have come to expect as a matter of doing business with increasingly security-aware customers.<br />
<div>
<br /></div>
<div>
You can read the full article <a href="http://www.smartgridnews.com/artman/publish/Technologies_Security/The-3-ultimate-goals-of-AMI-security-and-how-to-achieve-them-6197.html/" target="_blank">HERE</a>.<br />
<br /></div>
Andy Bochman<br />
<br />
<b>A Means to a Measured Approach to Cybersecurity</b> (2013-11-27)<br />
Having posted <a href="http://smartgridsecurity.blogspot.com/search?q=metrics" target="_blank">innumerable</a> times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.<br />
<br />
I just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they seem to have found their way to these ideas by following their own path.<br />
<br />
A few of the principles we seem to share include:<br />
<div>
<ul>
<li>You must measure security if you're ever going to manage it well</li>
<li>Similarly, you must measure security if you're ever going to align security investments and policies with business or mission objectives</li>
<li>Compliance-based approaches provide at best a false sense of security</li>
<li>Significant attention by and involvement of Senior Management and Board is important</li>
</ul>
</div>
<div>
In a <a href="http://blogs.wsj.com/cio/2013/11/25/financial-industry-beats-tech-in-cybersecurity-defense/" target="_blank">recent WSJ article</a>, this company, <a href="http://www.bitsighttech.com/" target="_blank">BitSight</a>, noted a correlation between its findings re: the observable technical security indicators it tracks and the companies that scored the best in its recent study. Top performers had: "a greater focus on cybersecurity by senior management." But of course.<br />
<br />
And here's its critique of compliance approaches to security, published in <a href="http://www.riskmanagementmonitor.com/looking-beyond-compliance-when-assessing-security/" target="_blank">Risk Management Monitor</a> last week. Sounds as if they're channeling many of our thoughts about compliance regimes like the NERC CIPs: </div>
<blockquote class="tr_bq">
A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies .... Also, no matter how complete a checklist or audit is, its results are only a point in time reflection and can’t measure the dynamic nature of the risks it is meant to assess ....</blockquote>
Please note that the security measurement techniques developed by BitSight in their early days are neither comprehensive nor perfect. But they needn't be to be of great value to orgs (or their partners, suppliers, regulators, etc.) trying to figure out how they are doing and how to improve over time. I recommend you/we keep an eye on them.<br />
Andy Bochman<br />
<br />
<b>ICS Electric Utility Attack Video and Aegis to the Rescue</b> (2013-11-25)<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.securingthehuman.org/cyberattackdemo" style="margin-left: auto; margin-right: auto;" target="_blank"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6KVYi2wP5jjC4wALOJqRw5k1OFjAHvMZanLVlCDfUh0QYCleXW91xZCw_4ArF13EWYBkkil7P3r9RCHnZy9GzVVg0vK6chhwYmvcDRObaGGfkW8uFq5vkwB53egDhn1Riak4vuBt9AIw/s320/Screen+Shot+2013-11-25+at+10.00.48+AM.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">SANS Securing the Human - ICS Attacker</td></tr>
</tbody></table>
The excellent security-minded people at the SANS Institute have produced an 8 minute video that walks you through a control systems attack. The money they saved by using animation instead of Matt Damon or Morgan Freeman was put to good use, as you'll see. For such an esoteric subject, this is a first rate video. For more info please visit the Securing the Human site at <a href="http://www.securingthehuman.org/">http://www.securingthehuman.org/</a><br />
<div>
<br />
Meanwhile, to calm you down after the video gets your heart rate up, you should start learning about a new tool that's set for release at the upcoming SANS SCADA Summit. It's called Aegis and it's not an anti-ballistic missile system. It's a testing tool to help ensure systems communicating with one of the most common SCADA and controls systems communications protocols, DNP3, are harder to attack.</div>
<div>
<br /></div>
<div>
You can read more about Aegis here: <a href="http://www.automatak.com/aegis/">http://www.automatak.com/aegis/</a></div>
<div>
<br /></div>
<div>
And more about the SANS ICS Summit here: <a href="http://www.sans.org/event/north-american-ics-scada-summit-2014">http://www.sans.org/event/north-american-ics-scada-summit-2014</a></div>
Andy Bochman<br />
<br />
<b>Sandia and Hayden on Cybersecurity Strategies for Microgrids</b> (2013-11-23)<br />
First off, thanks to friend and colleague Ernie Hayden for writing a microgrid security post following his mini-immersion in the topic last week. You can read his write-up <a href="http://infrastructuresecuritytoday.blogspot.com/2013/11/microgrids-and-security-more-news.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+InfrastructureSecurityBlog+%28Infrastructure+Security+Blog%29" target="_blank">HERE</a>.<br />
<br />
In particular, I want you to see something he linked to: SNL's <a href="http://prod.sandia.gov/techlib/access-control.cgi/2013/135472.pdf" target="_blank">Microgrid Cybersecurity Reference Architecture</a>. That's Sandia National Labs, btw, not Saturday Night Live; talented though he is, Jimmy Fallon is not a contributor to this piece.<br />
<br />
<br />
Note: the microgrid concept described by Sandia is principally for energy security in DOD use cases, for emergency fall-back scenarios. Not necessarily for improving day-to-day operations or achieving efficiencies or cost savings, though you get some of those as part of this.<br />
<br />
An excerpt from the Executive Summary makes that concept clear:<br />
<blockquote class="tr_bq">
The design of a microgrid control system needs to be more robust than that of a traditional industrial control system (ICS) for the following reasons:</blockquote>
<blockquote class="tr_bq">
<ul>
<li>The microgrid is used in emergency situations and may be critical to continuity of operations of an installation </li>
</ul>
</blockquote>
<blockquote class="tr_bq">
<ul>
<li>The microgrid must function during active attack by a capable adversary.</li>
</ul>
</blockquote>
<blockquote class="tr_bq">
As such, the traditional design and implementation for an ICS may not be sufficient for implementing a robust and secure microgrid.</blockquote>
Of course, there are an increasing number of non-military microgrid use cases and a burgeoning technology and integration market that supports them. But my guess is that all those civilian applications should go to school on how Sandia and the DOD are hardening theirs, and select from among those approaches the security that's right for their own risk tolerance objectives.<br />
Andy Bochman<br />
<br />
<b>SCADA Primers Now for Grades 1-8 and Even More Managers</b> (2013-11-21)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqVgVm0dE0gPH8ztEq7D3rpoOpV3TI8XtkyveWnU07CDG7AUdgTholfjIDw3dlvjWaLJHHa9zHqHHo8gvcP7_Wp47USd4hyphenhyphenIQKZ40ef_c48c3-Koo9nvn6gVCt7mZvGY8zWrkd7YnAASM/s1600/SCADA+and+Me+Goodnight+Moon.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqVgVm0dE0gPH8ztEq7D3rpoOpV3TI8XtkyveWnU07CDG7AUdgTholfjIDw3dlvjWaLJHHa9zHqHHo8gvcP7_Wp47USd4hyphenhyphenIQKZ40ef_c48c3-Koo9nvn6gVCt7mZvGY8zWrkd7YnAASM/s320/SCADA+and+Me+Goodnight+Moon.jpg" width="320" /></a></div>
<br />
Earlier this year, the US Air Force's Robert M. Lee brought us <a href="http://www.amazon.com/SCADA-Me-Book-Children-Management/dp/149127512X" target="_blank">SCADA and Me</a>, an intro level graphic novelette optimized for very young children and certain managers. Now comes Haley Wauson of industrial automation company Cimation with a blog post that should help SCADA and Me readers advance to the level of middle school literacy and educate an even more advanced cohort of managers.<br />
<br />
In her succinct post "<a href="http://www.cimation.com/blog/bid/190307/What-is-SCADA-Anyway" target="_blank">What is SCADA Anyway?</a>" Ms. Wauson uses infographic style visuals and multi-syllabic words to take readers to a level of depth that goes well beyond Robert Lee's Goodnight Moon-esque masterpiece.<br />
<br />
It sounds like I'm joking around, but works like these are actually just the thing for de-mystifying technology that's foreign to IT-centric folks. SCADA and control systems are of central importance to making good things happen in our increasingly interconnected "Internet of Things" world, or as my recent alma mater IBM has dubbed it, the Smarter Planet.<br />
<br />
Securing these things, now that's another matter. But first you have to know what they are, and where they are, in the first place!<br />
Andy Bochman<br />
<br />
<b>Grid Attack Simulation Just Completed: “It was More Severe than Anything We’ve Drilled”</b> (2013-11-14)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgam1FGDCrrnFyXhNRvnH-sbcWwk77shlR-MOWSBLusig9wZ66lo_zn3y9to1Jn5EwpNO5O8U37NXowE1OM9fQSX2fT60OuahCD6QtOmkgl8gHob0f4xJXcRCdh-XvtZB4O2MKQv-zRSDY/s1600/pylons_2027346b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgam1FGDCrrnFyXhNRvnH-sbcWwk77shlR-MOWSBLusig9wZ66lo_zn3y9to1Jn5EwpNO5O8U37NXowE1OM9fQSX2fT60OuahCD6QtOmkgl8gHob0f4xJXcRCdh-XvtZB4O2MKQv-zRSDY/s320/pylons_2027346b.jpg" width="320" /></a></div>
<br />
So said the President and COO of AEP subsidiary Southwestern Electric Power Company, of the scenario she and her people faced during NERC's second GridEx exercise.<br />
<br />
Sounds like NERC CEO Gerry Cauley and his team brewed up something pretty potent this time. Heck, it even included 7 deaths and 150 casualties ... in quotes of course.<br />
<br />
NERC will issue an "after action" report including objectives, what actually happened, lessons learned and recommendations as soon as they get some sleep. In the meantime, this account from the NY Times' Matthew Wald is pretty darn good. You can check it out <a href="http://www.nytimes.com/2013/11/15/us/coast-to-coast-simulating-onslaught-against-power-grid.html" target="_blank">HERE</a>.<br />
<br />
Photo credit: The Guardian<br />
Andy Bochman