
Thursday, August 22, 2013

NERC CIPs Catching up to iPhone Version Numbers


OK, imagine an auction barker: "Bids opening at NERC version 3, do we have a version 3? ..."

"Yes! How about version 4?" Etc.

Well, according to Honeywell's NERC CIP guru Tom Alrich (of the famous, eponymous and quite helpful blog), it now appears that the next version of the CIPs with which utilities must comply will be neither version 4 nor 5 but rather version 6!

I was stunned, as were many of those in online attendance. Tom explains his reasoning on the EnergySec webcast, and much more, which you can see HERE. There's a lot of helpful information for utilities of all sizes dispensed in this hour-long piece, with some deep dives into the ramifications of high, medium, and low impact assets.

Now, depending on whether we get an iPhone 5s or 6 next month, it's clear that NERC will not allow the CIP versions to lag far behind.

----------------------------

Attended most of this webinar online, but hat tip to my former colleague and (hopefully) current friend, Nebraskan Dave Hemsath of IBM for sending me the replay.

Photo credit: KCRW.com

Tuesday, July 23, 2013

SANS cyber security awareness training for eager utility employees ... and their regulators

I recently stumbled upon some excellent online training materials from the well respected SANS Institute that could be quite useful to you and your organization.

In a series of online modules, many of them tailored to the particular needs of utilities, SANS "Securing the Human" courseware seems to be an easily digestible, self-paced way to get important cyber security awareness messages across to a large number of users.

Note: NERC CIP content here is constructed around version 3, so with newer versions now approved by NERC and FERC, SANS will want to update certain modules accordingly. But 99% of the material is right on the mark, and would be appropriate for electric sector personnel outside the US as well.

Wherever you fit in the ecosystem, whether you're an executive or a rank-and-file worker bee, whether you're in a utility, a regulatory agency, a vendor, or just a user of digital technology who wants to stay safe, I recommend you check it out.

---------------

SANS URL:

http://www.securingthehuman.org/utility/index

Thursday, March 28, 2013

EnergySec Welcomes NERC CIP Virgin Utilities with Version 4 Briefing

Titled "Get Ready for Version 4," the deck linked at the end of my words has some great and helpful info in it, not just for utilities transitioning from version 3, but for brand new utilities that for the first time come under the tender embrace of the CIPs. To them, all of us in the community say, "Welcome aboard!!!"

An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:

Tuesday, September 18, 2012

The Quest to Better Understand the NERC CIP Bright Lines

Tom Alrich and Rick Kaun have written some of the best material we've seen on the topic of the evolution of the CIPs, and Tom has a new piece clarifying the lack of clarity in the Bright Lines language.

This is something of interest to all utilities currently busy achieving and demonstrating compliance with version 3, and grappling with what they should do to best prepare for versions 4 and/or 5 coming at them sooner than they would probably like.

Here's Rick's intro followed by a link to Tom's article. Note: you may not like what Tom has to say, but it's better to get this news now than to go ostrich ....

Sunday, June 24, 2012

Security Checklists, Compliance Cultures, and Finding a Better Way

Fixating on responding to a compliance regime is, in a sense, like agreeing not to learn. You know how, when you're in the passenger seat, even if you go to the same destination a hundred times, if you weren't driving you don't remember how to get there because you never learned in the first place? Fortunately, the GPS came along just in time to save your butt.

Before I go any further, please note this is not intended as invective against the NERC CIPs. I know why they were made and why we still have to have them. Most of us wish it were otherwise, but unless and until the majority of utilities are observed performing the activities the CIPs require (and more) on their own initiative, this is the way it's going to be.

Have to tip the figurative hat again to Ernie H, who once again can be counted on for spotting and forwarding the good stuff. THIS recent Dark Reading article lays bare the downside of a checkbox compliance mindset. In it, I like this analogy from security researcher Lamar Bailey:
[Security] standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game. If you can't pass them with two hands tied behind your back, you need to quit and find another game.
I could see how that might make some folks say Ouch! Anyway, it prompted me to do a search to see if utilities were embracing or resisting some of the downsides of this mindset. Well, it didn't take long before I happened upon this. Imagine you pay the salaries of dozens of folks, as many utilities do, engaged in activities described by one CIP compliance manual this way.

It begins, "Evidence is more than just documentation" and continues:
Demonstrating compliance usually means “corroborating” evidence. In other words, compliance programs should be designed to produce an output of several auditable records for each requirement to demonstrate performance. A documented process is the first part of demonstrating compliance. Additional examples include a log file, a change request form, a visitor log, or an incident response drill attendance sheet. For each requirement, a documented process and at least one other additional record should be available to demonstrate compliance.
There have got to be better ways to run and secure a utility, no? And of course, reading to this point is worth it if it means you get to a gem of an article I posted a link to almost exactly one year ago. Once again, HERE's Stephen Flanagan of FERC, giving a keynote on what he terms compliance cultures vs. cultures of commitment, who even as an auditor, keeps this in mind: "Security, not violations, is the primary focus." Like that.

Monday, February 20, 2012

A Grid Guy's Perspective on James Lewis' Testimony re: the Cybersecurity Act of 2012


James Lewis is Mr. Cybersecurity these days. A colleague (hat tip: Steve O) just sent a note out pointing to a new article appearing front and center on WSJ.com tonight, featuring prominent statements by Dr. Lewis, the Tech Policy Director of K-Street think tank CSIS.

Two weeks ago I wrote a post that ridiculed as alarmist a few quotes, including one ostensibly made by Lewis, that appeared on another well known financial media site.

And just last week he testified before a Senate subcommittee about what he likes, and what he finds wanting, in the draft bill that's looking increasingly likely to make it through Congress sometime soon.

You should note that unlike last year's Grid Act which passed the House (HR 5026 Grid Reliability and Infrastructure Defense Act), the focus of the current bill, and therefore of Lewis' testimony, is not energy sector specific. Here's one of his opening sections in which I find nothing not to like:
Reducing risk and vulnerability in cyberspace is a fundamental challenge. In considering this problem, we have learned through painful experience that market forces will not secure cyberspace and that existing authorities are inadequate for national security and public safety. The list of private sector companies, including technology leaders, whose defenses have failed is long and would be longer if all breaches were disclosed. Continuing to use a voluntary, market-driven approach to this new national security concern is irresponsible and guarantees a successful attack against our nation.
Our sector, of course, has the NERC CIPs. Much derided in some circles, though in my mind a huge improvement over the kind of security we'd likely see from pure "market forces," the NERC CIPs are anything but voluntary. And when versions 4 and/or 5 go into effect, they'll cover many more systems and require more security controls for most.

The 2012 Cybersecurity Act aims to give DHS the lead in securing critical infrastructure, and it's unclear to me how it might supplement or complement the current NERC CIPs. More on that later.

Meanwhile, toward the end of his testimony, Lewis sounds a positive note that quickly turns ominous:
Anyone who tells you that we do not know how to do cybersecurity is sadly out of date. The National Security Agency, the National Institute of Standards and Technology, and other Federal agencies are pioneering techniques that can strengthen America's defenses. But while we can require implementation and measure the rate of implementation in the Federal government, there is no comparable ability to measure and secure commercial critical infrastructure. This remains the single largest vulnerability for America in cyberspace.
So while we have the NERC CIPs, you can take his point about "no comparable ability to measure" critical infrastructure to mean that while audits occur and fines are sometimes levied, neither DOE, nor FERC, nor NERC keeps track of how the utilities are doing. There's no standard framework that tells us which utilities are doing a great job and which ones are lagging. IMHO that is a problem.

You can read Lewis' full testimony HERE.

And one more thing: on Lewis' CSIS page he also includes a link called Serious Cyber Events. It's a comprehensive list of the most noteworthy known attacks and breaches from 2006 to the present. Out of a total of 87 events cited, only 2 involved power systems:
  • January 2008. A CIA official said the agency knew of four incidents overseas where hackers were able to disrupt, or threaten to disrupt, the power supply for four foreign cities.
  • April 2009. Wall Street Journal articles laid out the increasing vulnerability of the U.S. power grid to cyber attack; also highlighted were the intrusions into F-35 databases by unknown foreign intruders.
2 out of 87 would be a horrible batting average (.023 - yikes!) on any baseball team. But in this game, which really is no game, it's an average I'd like the sector to maintain. So keep one eye on the NERC CIPs and beyond, and keep the other eye on what James Lewis and Congress have in store for us.

Wednesday, June 22, 2011

The Best Talk Ever on NERC CIPs and Grid Security ... Period

I've read some good stuff over the years, though never at work. In the classics department my favorites are The Heart of Darkness, Moby Dick and The Invisible Man. For somewhat shorter, if not lighter fare, I like Haruki Murakami and the Raymonds: Chandler and Carver.

But the line between pleasure reading and work reading has been big, bright and until recently, very, very bold. That is, until I found Stephen Flanagan's mature (by his own reckoning) perspective on the Critical Infrastructure Protection standards (CIPs), the culture of utilities, and the difference between compliance and commitment:
I have a problem with this term “compliance.”  In fact I think it’s bad terminology for the CIP program and gets us into the entire wrong mindset from the get-go. And why do I think this? Well although the term “compliance” has a more or less precise legal definition, its use among the uninitiated does not have the same connotations.  I fear that when many hear the term they look more to Webster than Black as the dictionary of choice.  And in Webster one is likely to find the word defined as: Compliance: –noun, 1. the act of conforming, acquiescing, or yielding. 2. a tendency to yield readily to others, especially in a weak and subservient way.
He asks "How does that grab you?" and continues:
... in my opinion, for reliability, and I stick CIP into the reliability program as a whole in this discussion, I think the better term would be “commitment” rather than “compliance.” Why “commitment” you may ask. Well again Mr. Webster provides some helpful insights: Commitment: –noun, 1. the act of committing, pledging, or engaging oneself. 2. a pledge or promise; obligation. 3. engagement; involvement. 
Flanagan concludes with "Now doesn’t that sound a whole lot better?" Yes, it sure does.

I've never heard the compliance vs. security conundrum more eloquently and simply put. Compliance mentality is an organizational, cultural disease that undermines real proactive security attitude and action. I'll take engagement and involvement every time.

There's a whole lot more to savor and appreciate in this learned, witty, irreverent article. You may find the occasional typo, and maybe the title's a bit alarmist, but that's likely because this isn't actually a work of great literature. However, in my experience, and in our space, Stephen Flanagan's keynote address is one for the ages ... a grid and Smart Grid security masterpiece.

You can read the whole thing HERE.

Tuesday, May 17, 2011

FERC's Director of Reliability Speaks Out on Grid Gaps


While you were relaxing and celebrating Cinco de Mayo with cervezas y margaritas and such, FERC's Joe McClelland was on the job (as always), testifying before a Senate committee on what he sees as the current gaps in coverage in grid protections and what should be done about them.

For starters, he laid it out quite simply:
The Commission (FERC) currently does not have sufficient authority to require effective protection of the grid against cyber or physical attacks. If adequate protection is to be provided, legislation is needed and my testimony discusses the key elements that should be included in legislation in this area.
He then proceeded with something you should know about if you didn't already ... about US cities and 2 entire states:
Currently, the Commission’s jurisdiction and reliability authority is limited to the “bulk power system,” as defined in the Federal Power Act (FPA), and therefore excludes Alaska and Hawaii, including any federal installations located therein.  The current interpretation of “bulk power system” also excludes some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber or other national security threats to reliability that involve such facilities and major population areas.
And beyond the geographic dead zones he called out above, and the fact that the CIPs miss the majority of the grid by leaving out the distribution network entirely, there's also the temporal issue ... the current process is slow ... way too slow depending on the nature of the threats to be countered:
The procedures used by NERC ... can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information. The current procedures ... do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action, while the reliability standard procedures take too long to implement efficient and timely corrective steps.
I could go on citing McClelland's sharp observations and recommendations, but maybe it's better for you to get the rest in the complete context. There's a lot more to take in so click HERE for the full transcript. If you're like me, you've got to be glad Joe is on the job.

Photo credit: yngrich on Flickr.com

Monday, May 9, 2011

NERC and NIST Ramp Up Risk Management Collaboration

There are security-related ISO, IEC and IEEE electric grid standards galore, but these are technical standards. I know it's more complicated than this, but I submit that the easiest way to tell regular folks about grid and Smart Grid security standards is to say there are really only two that matter in 2011, and they are:
  • NERC CIPs, version 3
  • NISTIR 7628, version 1
The first covers cyber security protections of only the most critical generation and transmission assets in the bulk electric system (BES) and has little to do with protecting new Smart Grid systems, most of which deploy in the distribution network, far from the BES. The second boldly attempts to describe how to secure the whole enchilada, albeit at a high level. In short, there isn't a heck of a lot the two standards/guidance documents have in common.

We've described each ad nauseam on this blog, so let's look at something more soothing. With the next versions of the above standards still over the horizon, let's consider the nascent collaborative effort between NERC and NIST, confirmed by language pulled from a draft budget document submitted by an SGSB reader:
... NERC is collaborating with DOE and the National Institute of Standards and Technology (NIST) to develop comprehensive cyber security risk management process guidelines for the entire electric grid, including the bulk power and distribution systems. This initiative is particularly important with the increasing availability of smart grid technologies. While the majority of technology associated with the smart grid is found within the distribution system, vulnerabilities realized within the distribution system could potentially impact the bulk power system.
So, it seems that some folks in high places have realized the disconnect, and seek to build a risk management bridge between the CIPs and the NISTIR. This is good news, right? Here's the draft NERC 2012 business plan and budget, if you're into this kind of thing.

Tuesday, May 3, 2011

FERC and NERC: Who Blinks First on Bright-Lines?

This post continues a series where we try to get a fix on where the next versions of the CIPs are going, and exactly when they're coming (see previous posts on this topic from March and April of this year).

You know, if there were some sex or violence, or even a little Ian Fleming-esque international intrigue involved, the quest for the next version of the NERC CIPs might merit its own slot on prime time. As it is, however, it can best be called a regulatory reality show.

As this new open letter (registration required) from security consultancy Matrikon reveals, the producer, FERC, seems to be tiring of its wayward plot and may begin inserting a script more to its own liking.

While a full accounting of recent events gets quickly quite complicated, much of the kerfuffle centers on the so-called "bright line criteria" (aka, the rules) used to determine which additional electrical generation and transmission assets will get CIP scrutiny when the long awaited version 4 finally arrives.

I'm oversimplifying things, of course, but in a nutshell, FERC wants more bulk power assets monitored, while utilities want fewer. And poor NERC is caught in between, taking too long, and hamstrung by the rules governing its own standards process.

The open letter paints a pretty good picture of this dynamic, and while never claiming certain knowledge of how things will ultimately play out, I think this paragraph imparts the tension of the present impasse:
Earlier in the NERC/FERC relationship, FERC would have simply disapproved Version 4 and sent it back to NERC to rewrite, submit for new comments and ballot(s), redo the survey with whatever changes came out of the balloting and then make a new filing to FERC. This would probably take close to a year. Our guess is this will not happen. FERC has been losing patience with the NERC standards process for a while, and they (and members of Congress) have repeatedly stated that the security of the BES is at risk given the current coverage of critical assets in NERC CIP.
Seems like the ball is in FERC's court. All we can do is stay tuned. And of course, if I've misrepresented the current situation in some way, please let me know so I can help get the right knowledge out there.

Tuesday, April 5, 2011

No Jive: it's 5 (Version 5 of the NERC CIPs, that is)


You know, there's only so much you can do to enliven a discussion on the development of industry standards. Here at the SGSB we do our best to keep it interesting, but when you get right down to it, you've really got to have a major stake in this matter to give a ... hoot.

So if you're still reading, you must have a searing need to know more. Whether you're an outside observer or a utility employee or contractor on the inside, you must really care about the rules intended to help move utilities to become more secure. Or else you're a lost ESL student who happened upon this page and are even now trying to figure out what these words mean. In any case, let's proceed.

A few weeks ago I got the first few dispatches from the most recent NERC Standards Development Team (SDT) meetings and posted a few observations HERE.

Since then, some more info has become available that confirms, corrects, clarifies and/or expands upon the initial stuff. Here are a few of the more important updates focusing entirely on the emerging Version 5 (V5):
  • Re impact level classifications, practically speaking, there are only two levels: baseline and high-impact. The high-impact assets are divided into those at control centers and those at generation plants or substations. At any particular facility, there will be only two types of assets.
  • As the effective date for V4 will be in 2013, it’s a good bet that V5 compliance won't be required until 2014
  • While bright-line criteria for risk methodology are a V4 addition, in V5 the criteria determine which cyber assets are high vs. baseline (see first bullet)
A more detailed account called "Version 5: The Fog Starts to Lift" is available at the Matrikon site. You'll have to register if you haven't already, but I think you'll find it's worth a few extra keystrokes.

Photo credit: J/K_lolz on Flickr.com

Tuesday, March 29, 2011

Next Gen NERC CIPs Taking Shape in early 2011

Previous posts have tried to give readers a hint at what lies beyond the veil re: versions 4 and 5 of the NERC CIPs. More scuttlebutt has been arriving over the past week or so; heard it through the NERC Standards Development Team (SDT) grapevine. As always, please consume this forward looking stuff with a grain or two of NaCl:
  • The SDT has decided to leave the impact levels as they originally were designed based on FERC’s request to do so in version 5 of the CIP rules
  • This means there will be high, medium and low impact levels
  • Encryption will be a requirement in version 5 for all medium and high impact systems
  • Utilities will have a few years to implement new version 5 controls since version 5 won’t go into effect until mid 2013 or so. 
  • It is estimated that there will be an additional 20-40 new measurements that the medium and high impact systems will have to incorporate…uncertain on what those are going to be at this point
  • And this train has been coming for some time now: the terminology for CIP-002 will change from “Risk Based Assessment Methodology” to “Bright-Line Criteria”
Since January 2008's final ruling by FERC on Order No. 706, the industry has been moving, not necessarily steadily or with great speed, towards a more robust articulation of security standards in each subsequent version of the CIPs. From the cyber security practitioner's point of view, it appears the sector is going to be in a stronger position in a few years. Here's to holding it together until then.


Tuesday, January 25, 2011

NERC CIPS: Latest Updates on Versions 4 and 5 ... and some Sympathy for the Folks Building Them

A few weeks ago I attempted to impart some wisdom on the status of the CIPs. (It remains to be seen whether that was smart.) Now the "Insecurity Culture" blog has an excellent new post, linking you (once you register) to two "open letters" describing in some detail how and why the CIPs are being made.

And while analysts and others grumble about the sporadic output of the Standards Development Team (SDT), the (probably) too many committees, and the cumbersome and confusing approval process, these letters paint a fuller picture of what's really going on. For example:
There are people who think the SDT is a bunch of regulators run amuck, dreaming up one new standard after another just to preserve their jobs. This might be a good criticism, were it not that a) the SDT members are all employees of NERC entities, b) that they aren’t paid for their SDT work, and c) that they all have full-time day jobs they have to do as well .... So why are they starting now to develop a new CIP version that will be a complete revision of the former versions (and thus far more work than even Version 4 was)? The reason is simple: They have to ....
I liked that account, and after reading this stuff all the way through, I'm pretty excited to track the SDT's progress with the ambitious Version 5. And amazed to think how much work utilities have ahead of them to meet the Version 4 requirements deadline. Follow this LINK to the post and look for the cowboy hat.

Tuesday, January 11, 2011

NERC CIPs: Looking at Version 4 Red-lines and Headlines in early 2011

Back in December 2009, the CIP-002 version 4 draft was called "Cyber Security—BES Cyber System Categorization," and it sought to break out T&D assets into High, Medium, and Low BES impact systems, as well as to define violation levels built off of these categorizations.

Because of the increasingly interconnected and interdependent nature of grid assets in the emerging Smart Grid, regulated protection of the most important systems, while a good starting point, is far from mission complete. Hence, this draft included language that removed the bias towards the subset of systems deemed critical:
"Terms to be retired from the Reliability Standards Glossary of Terms once the standards that use those terms are replaced: Critical Assets, Critical Cyber Assets ..."
This was viewed as a relatively bold step forward at the time by advocates for more granular guidance across a broader range of systems, and as overwhelmingly too much work by asset owners who already felt CIP compliance activities were draining far too many cycles from their already maxed out employees.

A number of industry watchers and bloggers were pretty excited about version 4's new directions, and articles like "DRAFT NERC CIP-002-4 - A Turning Point for NERC CIPs?" and "Big NERC CIP Changes Looming" foresaw:
"Every requirement will be auditable and not just addressable," and "there are no 'out of scope' bulk electric system assets."
Well, as you can imagine, debates ensued among the members of the standards development team, and the language, one year later, is much less ambitious. As this December 2010 red-line copy reveals, CIP-002 version 4 retains its original name, "Cyber Security—Critical Cyber Asset Identification," and only a few things are set to change:
  • The biggest change is that utilities are no longer responsible for identifying critical assets via their own risk based assessments. A new attachment takes care of that for them and brings badly needed uniformity to the process
  • A clear call-out that nuclear assets, regulated by the NRC, are definitely not in scope
  • A reworking of violation levels is now "to be developed later"
For folks who've followed the process, this seems like a lot of time consumed without very much to show for it, unless regulators and the regulated feel that preserving the grid security standards status quo is in everyone's best interests.

Also, just in from the grapevine comes word that more is set to change than is revealed in the red-lines. Here are a few unconfirmed but likely items:
  • The terms "Electronic Security Perimeter" and "Physical Security Perimeter" are being retired
  • High, Medium and Low impacts, based on the total output of each registered facility, will return to CIP-002
  • All material black start facilities will be considered High impacts regardless of their generation capabilities
I want to keep the information on the SGSB as accurate and helpful as possible, but as an outsider to the standards development process, my view of what's coming next is far from perfect. So if any readers who've made it this far know more, or know different than what you've read here, please let me know and I'll update the post pronto.

Wednesday, November 17, 2010

A Few Pointed Suggestions for Improving the NERC CIPs, and in so doing, Grid Cyber Security

This short article released on the ControlGlobal site last week addresses technical issues, but defines its terms and acronyms well enough to be understandable to business readers.

Key points are:
  1. Using spot checks on systems to go beyond the current paper chase approach to validating CIP compliance; and,
  2. Acknowledging that attackers and malware will find ways around/through current "outer wall" based network defenses, instituting a less perimeter defense-oriented approach to security controls with guidance on use of DMZs in between internal networks
These guys are aiming for "actual security" versus faux security via a pure compliance choreography. You may not agree with all the guidance. Depending on your orientation, you may think this is too much ... or too little. Or you may find that some of the recommendations would increase costs for stakeholders, but overall, I believe this is potentially helpful stuff.

Monday, October 4, 2010

New SGSB Webcast is Live

SGSB Webcast 5: Smart Grid Software Security


While it's fun to think of all the great new gadgets and devices that are enabled by the Smart Grid (and that the Smart Grid enables), none of them could even begin to work without the "invisible glue" out of which the entire enterprise is being constructed: software.

As we rush to deploy Smart Meters by the millions, consumer portals, HANs and iPad applications that can communicate with them, meter data management systems (MDMS) to handle the tons of data they generate, electric vehicles (EVs) to push local electric infrastructures to the limit, and synchrophasors across the continent to give us a better view of "the greatest engineering achievement of the 20th century", it's important to not forget about software just because we often can't see it.

Misconfiguration of software assets and (usually unintentional) vulnerabilities in code are the primary pathways hackers use to breach systems, alter their behavior and reach sensitive data. This presentation is more of a "why to" than a "how to" manual. There are plenty of the latter and I'd be happy to point you to some. But the reasons for taking on this challenge are compelling, and IMHO, need to get out.  

Enough already, here you go. It's about 17 minutes long, and you'll like it better if you make it bigger (click on "Full" icon in the lower righthand corner).

Tuesday, September 7, 2010

Clock is Winding Down on NERC CIP 002-4 Mandatory Data "Request"


FYI: Utilities had until today, 7 Sep 2010 to respond to four not-so-simple questions/directives:

1. What is the number of elements in your Existing Critical Asset List?

2. For each element in the list above, use the criteria in the enclosed Attachment 1 (not provided here) to determine how it would be categorized. Each element on the list must be counted only one time. If a particular element could be qualified as multiple criteria, please choose the one that applies most to the element. The sum of the elements included in the answers to question 2 should equal the number of elements provided in the answer in question

3. Use the criteria in Attachment 1 to estimate the Critical Assets and each Critical Assets’ impact level that your Registered Entity would report for its share of the Bulk Electric System. Please count each Critical Asset only once. If a particular Critical Asset could be qualified as multiple criteria, please choose the one that applies most to the Critical Asset. It is understood that, given the time frame, this is a rough estimate and is not necessarily the exact number that you would report given enough time to perform a detailed analysis of your system.

4. Enter all of the NERC Compliance Registry (NCR) numbers that you are reporting on an enterprise-wide basis for.

It will be very interesting to see what comes of this activity. We should begin to get a feel for the version 4-driven increase in scope and complexity for NERC CIPS preparation, auditing and reporting pretty soon.

The NERC survey page can be seen HERE.

Photo credit: laffy4k / Chris Metcalf on Flickr.com

Wednesday, August 11, 2010

Day One Recap from the 1st Smart Grid Cyber Security Summit

I'm afraid it's a little too late to go for complete coherence, so here are some bleary-eyed bullets summarizing a few (but not nearly all) of the first day's highlights:
  • Scott Borg of the US Cyber Consequences Unit showed how the US economy can easily weather ~3.5 day outages, but that when you get beyond that duration across a broad region, you get into large and very large effects, as in "massive ... breathtakingly bad." So small, short duration security incidents we can handle and don't need to worry about too much. But we should move (and spend) heaven and earth to ensure we don't experience even one of the very big ones
  • Bob Gohn of Pike Research gave us the latest Smart Grid security findings and trends, and announced the release of Pike's latest report on Smart Meter Security
  • FERC Commissioner Philip Moeller, whose NERC CIP experience goes back to some of the earliest draft language from the year 2000, acknowledged the challenges NERC faces fielding a uniformly solid field of CIPS auditors, and told us to keep our eyes open for a possible collaborative effort involving FERC and state regulators
  • I could do an entire post on Joe Weiss' presentation, but for now let it suffice to say that the Stuxnet virus is much more problematic than initial reports (including one made on this blog) indicated. Here's a decent Stuxnet update from Symantec. Among other things, note the lengths to which this malware goes to protect itself from detection
  • Joe also made it clear that Smart Grid or no Smart Grid, SCADA/ICS systems are a disaster waiting to happen and that there's not a heck of a lot we can do about it. He supported this point by saying: 1) we have basically zero forensics capabilities to investigate SCADA/ICS attacks; 2) OT hates IT in all sectors, not just energy, and that this culture war gets in the way of migrating good security practices to the SCADA/ICS world; 3) there's nothing at all comprehensive about NERC CIPS; 4) there are 5 or fewer utilities going beyond the security controls required by the CIPS; 5) to work, SCADA/ICS security must be a living program, as every time you change or add something, you impact security; 6) NERC CIPS have made the grid less reliable by enticing some utilities into removing IP connections from some important devices, which makes them exempt from NERC CIP while leaving them dependent on serial connections, which are themselves quite susceptible to attack
  • After Joe left the NERC CIPS in smouldering ruins, Rob Shein, HP Cyber Security Architect, coaxed them back to life with a balanced review of what they do and do not cover, and provided reasonable steps orgs can follow to achieve compliance
  • Lastly, I moderated a roundtable session on "The Perspective and Path Forward for Energy Utilities" with 3 outstanding panelists: Mike Echols of the Salt River Project, Bobby Brown of Enernex, and Chris Peters from Entergy. They hit a bunch of topics that even late in the day held the audience's attention and responded to lots of questions after they reached the end of my prepared list. But for me, the most memorable of all was also the simplest. Each was asked: would your org be more or less secure in a world without the CIPS? To which the unanimous response was less. So despite all the abuse heaped upon the CIPS during the day (and IMHO, they richly deserve it), the folks fighting this security battle in the trenches say they help far more than they hurt. For me, that fully topped off an already great day, and I'm really looking forward to whatever lessons we can tease out of day 2 of the 1st Smart Grid Cyber Security Summit.
San Jose Photo credit: the_tahoe_guy at Flickr.com

Tuesday, August 3, 2010

Mid 2010 Snapshot: Utilities in Security and Compliance Double Bind

If you're not the head honcho for security at a medium-to-large utility company in the USA these days, you should consider yourself fortunate that, regardless of your profession, your life is much less complicated than theirs. If you are in such a position, you have my sympathy, and depending on how you're managing, my respect.

Seems to me you are in a damned if you do, damned if you don't situation. On one hand, you must do everything you can to keep the processes in place that have kept the customers' lights on 24/7/365 over the past decades of your career. Moving too far too fast with new technology or methods puts that number one metric at risk. On the other hand, in order to put your organization in position to pass its NERC CIP compliance audits and avoid fines and other negative fallout, you're having to substantially upgrade and update the security controls on some of your most important systems.

Like the oft-referenced complex challenge of repairing an airplane in flight, you face the dilemma above in a time of unprecedented change in an industry ill equipped organizationally to make fast changes. For example:
  • In a sector largely insulated from competition, deregulation (in some regions) now adds that factor to the mix. And some of the competitors are from another planet, culturally speaking (see: Google, Microsoft, etc.)
  • AMI and Smart Grid initiatives are encouraging you to connect systems that were once protected, in part, through isolation
  • Business models look like they're in position to turn inside out and dis-intermediation is a real possibility
  • The FERC/NERC CIP cyber security regulatory regime is moving fast; you're given a scant 2 years to turn your ship in the right direction (impossible for some), and rumors of more stringent and burdensome standards coming abound
  • And last but not least, what about the GRID Act? Its passage looks like a near certainty. You only thought you had compliance problems before!!!
Just writing this list gets me all worked up. Time to turn to the timeless wisdom of the Ramones: "I wanna be sedated". OK, better now.

So, in this climate, should you err on the side of doing too much? Moving your org rapidly towards better security and compliance but adding an unknown amount of reliability risk even as you seek to reduce it? Or lean towards preserving the steady state status quo and do too little, and risk getting slammed by fines ... or worse (Stuxnet anyone)? Often there's a middle path you can construct that gives you a nice balance of risk and reward, but I'm not sure that's the case here. But whatever you choose, the rest of us on this blog appreciate the tight spot you're in and will do as much as we can to make your world a little simpler.

Thursday, July 9, 2009

Danahy on Smart Grid Security in Government Computer News

As power controls take on characteristics more akin to cyber systems, the numbers and types of threats go through the roof. This article in GCN makes the case that FERC's current Critical Infrastructure Protection (CIP) standards and audit practices may be ill-suited to ensure protection of an increasingly Internet-like power grid.

Here's Jack's 2 cents in context:
But some security experts say the standards do not go far enough. The technology of the electric grid was designed with the expectation that it would be a private network rather than an interconnected IP-addressable system, and the security standards focus largely on reliability rather than network integrity.
“I don’t think in today’s world that is even close to being adequate security,” said Jack Danahy, chief technology officer of Ounce Labs. “There has to be a more expansive understanding of what security means.”
The cyber security of the power system is taking on more urgency with development of a new interactive smart grid and recent reports that hackers have compromised the current grid.