Showing posts with label DOD. Show all posts

Saturday, November 23, 2013

Sandia and Hayden on Cybersecurity Strategies for Microgrids

First off, thanks to friend and colleague Ernie Hayden for writing a microgrid security post following his mini-immersion in the topic last week.  You can read his write-up HERE.

In particular, I want you to see something he linked to: SNL's Microgrid Cybersecurity Reference Architecture.  That's Sandia National Labs, btw, not Saturday Night Live; talented though he is, Jimmy Fallon is not a contributor to this piece.

Tuesday, June 4, 2013

Energy sector can learn from DOD's cybersecurity strengths (and weaknesses)

Last year the US DoD released a report by one of its Defense Science Board teams and I've seen it referenced a number of times in recent weeks, especially in articles announcing our loss of the most sensitive systems design details on dozens of current and next generation weapons systems.

See if you think this excerpt from the executive summary would accurately describe the current state at the utility you work for, or regulate, or invest in, or power your home with:
[The conclusion that we must do much better on cyber defense] was developed upon several factors, including the success adversaries have had penetrating our networks; the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems.
If you think it might, then it's possible that you may find value in digging into the findings and recommendations within. I noticed this one on culture as being particularly relevant to our sector:
Individual and organizational cyber practices result in so many cyber security breaches that many experts believe that DoD networks can never be secure with the current cyber culture. The individual’s immersion in the civil sector cyber culture and the military’s focus on mission objective are the two most important contributors to DoD’s poor cyber culture. In the face of a threat that routinely exploits organizational and personal flaws, DoD leadership must develop a clear vision for the Department’s cyber culture.
It's very likely your utility is not targeted nearly as much as are the DoD's networks and systems, but I'd still say this report has lots of applicability for the way we think and act.

-------------------------

URL for full report:

http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf

Saturday, April 7, 2012

USAF Seeking (More than) a Few Good Cyber Men and Women

Thanks to my friend and Academy classmate Chris Davis (USAFA '85) for the heads-up on this recent Air Force news.

Wonder if anyone in DOD has heard of the excellent NBISE, an organization dedicated to cranking out a better breed of cyber defense professional?  Anyone out there know Space Command's General Shelton, quoted within HERE? Maybe he could send some scouts to watch for talent at NBISE's upcoming US Cyber Challenge. It's open for registration now.

Here are a couple of plugs for the event. First, from the Hon. Mike McConnell, former Director of National Security and Vice Chairman of Booz Allen Hamilton:
Our government and U.S. commercial companies are being besieged by attempted cyber attacks every day, and the nation needs as many resources as possible to prevent damage and the theft of intellectual capital. The U.S. Cyber Challenge offers a unique and exciting platform to identify the talent we need to defend our nation.
And here's Michael Assante, President & CEO, National Board of Information Security Examiners (NBISE):
The Cyber Quest competition and Cyber Camps are critical as our nation continually undergoes fast-paced changes in technology. Our growing reliance on digital technology requires concentrated efforts, like these, to identify and best develop the next generation of highly skilled cyber security professionals.
Please get the word out on this event if you can.

Wednesday, April 27, 2011

CNAS Focusing on Smart Grid Security

The DC-based Center for New American Security (CNAS), host of the excellent Natural Security blog that highlights the security interconnectedness of many different domains, is having a Smart Grid Security week. You'll note their particular interest in critical infrastructure in general, and DOD in particular.

And of course, I warm to this part of their non-alarmist opening statement:
Today, we’re beginning to get a better sense of the ground truth, ever-moving as it is. About a month ago we held a workshop on smart grid tech and cyber security, with a great cross-section of experts. My main takeaways were that there are real cyber threats in considering smart grid deployment, but that there are many USG efforts underway to mitigate and manage the risks. The holes that exist seem to be things like improving coordination within DOD on grid security, ensuring interagency communication, and setting consistent standards for DOD contracts that include smart grid and electric infrastructure work (and hopefully standards more rigorous than for anywhere else).
See announcement HERE. And stay tuned for their follow-on posts ... there are already some new ones today.

Thursday, October 15, 2009

Military Planning For Prolonged Outages via Smart/Micro Grid Technologies


While the US Department of Defense has many unique tasks and requirements, many of its concerns and challenges re: the current grid, Smart Grid and Smart Grid security are common to all enterprises. Much of what motivates DOD motivates others, including:
  • Desire for continuous operation and continuous service to customers by keeping core systems running during (possibly prolonged) power outages impacting local communities
  • Energy efficiency savings via reduction in electricity and fossil fuel usage
  • Demonstrating proactive/compliance measures vis-a-vis climate change and the increased use of renewable energy sources
  • Maintaining confidentiality/privacy of data and doing all of the above in a safe and secure manner
So along those lines, here's an excerpt from a recent post on the DOD Energy Blog on the so-called "brittle grid" problem I believe you'll find interesting:
Eighteen months have now passed since the public release of the "Defense Science Board Task Force Report on Energy." This is from the section called "Managing Risks to Installations":
For various reasons, the grid has far less margin today than in earlier years between capacity and demand. The level of spare parts kept in inventory has declined, and spare parts are often co-located with their operational counterparts putting both at risk from a single act. In some cases, industrial capacity to produce critical spares is extremely limited, available only from overseas sources and very slow and difficult to transport due to physical size.
In many cases, installations have not distinguished between critical and non-critical loads when configuring backup power systems, leaving critical missions competing with non-essential loads for power. The Task Force finds that separating critical from noncritical loads is an important first step toward improving the resilience of critical missions using existing backup sources in the event of commercial power outage. The confluence of these trends, namely increased critical load demand, decreased resilience of commercial power, inadequacy of backup generators, and lack of transformer spares in sufficient numbers to enable quick repair, create an unacceptably high risk to our national security from a long-term interruption of commercial power.
Granted, DOD's not the only organization with these concerns ... and the obligation to plan accordingly. Hospitals, police & fire, essential services, etc. all have to think this way. DOD is exploring campus microgrid strategies (including on-site power generation, energy management and energy storage systems, and more) to allow bases to "island" themselves away from commercial grid infrastructure.

The technology is getting to the point where this approach is becoming just as feasible for industry. We'll be investigating further and will post the results right here.

Photo Credit: Kristen Holden on Flickr