Showing posts with label awareness.

Friday, June 20, 2014

Calls for Enhanced Enterprise Security Governance Starting to Steamroll


Though I've been approaching this issue from a sector-specific perspective for years, lots of what's been in the news lately (and I mean lately) is intended for all technology-enabled sectors. Which pretty much means every business and every organization that intends to maintain consistent and reliable operations in the near and mid-term future.

First off, and with origins that predate the Target breach credited with generating most of this activity, DOE's Electricity Advisory Committee gave a thumbs up in May to a paper on security governance. It proposes that DOE pursue potential upgrades to how energy companies organize and run themselves from a security perspective. Titled "EAC Recommendations for DOE Action Regarding Implementing Effective Enterprise Security Governance - Outline for Energy Sector Executives and Boards," the paper, among other things, lists the following "Characteristics of Effective Security Governance":
  • Clearly defined responsibilities from the board of directors to senior leadership to employees
  • Presence of an active Security Governance board comprised of senior stakeholders from across the company
  • An executive owner of enterprise security, with purview over IT, OT and physical security policy (a designated CSO or similar)
  • Striving for 100% alignment of security with business/mission
  • Using measurement of key indicators to increase awareness and drive improvement (with maturity tools like DOE's ES-C2M2)

Tuesday, January 7, 2014

Singer & Brookings on the Security Governance/Ownership Vacuum

Analyst and author Peter Singer of the Brookings Institute has a new book out intended for everyman. And everywoman. To include particularly those types who consider themselves non technical, or as I've heard cyber folks in DOD refer to them - tech immigrants (vs. typically younger tech natives).

The net he casts is wide enough to capture senior government and business leaders too. Below are excerpts from a recent interview with CNN/Fortune that really resonated with me, with particular applicability to our sector:
"Stop looking for others to solve it for you, stop looking for silver bullet solutions, and stop ignoring it." 

Monday, November 25, 2013

ICS Electric Utility Attack Video and Aegis to the Rescue


SANS Securing the Human - ICS Attacker
The excellent security-minded people at the SANS Institute have produced an 8 minute video that walks you through a control systems attack. The money they saved by using animation instead of Matt Damon or Morgan Freeman was put to good use, as you'll see. For such an esoteric subject, this is a first rate video. For more info please visit the Securing the Human site at http://www.securingthehuman.org/

Meanwhile, to calm you down after the video gets your heart rate up, you should start learning about a new tool that's set for release at the upcoming SANS SCADA Summit. It's called Aegis and it's not an anti-ballistic missile system.  It's a testing tool to help ensure systems communicating with one of the most common SCADA and controls systems communications protocols, DNP3, are harder to attack.

You can read more about Aegis here: http://www.automatak.com/aegis/

And more about the SANS ICS Summit here: http://www.sans.org/event/north-american-ics-scada-summit-2014

Monday, September 16, 2013

A Novel Approach to Grid Cybersecurity Awareness


Not long ago I was in a meeting with the CIO of a large electric utility and when I inquired as to the cybersecurity awareness of the board of directors, was told it had recently skyrocketed.

Why the sudden shift, I asked? Had the company just endured a serious and/or highly public breach? Nope, things had been mercifully static on that front. A classified threat briefing by DHS? No, not that either. Well, what was it then?

Apparently one board member had read the latest Tom Clancy book, Threat Vector, and once exposed to Clancy's fictional vision of how the US could be brought low through largely cyber means, it changed his thinking. It spoke in language he could understand, and captured his imagination too. That thinking soon spread to the rest of the board.

Now comes former Senator Byron Dorgan with a cautionary novel of his own, and this one is much more grid-centric, from the title on. I later read Threat Vector myself ... 900 pages or so if I remember right, looking for power sector specific attacks and breaches, and they were few. I've read some of the reviews of Gridlock, though, and in it the US grid is front and center and not doing so well.

Dorgan and co-author David Hagberg don't have anywhere near Clancy's readership, not close. But if an executive in your company were to happen upon a copy, well, apparently it's quite a page turner, and you might have a new, more cybersecurity-aware board to work with in a few weeks.


Thursday, September 5, 2013

The Things I've Seen Series: Part 2 - Execs Exempted



Last week I posted on an encouraging trend I witnessed over the past 2 years: the emergence in some utilities of security governance boards comprised of security and privacy leaders, often a rep from legal or compliance, and senior stakeholders representing different business lines. Soon after it went live, I received multiple corroborations from friends in the field who have seen the same thing in their patches. This is all goodness.

But there are other, less uplifting trends you should be aware of if you're not already. I've seen senior executives who have not once met with their cybersecurity leaders and who feel they have no reason to do so. I've had senior state regulators tell me that they haven't really thought about cybersecurity until very recently. 

Tuesday, August 27, 2013

Declaration of Independence and Intent

I've been warming up and working in this space for years now, and if you've been a Smart Grid Security blog subscriber or an intermittent visitor, you may have noticed an evolution in cyber security thinking of sorts. Well, with changing the world as my goal, it's time to stop treading water and start swimming like I mean it. I just left IBM in order to bring a new type of security advisory service to energy sector organizations. Here’s a brief version of the concept:
You often hear that culture change is the hardest thing to accomplish in an organization. That may be, but to help put our sector’s cybersecurity preparations on a better course, I’m developing an approach focused on increasing organizational awareness and improving internal communications about the security issues that matter. It begins with senior leadership, extends throughout the enterprise and doesn’t stop until it reaches service providers and the supply chain. Most engagements will begin with an in-depth orientation briefing for senior stakeholders, followed by periodic meetings and dedicated hours of access so that I can be a resource whenever my input is needed.

Tuesday, July 23, 2013

SANS cyber security awareness training for eager utility employees ... and their regulators

I recently stumbled upon some excellent online training materials from the well respected SANS Institute that could be quite useful to you and your organization.

In a series of online modules, many of them tailored to the particular needs of utilities, SANS "Securing the Human" courseware seems to be an easily digestible, self-paced way to get important cyber security awareness messages across to a large number of users.

Note: NERC CIP content here is constructed around version 3, so with newer versions now approved by NERC and FERC, SANS will want to update certain modules accordingly. But 99% of the material is right on the mark, and would be appropriate for electric sector personnel outside the US as well.

Wherever you fit in the ecosystem, whether you're an executive or a rank and file worker bee, whether you're in a utility, a regulatory agency, a vendor, or just a user of digital technology who wants to stay safe, I recommend you check it out.

---------------

SANS URL:

http://www.securingthehuman.org/utility/index

Tuesday, May 28, 2013

Grid Security Keynote of Note at May 2013 ISO Conference

Since you can't be everywhere, there's the SGSB (which can). Former Seattle City Light CISO and current Verizon control systems security ace Ernie Hayden gave a keynote presentation at the recent ISO New England and New York ISO Energy Conference held in Boston, and we've got it for you.

If you don't know ISO, it stands for Independent System Operator, a term which is often used interchangeably with another acronym: RTO, or Regional Transmission Organization. In North America, these organizations are like referees and traffic cops, trying to keep the peace among utilities and ensure the smooth and reliable flow of appropriately priced electricity across multi-state regions.

It's good to see security get such a prominent platform at a high profile industry event like this. Certainly a sign of the times. Ernie's slides will take you through the past, 2013/present and future of grid security, and though some of the info would clearly benefit from his accompanying narration, a lot of this works quite well as is. And if you really want the audio, then I'm sure Ernie will agree to come to you and do it again, as long as you treat him right. URLs below.

-----------

Ernie Hayden deck

http://www.isoenergyconference.com/pdf/Ernie-Hayden-Keynote.pdf

Conference home page

http://www.isoenergyconference.com

Wednesday, May 22, 2013

Cyber Achilles Heel Afflicts Electric Sector (and other) Senior Leaders


Just for fun, let's begin with a few quotes from an article in yesterday's Wall Street Journal of the mind-blower variety:
Executives are disconnected from reality when it comes to IT and security.
Top leaders seem particularly inclined to do things their IT departments warn against, such as opening email from unfamiliar senders, or clicking on links.
During ... simulated attacks, top executives are 25% more likely to click on the links that in a real attack could install malware. One reason ... is that most senior leaders skip company programs on developing cautious email habits.
You can visit this WSJ page below for the full article and attribution.

But wow. What a cyber Achilles heel we've got if the folks with access to the most important, most sensitive info in our companies are the easiest to scam into coughing it up.

Friday, November 16, 2012

Great Video: Latest Utility CEO on Cybersecurity


Another CEO joins the emerging chorus of senior energy sector executives not just tuned in to the strategic nature of cybersecurity and privacy challenges in the Smart Grid era, but willing to speak out about it. He also hits some good notes on supply chain issues.

Thanks to Jessie Knight, Chairman and CEO of San Diego Gas & Electric (SDG&E). And hat tip to IBM colleague Tracy A and SmartGridNews.com for sending me this.

Thursday, April 21, 2011

A Spring Deluge of Smart Grid-Related Security Incidents


Last week I posted happy news. (Click HERE to recapture the moment.)

Now I don't want to give you the idea that this is a bi-polar blog or anything, but this week I was going to post on THIS, related to an insider attack at a big utility in the US south east (still awaiting confirmation), but then thought better of it.

Have you noticed lately that the occasional drip or splash of security incident news related to the grid and Smart Grid has become a steady downpour? It's too much for me to comment on each new event or revelation. And I'm not going to list them here and weigh you down with concern. Besides, you've probably seen this stuff elsewhere already.

But what to make of the up-tick in publicly disclosed incidents? One question to ask is whether there are more (and more successful) attacks happening lately, or whether utilities have improved their ability to detect incidents which have likely been happening all along. I'd put money on it being a combination of both, and the addition of Smart Grid technologies like AMI and distribution automation will only continue to facilitate both trends.

What ramifications can we expect from this? One is that mainstream awareness of grid security risks cannot help but rise from all of this, and that means that there's little chance the fuel that's been stoking the new security legislation fires in Congress is going to run out anytime soon.

A second effect is that many of us, including utility executives, could grow numb as the incidents continue to happen to "the other guy" and their own quarterly reports are unscathed. After all, despite the cold and wet we get in Boston in mid April, the lights are still on, the Red Sox have started to awaken, and my new iPad 2 is fully charged, so life is good, right? ... Right?

Photo credit: K. Kendall on Flickr.com

Sunday, November 21, 2010

Massoud Energizes U Minnesota Smart Grid Ad

Nov 22 Update: I'm speaking at the Canadian Smart Grid Summit next week in Toronto, and when I went to check for my time slot, I noticed that Massoud is headlining! See for yourself HERE.

--------------------------------------------------------------

As this Wall Street Journal video points out, the majority of TV ads for colleges shown during football halftime breaks are cookie cutter simple and formulaic. This spot, though, focuses on several recent ones which break the mold. Most notable, from the SGSB's point of view, is the one from the University of Minnesota featuring long-time clean tech and Smart Grid security advocate, Dr. Massoud Amin.

Here's the WSJ piece that makes the case:

And for the full 30-second U Minn energy ad they're applauding, click HERE.

Production standards are so high and the content so compelling, you might think you were watching an IBM commercial.

Wednesday, February 17, 2010

Mainstreaming the Smart Grid

Loved seeing a USA Today front page article this morning on early consumer experiences with the Smart Grid. To me, press like this is an important indicator of the education and mainstreaming process. The piece describes some money saving success stories and some setbacks too (as Jack did earlier here), but overall serves to demystify the Smart Grid.

The article drew over a hundred comments as of tonight, indicating big interest but also continuing big ignorance and paranoia about why the Smart Grid is being built, e.g.:

  • "I would rather spend money on solar panels on my roof"
  • "Surely you realize that if everyone en masse were to save 15%, the power company will need a rate hike to cover that?"
  • "Smart Meters - so smart the utilities can program them remotely to ....er, show increased consumption?"
And there's always this not completely irrational response to consider and address: "Anything that takes control away from the consumer is a threat." 

Sitting back on our skis isn't going to get us where we need to go. As we've said previously (and others have chimed in similarly), before it gets on board, the public's got to get a big dose of openness and confidence from the industry and government. Now would be a great time for all parties to turn up the volume on where we are, where we're going ... and maybe most importantly, why we're on this trip to begin with.