Showing posts with label best practices. Show all posts

Wednesday, August 7, 2013

First Look at Cyber Security Incentive Ideas, Companion to NIST's Framework Work

I'll oversimplify this to keep it short, but the President kicked all of this off earlier this year in the wake of failed cyber security legislation efforts in 2010 (GRID Act) and 2012 (Cybersecurity Act of 2012).

The two primary vectors on this project have included:

  1. Having NIST lead the charge to develop a new cyber security framework (i.e., pattern, roadmap, guidance) made up of references to existing guidance that seem to work well. On Twitter this effort is tagged #NISTCSF.
  2. A parallel initiative to develop incentives that might improve the business case for being more proactive on cyber security.
The incentive categories were just made public, and so far include:
  • Cybersecurity Insurance
  • Grants
  • Process Preference
  • Liability Limitation
  • Streamline Regulations
  • Public Recognition
  • Rate Recovery
  • Cybersecurity Research
Liability and insurance are going to be the thorniest.  And rate recovery help, if workable, sounds promising.

You can read The Hill's coverage and the original White House text via the URLs below, as well as check out the current status and next activities related to the framework.

----

URLs

The Hill

http://thehill.com/blogs/hillicon-valley/technology/315795-white-house-publishes-preliminary-list-of-cybersecurity-incentives

White House

http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework

NIST CSF

http://www.nist.gov/itl/cyberframework.cfm

Wednesday, March 28, 2012

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the first one in San Jose in 2010. Will shoot to summarize key messages in a post when it's over, but also will blurt out the occasional tweet on the fly using the #GridSec hash tag on Twitter.

Monday, March 5, 2012

Smart Grid Security Conference Alert: GridSec 2012 Coming Soon


Here we go again, with what appears to be the best line-up yet. Noticeably, there's going to be significantly more utility representation this time.

It already started moving in this direction in the last conference or two (San Diego, Knoxville) and hopefully we'll be able to move the center of security discussion from AMI and Smart Meters to securing increasingly automated substations, control centers, SCADA and control systems, and the various juncture points between IT and OT networks.

As usual, I'll be on a panel or two, and moderating some as well. 

Here are deets for you, as well as the means to get a discount if you have yet to register:

  • When: 27-29 March 2012 (the 27th is a workshop day)
  • Where: the Irving Convention Center in Irving, TX
  • Site URL:  http://www.gridsec.com/2012/
Discounts of various sizes are available depending on what kind of work you do. Go HERE and use this code BVAYVN

Photo credit: David Kozlowski on Flickriver.com

Friday, November 18, 2011

He's Baaaaaaack: Jack Danahy on a Courtroom Drama that could Radically Upend the Cyber Security Apple Cart

Just Judy's not working this one, but my colleague, and once and future energy and security blogger Jack Danahy is on the case.

Now new, improved, and more succinct than ever, he writes:
In reading the case of Gaffney et al vs. Tricare Management Activity et al, the question arises: "Is there a price to be paid for the loss of personal, private information of individuals, when it appears that due care may not have been taken for its protection?" With 4.9 million individuals affected, and sought damages of $1,000 per injured party, the potential $5B outcome of this case could very quickly reshape the landscape of investment in security measures.
There's lots of good food for thought in this one. You can read it all, HERE.

New Smart Grid Security Book coming from Sorebo and Echols

This is the first new book on the topic in over a year, and as you know, a lot has transpired over the last 365. Awareness of Stuxnet, Night Dragon and other control system-targeting Advanced Persistent Threats (APTs), for example.

I didn't have too much exposure to the previous one, but at first glance can tell you that Gib and Mike bring a heaping helping of hands-on industry experience to the table. Prove it, you say? Alright then:

Gib built and has been running SAIC's grid security team for quite a while. He also has been a leader on multiple security standards working groups. And Mike was Security Compliance Manager at the Salt River Project, a big power and water utility in Arizona and a security officer at the Western Area Power Administration.

The title is: Smart Grid Security, an End-to-End View of Security in the New Electrical Grid, and it's coming out on Dec 12 (just in time for Christmas!). You can read more about it and get an order started on Amazon HERE.

I should be getting a copy soon myself, and will do a short review on the SGSB as soon as I am able.

Monday, November 29, 2010

Enernex's Kevin Brown on Intersection of Physical and Cyber Security Challenges in Smart Grid Devices

Thanks to Erich Gunther for promulgating this excellent video Q&A featuring his security-minded colleague, Kevin Brown.

As a cyber guy, I've not imagined physical security as being much more than perimeter fences, surveillance cameras and good locks. Brown's discussions on battery life expectancies, how high you should mount pole-mounted devices, and how easy it is to become king of reclosers were all eye openers for me.

Visually, there's not a lot more going on than in My Dinner with Andre. But the content, which truly bridges the physical and cyber worlds, is utterly compelling, fascinating stuff. It's over 20 minutes long, so make sure you find an open spot in your schedule. You won't want to multi-task through this one or you'll miss a lot.


Physical and Cyber Security for a Smart Grid from Erich Gunther on Vimeo.

Sunday, July 11, 2010

Webcast: Smart Grid IT Systems Security

Just a reminder - this is a very high level intro to this topic, most appropriate for business folks and new initiates. If you're looking for more meat, much more detailed guidance is referenced in the presentation.

Also, looks like we've found a format that'll work for the webcasts. For best results, recommend you click on the "full screen" icon located in the extreme lower right-hand corner. OK then? Here's the latest from the series ... see what you think:

Saturday, April 24, 2010

Registration Now Open for the Smart Grid Security Blog (SGSB) Monthly Webcast Series Kickoff



We want to alert you to an upcoming series centered around topics from the Smart Grid Security Blog related to the roll-out of new Smart Grid and microgrid capabilities, particularly from a security point of view.

Brought to you courtesy of IBM, the 2010 Smart Grid Security Webcast Series is for anyone interested or involved in making the Smart Grid successful and secure. Our goal is to make actionable information available that will lead to better security, privacy & compliance decision making, and to do so in a way that entertains while it educates.

Webcast 1: Intro to Smart Grid Security and the SGSB webcast series (Apr 28, noon EST)

Agenda

-- Intro to webcast series
-- Current state description of the grid and the organizations who run and maintain it
-- Smart Grid Security intro:
  • What is the smart grid and what are the compelling drivers for deploying it?
  • What makes it smart?
  • What new concerns arrive with smartness?
  • How to plan to deal with these threats
Register to get Login and Dial-in information

Only your name and email are required to participate. REGISTER HERE

If clicking a link above does not work, please copy the entire link and paste it into your Web browser. For questions about this event, contact the host at: ashley.hodge@us.ibm.com

Hope to see you there!

Andy & Jack