Showing posts with label communications. Show all posts

Friday, June 20, 2014

Calls for Enhanced Enterprise Security Governance Starting to Steamroll


Though I've been approaching this issue from a sector-specific perspective for years, lots of what's been in the news lately (and I mean lately) is intended for all technology-enabled sectors. Which pretty much means every business and every organization that intends to maintain consistent and reliable operations in the near and mid-term future.

First off, and with origins that predated the Target breach that's credited with generating most of this activity, was DOE's Energy Advisory Committee giving thumbs up in May to a paper on Security Governance. It proposes that DOE pursue potential upgrades to how energy companies organize and run themselves from a security perspective. Titled: EAC Recommendations for DOE Action Regarding Implementing Effective Enterprise Security Governance - Outline for Energy Sector Executives and Boards, among other things, this paper lists the following "Characteristics of Effective Security Governance":
  • Clearly defined responsibilities from the board of directors to senior leadership to employees 
  • Presence of an active Security Governance board comprised of senior stakeholders from across the company 
  • An executive owner of enterprise security: with purview over IT, OT and physical security policy, a designated CSO or similar 
  • Striving for 100% alignment of security with business/mission 
  • Using measurement of key indicators to increase awareness and drive improvement (with maturity tools like DOE's ES-C2M2)

Tuesday, August 27, 2013

Declaration of Independence and Intent

I've been warming up and working in this space for years now, and if you've been a Smart Grid Security blog subscriber or an intermittent visitor, you may have noticed an evolution in cyber security thinking of sorts. Well, with changing the world as my goal, it's time to stop treading water and start swimming like I mean it. I just left IBM in order to bring a new type of security advisory service to energy sector organizations. Here’s a brief version of the concept:
You often hear that culture change is the hardest thing to accomplish in an organization. That may be, but to help put our sector’s cybersecurity preparations on a better course, I’m developing an approach focused on increasing organizational awareness and improving internal communications about the security issues that matter. It begins with senior leadership, extends throughout the enterprise and doesn’t stop until it reaches service providers and the supply chain. Most engagements will begin with an in-depth orientation briefing for senior stakeholders, followed by periodic meetings and dedicated hours of access so that I can be a resource whenever my input is needed.

Tuesday, February 26, 2013

The Future of Naval Installation Energy

Posting this one for SGSB readers who might not otherwise see relevant content on the DOD Energy Blog. There's a lot to admire, and learn from what the Navy is doing in Washington DC and the surrounding region. Check it out ...
-----------------------
As projected several years ago in this great 5-minute video, the initiative is paving the way for demand management, energy efficiency, microgrids, support for renewables and all manner of support-the-mission, energy security goals (with cybersecurity baked in).



From all accounts, the folks involved with this initiative are right on schedule and are meeting their objectives.  Recommend you keep an eye on this.

Friday, October 19, 2012

Supply Chain Security Awareness on Upswing for Energy and Comm Sectors

10/25/12 Update: Huawei just said it is ready to have all its source code tested for security. Would other vendors be so bold?

------------------

If you don't subscribe to the online version of the Wall Street Journal, you probably don't get its daily CIO feed, which provides a nice topical tapas-sized taste of what's on folks' minds every morning.

One of those folks is me, and I've been stirred up lately by all the press (The Economist, 60 Minutes, etc.) and Capitol Hill attention Chinese communications equipment maker Huawei has been getting. Personally, I haven't had any direct contact with Huawei or its products, but I have a gut-level response when a company gets pilloried solely on where it's headquartered or the nationality of the owner(s).

Tuesday, October 4, 2011

Asset Owners Speak Out/Up at Smart Grid Security Summit West

What a great start. Five guys charged with improving the security posture of their large utilities all on stage, and fielding questions from conference organizer Mike Amadhi and an audience full of security minded folks from all walks of life.

In no particular order, here are a few notes I took organized by speaker:

Jeff Gooding - Southern California Edison
  • Very interested in standards
  • Vendor certification would be desirable, though preferably nothing as heavy as the Common Criteria
  • Finds it takes approx 2 years for an IT security generalist to get up to speed and be competent in the operational technology (OT) arena
Ward Pyles - Southern Company
  • (Partly tongue in cheek, partly not) said Southern Co. doesn't talk security anymore. Rather, it's all about reliability ... doing what's required to keep systems operational and available.
  • To do this, he/they use a different, more business oriented vocabulary
  • Also, working with vendors towards certification
James Sample - Pacific Gas & Electric
  • Security is much more a people than a technology issue
  • Would like to see more standards baked into products at time of manufacture
  • Like Ward, increasingly uses reliability versus pure security in conversations across the business lines
  • Spends significant amount of time pushing vendors to deliver secure solutions
  • Wishes he could spend less time on vendors (above) and more time working with his people
Christopher Peters - Entergy
  • Security pro's must be good communicators and tailor language to fit their audiences
  • Bridging silos is one of his main jobs
  • Having a CXO as a boss is very helpful in accomplishing the above
Stephen Mikovits - San Diego Gas & Electric
  • Very thankful for CPUC's order that CA IOUs generate 10-year forward looking Smart Grid deployment plans, including a major emphasis on security
  • This really helped SDG&E as well as the other utilities by giving them a platform to communicate security requirements and recommended actions
So there you have it. Several themes emerge: security as reliability, language and communications, silo busting, supplier security and certification, importance of security standards. Seems like most in the audience felt like these were the right notes. I sure did.

BTW - I was working pretty fast. If you spot any typos or inaccuracies here, please let me know and I'll update the post asap.

Thursday, February 17, 2011

Texas Rolling Black Outs and the Not-Yet-Smart Grid


Analyst Chet Geschickter of Greentech Media wrote a nice piece about the blackouts Texas experienced earlier this month. You might say, hey, weather-induced power outages aren't caused by security problems. To which I would reply, oh yeah? The brittleness of the grid is one of its most significant vulnerabilities ... one that we now have the means to repair, though not necessarily the will to do so in the short term.

So may we continue? Here's Chet:
Rolling blackouts are a last-resort load shed tool ... [but while] demand response provides more orderly demand cascading ... it is limited to a few businesses with discretionary power needs -- like refrigeration compressors in supermarkets. A hefty chunk of the business sector is more sensitive. 
Then he continues ...
The residential market has huge potential for both electricity and natural gas peak curtailment, especially if and when large-scale consumer Home Area Network (HAN) technology adoption occurs.
That's a big "if" ... and maybe even a bigger "when". Now let's turn to an actual official in the thick of this event in Texas, quoted in a piece from the Wall Street Journal:
Many users didn't know their power was coming down, and officials said they should have issued more alerts so customers could prepare. "It is something we have never experienced before," said Trip Doggett, the grid operator's chief executive, adding that "dramatically more" plants shut at one time than ever before. 
The good news?
By turning to the use of rolling outages, the grid operator prevented a statewide blackout that could have lasted at least 50 hours, Mr. Doggett said.
The bad news? The detail that grid operators either couldn't communicate with their customers en masse, or else forgot to. I'd bet on the former. The Smart Grid is, if nothing else, about improving efficiency of operations and customer experience via better communications throughout the system. Ahem (throat clearing sound) ... I said, better communications.

Photo credit: (Texas based) J-5 Electric

Wednesday, December 8, 2010

Life's Rich Pageant: Smart Grid Resistance Movements


Since I've been covering their emergence, Smart Meters, the gateway drug for the Smart Grid, have been alleged to do some or all of the following:
  • Cause confusion or brain cancer
  • Facilitate attack by foreign nations
  • Help utilities get rich by cranking up rates forever
  • Give Barack Obama control of your house
  • Signal criminals when your house is ready to be robbed
  • Reveal to the government when you're doing naughty things
  • Reduce fertility in laboratory mice
These stories pop up all over, but here's the latest from Maine and California. And lest you think this is a phenomenon unique to the USA alone, here's a vigilant gentleman chiming in from north of the border:
... these so-called 'Smart Meters' may be deliberately 'tricked' to register a higher consumption reading than is actually true. Obviously, this would produce more revenue for the greedy utilities and the greedy governments which are constantly looking for new ways to screw the people.
Well said Sir! And tell you what - if after reading these you find yourself converted, you can go HERE for all your anti-Smart Meter propaganda needs including bumper stickers and yard signs.

We're trying to update the grid for the 21st century: bringing better efficiencies, improving reliability, and enabling greatly increased use of renewables and EVs, and this is the response from some folks.

As Charlie Brown used to say, "Good grief."

Photo credit: "Radio Waves" by Thomas Anderson on Flickr.com

Thursday, August 12, 2010

Car Companies and Utilities at the Dawn of the Smart Grid: Twins Separated at Birth?


Like fraternal twins separated at birth, these two seemingly unrelated and elderly sectors of the US economy have more in common than you might think. Both are poised for immense change as “Smart” technologies are completely re-writing the workflows and even the business models of these formerly static industries. One way to know they haven’t changed much over the last century: their 2010 products would be instantly recognizable to their inventors (though this Shelby SuperCar might induce Henry Ford to do a double, or maybe a triple, take). Another thing they have in common is that they have viewed their customers’ usage data as primarily their own.

Some More Similarities

While both car companies and utilities manage their business functions with modern data centers and IT, it’s the OT that makes them their money. That’s operational technology, and for utilities OT refers to the infrastructure control system components that make the grid go: generators, power lines, transformers, substations, etc. The Smart Meters, currently being deployed and networked in the millions by many large-market utilities to enable remote trouble detection and billing, can also be considered OT systems.

Internal Smart car systems behave less like data centers and more like control systems. On board performance monitoring and diagnostic computers and sensors, coupled with wireless communications systems, are beginning to allow car companies to detect and sometimes resolve problems without requiring that the car be brought into a garage for repair.

Similarly Siloed: Meter Rolls vs. Rolling Meters

Looking at the two platforms from a customer data perspective, the similarities are even stronger. Electricity usage data was the reason utility trucks ventured to homes and businesses across the country. Utilities had no other way of knowing how much electricity was used at a given address, and they needed that data to calculate how much they were owed. You could make a case that this usage data belonged to the utilities, or to the customers themselves, or both. And today, different states have different rules on this issue.

Prior to the advent of wireless car communications networks (e.g. GM’s OnStar, Ford’s Sync, Bluetooth, Wifi, etc.), automotive performance and diagnostic data remained in on-board computers until technicians accessed them during visits to the repair shop. In between regularly scheduled oil changes or check-ups, or without a break-down or crack-up, this data was out of reach. Now with communications enabled, daily access to this data is a new possibility. And as with data on total electricity consumption and usage patterns in homes, the car companies clearly have rights, but the owner/drivers also have a stake as they own and operate the cars (especially if their identity is connected to the data).

But in both industries, there hasn’t previously been much thought given to the ownership or role of data in these scenarios. Or how that data might have value for new business lines or 3rd parties. Or how to protect that data in scenarios where multiple 3rd parties are allowed access.

Complexity

What cars and utilities shared in the past, even as they came to rely more and more on electronics, was that these systems were relatively simple, understandable, and isolated from the networks bad guys are known to frequent. The hardware and software in most OT systems are not familiar to most of us, as their functions are not related to web apps, productivity or back office management, but to control sensors, actuators and other types of real-time devices.

Trends over the past few years, however, indicate complexity and connectedness will soon rule both of these worlds. Note that current cars of the standard combustion engine variety now depend upon 200+ million lines of software code in applications from a variety of sources with dozens of interfaces. Once “dumb” disconnected meters are being replaced by Smart Meters - networked computers on the side of homes and buildings which communicate with utility systems as well as systems on the inside, like Home Area networks (HANs) and Smart appliances. And all over, IT and OT systems are increasingly being interconnected.

That’s only going to increase as we enter the Vehicle to Grid (V2G) and Smart Grid worlds, with individuals and new companies clamoring for ways to gain access to and open up these systems, access their data, and re-invigorate these previously stagnant sectors with innovative new technologies, capabilities and business models. Open standards (and advocacy campaigns like OpenOtto) will hasten the arrival of all of the above, but in both the power and the car worlds, the impulse to open up has been largely absent, at least until recently.

Security

Ah, we’ve saved the best for last. It’s been said before on this blog but it bears repeating: connecting systems that were once protected, in large part, by their isolation, creates many new vectors for attackers, and in general, many new ways to be insecure.

Designers of both Smart cars and Smart Meters share the objective that upgrades to software and firmware can be performed remotely, prolonging the lives, and increasing the flexibility, of these systems.
There are also use cases where the ability to remotely shut down meters or cars is highly desirable: for utilities, when they don’t get paid or when a residence is changing owners or occupants; for car companies, the ability to team with the police to stop car thieves and other criminals. These capabilities, like so much related to the Smart Grid, Smart Meters and Smart cars, open new pathways for attackers.
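To make the two pathways above concrete, here is an added example (not code from the original post, nor from any meter or vehicle vendor) of the minimum a meter-side firmware loader and remote-disconnect handler need in order not to become the attacker's pathway: the update must be authenticated over version and image together, an older version must be refused (anti-rollback), and a disconnect command must be bound to one meter and to a monotonic counter so a captured command cannot be replayed. The keys, meter IDs and firmware bytes are constructed placeholders, and the example uses symmetric HMAC-SHA256 for both channels purely to stay within the Python standard library.

```python
import hmac
import hashlib
import struct

# Constructed placeholder keys for the example. In a real deployment each
# meter holds its own command key, provisioned at manufacture.
FIRMWARE_KEY = b"firmware-signing-key-for-demo"   # vendor's signing service
COMMAND_KEY = b"per-meter-command-key-for-demo"    # head-end <-> this meter


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_firmware(image: bytes, version: int) -> bytes:
    """Vendor side: authenticate version and image together, so an attacker
    cannot re-tag an old (vulnerable) image with a newer version number."""
    return _mac(FIRMWARE_KEY, struct.pack(">I", version) + image)


def sign_command(meter_id: str, counter: int, action: str) -> bytes:
    """Head-end side: bind the command to one meter and a monotonic counter."""
    payload = f"{meter_id}|{counter}|{action}".encode()
    return _mac(COMMAND_KEY, payload)


class Meter:
    """Meter-side checks; every reject reason is returned so it can be logged."""

    def __init__(self, meter_id: str, fw_version: int):
        self.meter_id = meter_id
        self.fw_version = fw_version
        self.fw_image = b""
        self.last_counter = 0   # highest command counter accepted so far
        self.connected = True

    def apply_firmware(self, image: bytes, version: int, tag: bytes) -> str:
        # Recompute the MAC over the bytes actually received, then compare in
        # constant time; a single flipped byte in the image fails here.
        expected = sign_firmware(image, version)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        if version <= self.fw_version:           # anti-rollback
            return "rejected: rollback"
        self.fw_version = version
        self.fw_image = image
        return "applied"

    def handle_command(self, meter_id: str, counter: int, action: str, tag: bytes) -> str:
        if meter_id != self.meter_id:            # command addressed to another meter
            return "rejected: wrong meter"
        expected = sign_command(meter_id, counter, action)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        if counter <= self.last_counter:         # replayed or reordered command
            return "rejected: replay"
        self.last_counter = counter
        if action == "disconnect":
            self.connected = False
        elif action == "reconnect":
            self.connected = True
        else:
            return "rejected: unknown action"
        return "ok"


def demo() -> dict:
    """Walk one meter through a tampered image, a rollback, a real upgrade,
    a legitimate disconnect, a replay of it and a misdirected command."""
    m = Meter("MTR-0001", fw_version=3)
    good = b"\x7fELF...constructed firmware v4"   # constructed sample image
    results = {}
    results["tampered"] = m.apply_firmware(good + b"\x00", 4, sign_firmware(good, 4))
    results["rollback"] = m.apply_firmware(good, 2, sign_firmware(good, 2))
    results["upgrade"] = m.apply_firmware(good, 4, sign_firmware(good, 4))
    tag = sign_command("MTR-0001", 1, "disconnect")
    results["disconnect"] = m.handle_command("MTR-0001", 1, "disconnect", tag)
    results["replay"] = m.handle_command("MTR-0001", 1, "disconnect", tag)
    other = sign_command("MTR-0002", 2, "disconnect")
    results["wrong_meter"] = m.handle_command("MTR-0002", 2, "disconnect", other)
    results["connected"] = m.connected
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The caveat a practitioner would raise: because the firmware check here is a symmetric MAC, the verification key has to live on every meter, so pulling it from one unit lets an attacker sign firmware for the whole fleet. Production loaders use a public-key signature (the meter holds only the vendor's public key) for exactly that reason; the version binding, anti-rollback and per-meter replay counter carry over unchanged.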

And the temptation to share customer usage data complicates both car and utilities’ thinking about their own data security measures. Ensuring proper data protections are in place in every entity that eventually has access, even with customer permission, is going to be a tough challenge. So let's get on it!

Photo credit: Bill Jacobus on Flickr.com

Wednesday, March 24, 2010

Inviting Smart Grid Consumers to the Dance

I may miss a few, but the list of the biggest threats to the success of the emerging Smart Grid includes:
  • Complex technology
  • Well equipped, sophisticated attackers and other bad actors
  • Pressure to deploy ahead of still-forming standards
  • Immature or hastily conceived business plans/model
  • Aging equipment and aging workforces
  • Organizational and cultural rifts inside utility companies (e.g., IT vs. operational)
  • Inter-state legal and other jurisdiction challenges
But perhaps the greatest is also the simplest to understand and articulate: achieving real two-way communications between utilities and their customers. And I'm not talking about bi-directional digital networks; I'm talking old school ... meaning starting from zero and taking deliberate steps to forge and maintain real working relationships between providers and customers.

Maybe a little bit on the late-side (considering the recent, less-than-optimal experiences of PG&E, Xcel and Oncor customers) but better late than never, this article in Smart Grid News announces the formation of the non-profit Smart Grid Consumer Collaborative (SGCC).

It's going to take more than this to get the word out. Many worldly and well educated peers in other sectors still draw a blank when they hear the term. Others have heard of the Smart Grid, but don't have the foggiest notion of what it is or why it's coming. I know because, to their chagrin, I ask folks all the time. The formation of the SGCC isn't a full solution to the Smart Grid customer communications challenge by any means, but it sure smacks of a move in the right direction.

You can visit the SGCC site here and we recommend you do.

Photo Credit: The Seattle Municipal Archives on Flickr

Tuesday, May 26, 2009

Smart Grid Communications: It's about More than Wires ...

... it's about wireless, including how today there's not nearly enough wireless coverage to go around:
Coverage is indeed one of the challenges as some utilities have up to 50% of their service area not covered by their existing networks. Utilities often operate in a mix of dense urban to extreme rural areas and need the flexibility of operating in both.
2-way comms and robust security will likely require far more bandwidth than this offering can provide, but it's a start towards a solution we didn't even know we needed a few years ago. See more: here.