Since I went solo there's been less time for blogging but I hope to catch up a little with this mega post on the just-concluded, 9th annual SANS ICS Security Summit which took place in the Contemporary Hotel at Disney.
Where I can I'll include Twitter IDs, as for many of us, Twitter is how we stay abreast of what we find interesting and what we're thinking about in between real world meet-ups. (Note: I only include these when they're unique to the individual and not shared by a company or org.)
I won't cover all the talks because I didn't attend all of them, and I apologize to those presenters I don't cover here. Nor was I at "Game Night" (though I wish I was) which from what I heard later was a fantastic and grueling hack-fest that extended into the wee hours before champions finally emerged.
Wednesday, March 19, 2014
Wednesday, February 5, 2014
Security and other Notes from a Cold Distributech 2014
Cross-posted from the new Bochman Advisors' Blog.
What a wonderful thing a Distributech is. Held alternately in San Diego and San Antonio, the vibrant but relatively conservative host communities are a near perfect match for the demographics it attracts in the dead of winter. What I'm saying is it's warm but it's not a jungle ... it's not Vegas, there's no Hangover.
This one, my fourth, was in San Antonio, and unfortunately, thanks to the Polar Vortex, or Son of Polar Vortex, it was too cold to sip cocktails by the River Walk, or run along the River Walk, or really to do anything outside besides hurry to the next dwelling. Suffice it to say, most attendees, remembering balmy Distributechs past, did not bring the right clothes, and I for one left with a parting gift of H1N1.
Labels:
conference,
security
Monday, January 13, 2014
Conference Alert: SmartSec Europe 2014
There's not much time left, but here's an exciting conference if you're not going to Distributech in San Antonio, but still want to visit a historic city with picturesque waterways.
Location: Amsterdam
Dates: 29-30 January 2014
For more info, click HERE
To register, click HERE
Bonus #1: My friend Johan Rambi and grid security superstar Annabelle Lee will be speaking
Bonus #2: All SmartSec attendees are invited to stay on one more day to help set the course for Europe's new ISAC and situational awareness organization, DENSEK. It convenes at 1000 hours on Friday the 31st at the same venue.
And in case you're wondering, DENSEK includes but is not focused on Denmark. DENSEK stands for Distributed ENergy SEcurity Knowledge ... capiche?
Photo credit: The Travis Caulfield Travel Blog
Monday, October 28, 2013
Wrap Up: The 13th Annual ICS Cybersecurity Conference
Another Industrial Control Systems Cybersecurity conference is behind us and, as usual, as documented by founder Joe Weiss, there were signs of a slow awakening to the importance of this topic, mixed with persistent inertia.
It was nice to hear that my friend (and very good guy) Johan Rambi from large utility Alliander (based in The Netherlands) was playing such an active role. And this note below reminds everyone that ICS security is not only an energy or power sector problem. As Joe tells it:
Jeffrey Smith from American Axle gave a great presentation about how they have secured (or very significantly improved security) in their factories world-wide. What I felt was so important is their focus was on productivity and worker safety. Security was simply a threat that needed to be addressed so they could operate safely and efficiently.
This is reminiscent of others who point to the two goals one finds most highly valued in a power co, reliability and safety, and urge the security community to tie physical and cybersecurity tightly to those domains from messaging and business case perspectives.
Security practices are funded and run not merely to check compliance boxes, but to give businesses and government orgs Confidentiality, Integrity, and Availability (CIA) for their systems, networks, apps and data ... so they can continue to pursue their missions with confidence and efficiency.
Or to call out a potential ICS-specific update to the perennial security triad the conference produced: adding O for Operational Controls. For this very important and highly specialized domain, it might make sense to reverse the prioritized order of CIA and get the O in there too: AIOC. Ayy-Awk.
Saturday, October 19, 2013
Conference Alert: FIRST Energy Symposium - Energy Sector Incident Response
Sorry for the late announcement, but in the spirit of better late than never ...
In cooperation with ISC2, ICS-ISAC and EnergySec, the Forum of Incident Response and Security Teams (FIRST) brings you its first energy sector focused event.
As the FIRST folks put it:
This conference will bring together computer security incident response and security team professionals from all over the world and provide a forum for experts to promote, share, and discuss issues relating to developments in the field of Incident Response relating to the Energy Sector.
When: 28 + 29 October, 2013
Where: Lansdowne resort, Leesburg, VA (Not to be confused with Lansdowne Street in Boston)
To register: Click HERE (Save $100 using this code: Energy13)
BONUS: the agenda shows presentations by Jack Whitsitt and Chris Blask. If you don't know them, they are two of the more brilliant and idiosyncratic personalities in the business. Worth the price of admission alone, IMHO.
Wednesday, October 16, 2013
Special Conference Alert: Risk Management-Focused NARUC Annual Meeting
This NARUC Annual Meeting is called "Managing Risk: Protecting Consumers and Critical Assets" and yours truly will have the honor of participating as a panelist.
As per usual, here are the basics:
- Where: Orlando Hilton Bonnet Creek, FL
- When: 17-20 November 2013
- To Register: click HERE
The Sunday afternoon panel I'm on is called: "Risk Management in Action: Challenges and Opportunities for Implementation", and here's the narrative description of what we'll be discussing:
There’s a lot of talk about the benefits of risk management processes to address cybersecurity, but how familiar are we with the actual implementation of these processes? Come hear panelists discuss the resources necessary to implement and maintain risk management processes for cybersecurity of our critical infrastructure. What are the bottom line impacts on owners’ and operators’ resources for implementing risk management? Hear from subject matter experts about the opportunities and challenges.
Should be great. Hope some of you can make it.
Photo credit: TripAdvisor.com
Tuesday, October 8, 2013
Heads-Up: The 2013 ICS Cybersecurity Summit is Closing In
We talked about this conference and many of its concerns a few weeks ago at the EnergySec Summit, and among other things, got a great presentation showing how one utility has built and gotten great value from its OT security test-bed.
There's going to be a talk on test-beds plus a bunch of other great presentations at the annual "Joe Weiss" summit, so if you have interest, and the ability to get there, I highly recommend you do.
Here are the basics:
Dates: 21-24 October 2013
Venue: GTRI Conference Center, 250 14th Street NW, Atlanta, GA 30318
LINK for more info and to register
LINK to register
Photo credit: Jomi Thomas Mani @ Flickr.com
Tuesday, September 24, 2013
Several Scenes from EnergySec Summit 2013
I missed a number of presentations due to a midday arrival on Wednesday and missed a few others to field a few intermittent phone calls, but got to hear most of them (my apologies to speakers not covered below).
First off, Patrick Miller and Steve Parker, EnergySec Presidents past and present, were both outstanding ringmasters and herders of wandering speakers.
Monday, September 9, 2013
Conference Alert: EnergySec and NESCO Town Hall next Week
Ok, so usually I'm giving a heads-up about some conference or seminar you might want to know about, or even attend. But this time I'm saying that, but also revealing I'll be there too.
And I note, in the town where Peyton Manning recently threw 7 TD passes in one game and one can easily procure Rocky Mountain Oysters, I'll be joining luminaries from industry and a number of utilities too.
Here are the deets:
- Where: Magnolia Hotel, Denver, CO
- When: 17 - 19 September, 2013
- What: Lots of stuff. Agenda HERE
- How: Easy. You can still register HERE
For your edutainment, I'll be moderating a town hall style discussion about the current state and future of the cyber security workforce in the energy sector. We'll be considering full life (as in human life) cycle issues, from birth to tablet training, from kindergarten to college curriculum, from entry level security practitioners to ICS forensics wizards and all the way up the managerial stack to CSOs and CISOs.
Hope to break some new ground and capture some new ideas we can share with all and will do here on the SGSB during and/or right after. Will also tweet whenever possible using the hashtag #ess13.
Hope to see some of you there!
Photo credit: Daily Mail online
Labels:
conference,
CSO,
culture,
cyber security,
education,
training
Tuesday, May 14, 2013
Energy Security Conference Alert: IAGS' Target Energy 2013
UPDATE: Conference Cancelled ... Sorry about that.
-----------------------
What is IAGS you say? I'll answer briskly: the Institute for the Analysis of Global Security. Teaming with NATO's Energy Security Center of Excellence, IAGS is hosting a conference called Target Energy that includes but goes well beyond cybersecurity and the grid.
For those SGSB readers whose professional lives are circumscribed by electric sector security, this is a chance to stretch a bit. Here's how the organizers describe the focus:
The cost of securing energy supplies is increasing due to threats from terrorists, hackers, activists and hostile nations. What is the impact of attacks against energy, and how can companies, organizations, and governments work with NATO to increase security?
Thursday, April 4, 2013
Early Conference Alert: EnergySec Call for Speakers
If you have potent ideas that could help utilities, regulators or other members of our tight-knit community, a rich vocabulary and a booming, resonant voice, are somewhat animated and can make dramatic hand gestures, then you may have a place in the line-up at the next EnergySec conference.
Here's the content of just-received email in case you didn't get or see it directly:
The EnergySec Annual Security Summit has been privileged to host some of the most intriguing, informative, technical and entertaining cyber security presentations and panels this industry has seen. But we think we can do better.
Sunday, March 3, 2013
Conference Alert: European Smart Grid Cyber and SCADA Security
The European wing of our global grid security tribe is gathering soon in London. Some great speakers and plenty of utility participation at this one.
Recommend you check it out - here are the basic deets:
- When: March 11 & 12
- Where: The Copthorne Tara Hotel, Scarsdale Place, Kensington, London, W8 5SR
- For more info and registration, click HERE
SGSB point of contact: Jamison Nesbitt, jnesbitt@smi-online.co.uk
Photo credit: Magnet Magazine
Monday, February 11, 2013
Conference Alert: AGRION Energy & Sustainability
On Feb 19, one of the year's best energy and sustainability conferences will be kicking off in NYC. It's organized by a great org I've become familiar with recently: AGRION, a global business network for energy, cleantech and corporate sustainability.
On the second day, following a morning keynote by PSE&G CEO Ralph Izzo, I'll be moderating a panel of experts on the topic "Smart Grid Market: Scope and Scale":
- Kevin Genieser, Managing Director & Head of Clean Energy & Renewables, Morgan Stanley
- Joe Callis, Sr. Applied Solutions Engineer, PJM Interconnection
- David Groarke, Smart Grid Senior Analyst, Greentech Media
To be sure, I'll work in an appropriate amount of security substance. After all, you can't deploy a Smart Grid that's easy to disrupt, right?
You can see the full agenda, list of speakers and venue details HERE. Hope some SGSB readers can make it.
Sunday, February 3, 2013
Alrich on Distributech's 2013 Cybersecurity Focus Panels
I couldn't make it to the panel sessions but fortunately Tom Alrich could and did. Here are his short takes on 3 different panels:
Substation Integration and Automation: The Cybersecurity Landscape is Changing - Didier Giarratano of Schneider Electric discussed Role Based Access Control (RBAC) and how to do a good job applying RBAC to the challenges of substations. Anthony Eshpeter of SUBNET Solutions discussed “Complexities of Substation Cyber Security”. He provided a very good, lucid discussion – pointing out the need for solutions like those SUBNET sells but without ever making a sales pitch. Bradley Tips of Cisco addressed “Real-world Deployment of Network Security for NERC CIP Compliance”. A good overview of what CIP requires for a substation these days.
Friday, February 1, 2013
Conference Alert: SANS ICS Summit coming up fast
Smart Grid Security Blog readers: heads-up. I've decided that this year the time has come to do a massive press on Operational Technology (OT) Security issues. I think the reason for the timing is obvious, but I'll make my case in a future post when I have more time.
And this won't be just for the US and North America, and it won't be limited solely to the electric sector. We'll look at OT security challenges and efforts in other industrial equipment-oriented critical infrastructure sectors.
But for now, get ready to see some announcements for upcoming conferences and webinars on this topic by some of the best and most experienced folks in the business. Details on the first one are right here:
Name
The 8th Annual SCADA and Process Control System Security Summit
Dates
Feb 6-11: Pre-Summit Courses
Feb 12-13: Summit (click HERE for Summit agenda)
Feb 14-15: Post-Summit Courses
Venue
Walt Disney World Disney's Yacht & Beach Club
1700 Epcot Resorts Boulevard
Lake Buena Vista, FL 32830
To Register
Click HERE to register for Summit
Disney Website: Walt Disney World Disney's Yacht & Beach Club
Reservations & Discounted Park Tickets: http://www.mydisneymeetings.com/sans2013
This week and a half would enable one to really immerse themselves in the topic. And maybe enjoy a little Disney time too.
Labels:
conference,
control systems,
ics,
training
Thursday, January 31, 2013
Electric Sector Security Observations from Distributech 2013
The show is over for me as I'm up in LA for some IBM training, but it was a very good 2 days. Here's a few of the highlights I took away:
- Saw a great new product with immediate applicability to AMI (and other wireless network) security with crossover applications in restoration, routing and reliability
- Patricia Hoffman, DOE's Assistant Secretary for the Office of Electricity Delivery and Energy Reliability (OE), following great, largely renewable-energy oriented keynotes from senior executives at SDG&E and Cal ISO, gave her perspective on the world and beat a drum loudly for improved cybersecurity awareness and action towards the end of her talk
- Speaking of DOE, after visiting several security vendor booths found a remote outpost DOE cybersecurity booth in the far corner of the big hall. Those folks seemed glad to have any human contact :)
- One industry security guru whose knowledge I implicitly trust said he would like to see a greater emphasis on security architectures this year. Too many point products are being bought and strung together with little consideration for the bigger, enterprise protection picture. And that's a recipe for weakness and inefficiency, and for the folks recommending or doing the buying, a formula for losing credibility and trust
- I couldn't make the conference's security focus panel but if someone did and has some impressions to share, please do and I'll post them here.
- Lastly, from my extended family at IBM flown in from all over the world, definitely detecting heightened security awareness and interest from utilities that until recently weren't all that active.
For those still in town and/or next time you're in town, highly recommend the new Blind Burro restaurant ... ate there twice and it's fantastic. So far, scores a ridiculously high 4.5 out of 5 stars on Yelp. Mmmm tasty.
Labels:
#Dtech,
ami,
conference,
ibm
Wednesday, January 30, 2013
The Cybersecurity Crew at Distributech 2013
First off, let me say that for those travelling to San Diego from northern or northeastern USA, or northern Europe or Russia for instance, this conference is worth it simply as a respite from persistent cold temps and dreary midwinter landscapes.
Now this may sound a bit gossipy, but so far, in terms of our small community of energy sector cyber security practitioners, I've already met up with some old acquaintances and have met for the first time, face to face, others.
Met up with Liza, Darren, Slade, and had a great talk over dinner with Ernie. Though with Darren it was really just eye contact because by the time my IBM theater preso on security breaches with Steve Dougherty was done, Darren had, Jason Bourne-like, vanished into the crowd.
Will get to travel more widely through the exhibit hall today and will craft a more security content-laden post later today or tomorrow, I promise. Cheers, Andy
Labels:
conference,
ics,
scada security
Monday, January 21, 2013
Conference Alert: Security at Distributech 2013
The annual electric sector conference in North America is coming up next week in San Diego. It's called Distributech, and the 7,500 or so attendees will peruse booths featuring the latest reclosers, transformers, comm gear, outage management systems, etc.
They can also peruse me, as I'll be at the large IBM booth alongside colleagues discussing solutions for:
- Smart Metering and AMI
- Distributed Energy and Electric Vehicles (EVs)
- Asset Management
- Grid Operations
- Communications and Cloud
If you can make it, here are the details:
- Dates: 29-31 January
- Venue: San Diego Convention Center
- URL: http://www.distributech.com/index.html
While the conference is going on, will be tweeting highlights from @sgsblog. Lastly, if you aren't attending, will be happy to share findings and observations afterwards on the blog and/or via other means.
Photo credit: Wikimedia.org
Monday, November 19, 2012
Is the Smart Grid a Homeland Security Problem?
Last week I had the privilege of being on an IEEE/Department of Homeland Security (DHS) panel discussing the topic: Smart Grid: A Homeland Security Problem or Not? Talk about a title that begs the question.
My sharp co-panelists hailed from DHS, the Utilities Telecom Council (UTC), MIT, the University of Vermont and MITRE, and we were masterfully moderated by Emily Frye, also of MITRE.
Anyway, all I want to say here is that we got a great question from an audience member (and it was a very interactive audience!) that we were hard pressed to answer. It went basically like this:
If each utility was somehow given an infusion of $1 million (Dr. Evil's preferred amount) what would be the best, most security impacting way for them to spend it?
Tuesday, November 6, 2012
Conference Alert: Smart Grid & Control Systems Security for Europe
Sometimes I don't give enough lead time; here's a case where maybe I'm giving you too much lead time. Anyway, you know how time flies when you're having fun, so 5 short months from now, you might want to be here:
- What: 3rd European Smart Grid and SCADA Security Forum
- Where: The Copthorne Tara Hotel, London
- When: 11-12 March 2013
- Web: For more info and to register, click HERE