Showing posts with label control systems. Show all posts

Saturday, November 23, 2013

Sandia and Hayden on Cybersecurity Strategies for Microgrids

First off, thanks to friend and colleague Ernie Hayden for writing a microgrid security post following his mini-immersion in the topic last week.  You can read his write-up HERE.

In particular, want you to see something he linked to: SNL's Microgrid Cybersecurity Reference Architecture.  That's Sandia National Labs, btw, not Saturday Night Live; talented though he is, Jimmy Fallon is not a contributor to this piece.

Thursday, November 21, 2013

SCADA Primers Now for Grades 1-8 and Even More Managers


Earlier this year, the US Air Force's Robert M. Lee brought us SCADA and Me, an intro level graphic novelette optimized for very young children and certain managers. Now comes Haley Wauson of industrial automation company Cimation with a blog post that should help SCADA and Me readers advance to the level of middle school literacy and educate an even more advanced cohort of managers.

In her succinct post "What is SCADA Anyway?" Ms. Wauson uses infographic style visuals and multi-syllabic words to take readers to a level of depth that goes well beyond Robert Lee's Goodnight Moon-esque masterpiece.

Sounds like I'm joking around but actually works like these are just the thing for de-mystifying technology that's foreign to IT-centric folks.  SCADA and control systems are of central importance to making good things happen in our increasingly interconnected "Internet of Things" world, or as my recent alma mater IBM has dubbed it, the Smarter Planet.

Securing these things, now that's another matter. But first you have to know what they are, and where they are, in the first place!

Monday, October 28, 2013

Wrap Up: The 13th Annual ICS Cybersecurity Conference

Another Industrial Control Systems Cybersecurity conference is behind us and, as usual, as documented by founder Joe Weiss, there were signs of a slow awakening to the importance of this topic, mixed with persistent inertia.

You can read highlights from the first two days HERE, and Joe's final day summary HERE.

It was nice to hear that my friend (and very good guy) Johan Rambi from large utility Alliander (based in The Netherlands) was playing such an active role.  And this note below reminds everyone that ICS security is not only an energy or power sector problem.  As Joe tells it:
Jeffrey Smith from American Axle gave a great presentation about how they have secured (or very significantly improved security) in their factories world-wide. What I felt was so important is their focus was on productivity and worker safety. Security was simply a threat that needed to be addressed so they could operate safely and efficiently.
This is reminiscent of others who point to the two goals one finds most highly valued in a power co, reliability and safety, and urge the security community to tie physical and cybersecurity tightly to those domains from messaging and business case perspectives.

Security practices are funded and run not merely to check compliance boxes, but to give businesses and government orgs Confidentiality, Integrity, and Availability (CIA) for their systems, networks, apps and data ... so they can continue to pursue their missions with confidence and efficiency.

Or to call out a potential ICS-specific update to the perennial security triad the conference produced: adding O for Operational Controls.  For this very important and highly specialized domain, it might make sense to reverse the prioritized order of CIA and get the O in there too: AIOC.  Ayy-Awk.

Wednesday, October 23, 2013

Webinar Alert: Energy Sector Learning to Speak a New and Secure Procurement Language


Hat tip to UTC's Nadya Bartol (Twitter @NadyaBartol) for the heads-up on this upcoming webinar to unveil a draft document as follows:

Title: Cybersecurity Procurement Language for Energy Delivery Systems
Project Description: This effort seeks to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector. Updated language for the energy sector can aid in addressing some of the evolving challenges by helping asset owners, operators, and suppliers establish a baseline of minimum cybersecurity requirements.
When: Monday, October 28, 2013 @ 3:00 - 4:00 PM EDT

Register: HERE

For more info on this effort: click HERE

POC: Eric Wagner at eric.wagner@utc.org

Tuesday, September 24, 2013

Several Scenes from EnergySec Summit 2013

Was in Denver not far from flooded Boulder last week at the 9th annual EnergySec Summit ... my first.  I'm sure we'll be seeing more articles and posts from EnergySec scribes and some of the other 150 or so attendees soon, but wanted to get my observations out.

I missed a number of presentations due to a mid day arrival on Wednesday and missed a few others to field a few intermittent phone calls, but got to hear most of them (my apologies to speakers not covered below).

First off, Patrick Miller and Steve Parker, EnergySec Presidents past and present, were both outstanding ringmasters and herders of wandering speakers.

Monday, July 29, 2013

Rapidly Approaching Training Alert: SANS Control Systems Security

Depending on where you sit at the cyber security table, this might be for you or someone in your org.

Here's how the SANS folks describe it:
A rising number of cyber threats impacting industrial systems have increased the urgency to address security challenges for Industrial Control Systems. Learn how to develop an effective and comprehensive cyber security strategy and equip yourself with the technical know-how and skills to apply in these unique applications. Cyber security is an important element to achieve highly reliable and safe operations. SANS Hosted ICS training courses equip both security professionals and control system engineers with the knowledge and skills they need to safeguard these important systems.
Available classes: SCADA Security Training, Critical Infrastructure and Control System Cybersecurity, and Assessing and Exploiting Control Systems

OK now the details:

  • What: SANS Industrial Control Systems Training
  • When: 12-16 August 2013
  • Where (Generally speaking): Washington DC
  • Where (More specifically): the Westin hotel in Georgetown
You can register here: http://www.sans.org/event/ics-security-training-washington-dc and if you use this code you'll get a discount: SANSICS_SGSB5

Wednesday, July 24, 2013

Major SPIDERS (DOD Secure Microgrid) Update

This post just in from Mr. Harold Sanborn, Program Manager at Construction Engineering Research Lab (CERL), US Army and technical manager for the SPIDERS Joint Capability Technology Demonstration (JCTD).  I've removed most of the defense industry speak from a longer version you can find on the DOD Energy Blog.  FYI SPIDERS = an ongoing DOD distributed energy program and the acronym stands for Smart Power Infrastructure Demonstration for Energy Reliability and Security. ab

Here's Harold:

SPIDERS Phase I has finished the "history tour" as we codify and publish the lessons learned.

SPIDERS results demonstrated additional capability for Joint Base Pearl Harbor Hickam, including:
  • Synchronizing with the utility service power signal while pushing electricity back on to the base distribution system
  • Operational viewing of other circuits in the substation in addition to the one controlled by the micro-grid, and
  • Power factor improvements and the opportunity to test generators at load

Monday, July 1, 2013

Super Cyber Security Reading: 2Q ICS-CERT Monitor

Unfortunately, the Energy Sector wins this competition over the last 12 months

There are few publications you can read that will tell you more about the current state of cyber awareness and attacks on critical infrastructure orgs and systems than the Monitor.


Wednesday, May 22, 2013

Training Alert: ICS / 2 Control Systems Security Sessions Coming Up

SGSB readers: first a brief housekeeping note. Due to a dose of awareness I just received yesterday, I'll no longer be including live links in posts. When I want to recommend a web page for you to visit I'll give you the full URL, which you can paste into the browser of your choice (see below).

OK moving on. SANS is developing an ICS & utility focused security practice with NIPSCO's Tim Conway assisting.  And this effort is already bearing fruit, with training classes coming up next month.  Here are the deets for you:

  • When: June 11, 2013 (Saturday)
  • Where: Westin Houston Memorial City, Houston, TX USA
  • What: two courses:

1) SCADA Security Training 
2) Pen testing ICS and Smart Grid
For more info and to register, do what you need to do with the following URL: 
http://www.sans.org/event/scada-training-houston-2013

Special SGSB Offer: use the code SmartGrid2013 when you register and you'll receive $150 off the Pentesting ICS or the Smart Grid or the SCADA Security Training course.

Friday, April 12, 2013

Webcast Alert: Establishing Security Baselines at Industrial Facilities

I love good baselines, and I'm not the only one. When famous jazz composer-arranger Gil Evans (see Sketches of Spain) heard the early Police playing Walking on the Moon, he took time to personally compliment the stunned bass player, Gordon Sumner aka Sting.

Now another baseline for you, less musical but more actionable, courtesy of the new ICS-ISAC:
  • Title: Raising All Boats: Establishing Security Baselines at Industrial Facilities
  • Date: Monday April 29th, 2013
  • Time: 1:00-2:00pm USA Eastern Time
  • Registration and more info here: http://ics-isac.org/events.html
Hope you can make it. Oh, and here's Miles for you: http://www.youtube.com/watch?v=7KDQNoqKya0

Sunday, March 31, 2013

ICS Lab for Grid Security Research, Training and Demonstrations

In case you're not already tuned into this community, but might want to be, I submit for your review the contents of an email I received yesterday.  It goes like this:
Greetings ICS-ISAC Members and partners! 
The ICS-ISAC and MS-ISAC are partnering with several key Members to create an ICS Security Lab as a shared asset for research, training and demonstrations. Physically hosted in Livermore, CA by Robot Garden the Lab is now in Phase One of procuring equipment and establishing the virtual capabilities that Members can have access to. 
If you are interested in participating in this activity or have equipment that would be of benefit to this endeavor please send a note to ICS-ISAC Chair Chris Blask at chris@ics-isac.org
There is also a LinkedIn group for collaboration at http://www.linkedin.com/groups?home=&gid=4932821&trk=anet_ug_hm&goback=%2Emyg

Acronym Legend:

ICS-ISAC = Industrial Control Systems Information Sharing and Analysis Center

MS-ISAC = Multi-State Information Sharing and Analysis Center


That's all I got.

Monday, March 25, 2013

NatGas Cybersecurity getting a lot more Visibility


Thanks to colleague H. Chantz for spotting this article and sending it this way.

As has been the case quite a bit this year, once again we are in the realm of SCADA/Control System security. William Rush of the Gas Technology Institute states it plainly, if somewhat dramatically:
“Anyone can blow up a gas pipeline with dynamite. But with this stolen information, if I wanted to blow up not one, but 1,000 compressor stations, I could,” he adds. “I could put the attack vectors in place, let them sit there for years, and set them all off at the same time. I don’t have to worry about getting people physically in place to do the job, I just pull the trigger with one mouse click.”
There are no NERC CIPs for the gas industry, but with 25-30% of US electric power and a whole lot of home heating coming from gas, it's time to get moving on better securing this infrastructure.

Pipeline operators, now alerted to the fact that sensitive access control information to important subsystems is in the hands of folks outside the industry (and outside the country it seems), need to get moving. And I'm sure they will, but it's a BIG job.

The whole Christian Science Monitor article is HERE.

Photo credit: War News Updates

Thursday, March 7, 2013

Recommended Reading: Industrial Safety and Security Source

3/8/13 Flash update - SGSB reader and contributor Ernie H suggests you visit Joel Langill's www.scadahacker.com site as well to further enrich your budding control systems security knowledge.
--------------------------------

As I've mentioned a few times before, this year I'm working on getting my OT security chops up to speed, and that means getting a lot more familiar with the way SCADA and ICS systems work when they're functioning properly, to better appreciate how they can be exploited when reached by those with impure thoughts and nefarious motives.

To that end I reach out to folks who seem to know more about this part of the world than I do (sadly, a group that must number in the hundreds of millions). I'm not always successful, but when I am, am happy to share my success so you can advance your own understanding, if necessary, as well.


Sunday, March 3, 2013

Conference Alert: European Smart Grid Cyber and SCADA Security


The European wing of our global grid security tribe is gathering soon in London. Some great speakers and plenty of utility participation at this one.

Recommend you check it out - here are the basic deets:
  • When: March 11 & 12
  • Where: The Copthorne Tara Hotel, Scarsdale Place, Kensington, London, W8 5SR
  • For more info and registration, click HERE
SGSB point of contact: Jamison Nesbitt, jnesbitt@smi-online.co.uk

Photo credit: Magnet Magazine

Monday, February 4, 2013

ICS-ISAC Webinar on Municipal Utility Control Systems Security

The ICS-ISAC (that's Industrial Control Systems Information Sharing and Analysis Center if you want it spelled out for you) has a webinar coming up soon if you want a bite-sized dose of control systems security best practice knowledge. As the site says:
ICS-ISAC Member Briefing Miki Calero, Chief Security Officer for the City of Columbus Ohio, will provide a first-hand assessment of the challenges and opportunities presented to those responsible for securing municipal infrastructures.
For me, this is interesting because in addition to getting more info out on control systems security, we'll also get to hear the municipal (or "muni") point of view. Munis are everywhere and are often below the radar of the sector press, who like to focus on the large investor owned utilities (IOUs). Yet munis, responsible for medium sized cities and above, play a critical role in keeping the lights on for millions (maybe billions) around the world, especially at the distribution level.

The webinar will also include ICS-ISAC Chair Chris Blask briefing ISAC members on new developments at the Center.

When: February 20, 1-2 pm ET

Here's a LINK to learn more and register.

Friday, February 1, 2013

Conference Alert: SANS ICS Summit coming up fast

Smart Grid Security Blog readers: heads-up. I've decided that this year the time has come to do a massive press on Operational Technology (OT) Security issues.  I think the reason for the timing is obvious, but I'll make my case in a future post when I have more time.

And this won't be just for the US and North America, and it won't be limited solely to the electric sector. We'll look at OT security challenges and efforts in other industrial equipment-oriented critical infrastructure sectors.

But for now, get ready to see some announcements for upcoming conferences and webinars on this topic by some of the best and most experienced folks in the business. Details on the first one are right here:

Name

The 8th Annual SCADA and Process Control System Security Summit

Dates

Feb 6-11: Pre-Summit Courses
Feb 12-13: Summit (click HERE for Summit agenda)
Feb 14-15: Post-Summit Courses

Venue

Walt Disney World Disney's Yacht & Beach Club
1700 Epcot Resorts Boulevard
Lake Buena Vista, FL 32830

To Register

Click HERE to register for Summit
Disney Website: Walt Disney World Disney's Yacht & Beach Club
Reservations & Discounted Park Tickets: http://www.mydisneymeetings.com/sans2013

This week and a half would enable one to really immerse themselves in the topic. And maybe enjoy a little Disney time too.

Thursday, January 10, 2013

Security Double Dutch: Shodan Points out Critical Infrastructure Gaps in the Netherlands


Hat tip to friend and colleague Steve D for shooting this my way.
Security researcher Oscar Koeroo, working for the Dutch nuclear physics institute NIKHEF, found out that national infrastructural systems were listed on Shodan, (a database of cyber security vulnerabilities) and could be easily accessed remotely. Those systems, controlling pumping stations and sluices, are vital for the water management of a large part of the Netherlands. Because a large part of the country lies below sea-level, those systems keep the Dutch feet dry!
I've been to the Netherlands several times and saw the country in the news a lot recently when UberStorm Sandy raised concerns that New York City should perhaps get similar types of protective systems. I can assure you that this is about much more than a preference for dry feet.

Read on to find out how control system search engine Shodan once again reveals what systems are directly connected to the Internet. Warning, it paints a full picture, but it's not a pretty picture, and hopefully you won't find systems in your charge popping up in the findings window!

Here's the complete article from Tofino, replete with lurid details of password mismanagement, accusations, denials and counter-accusations, and that sort of thing. Best keep a Heineken or two handy.

Photo credit: nrc.nl

Thursday, January 3, 2013

DHS ICS-CERT reports malware on power control systems

Happy 2013!

OK, enough frivolity. Let's turn down the Nat King Cole, step out from under the mistletoe, and get down to brass tacks.

First, in case that compound acronym is new to you, it stands for: the Industrial Control System - Computer Emergency Readiness Team, and it lives in the US Department of Homeland Defense.

This organization just issued a public quarterly report that describes, at a high level, a recent incident at a power generation company you'll be interested in. I'll get out of the way and let you read the first bits for yourself:
MALWARE INFECTIONS IN THE CONTROL ENVIRONMENT
ICS-CERT recently provided onsite support at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment. The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation.

Monday, November 26, 2012

Thoughts on the Explosive MI6 OT Breach in Skyfall


Have you seen the new 007 movie yet, the third of the series that features Daniel Craig as Bond? Called Skyfall, one of its key plot drivers occurs when the evil mastermind blows up part of British spy headquarters, MI6, in London, with a handful of deft key strokes. By the way, OT in the title of this post = Operational Technology, as differentiated from business information technology or IT.

Stuxnet this is not, but it is clearly depicted as a cyber attack on physical assets, and others who have weighed in on the plausibility/authenticity of this depiction (see HERE and HERE) cannot help but point to Stuxnet as the real world proof of concept.

To free up more time for mayhem, Javier Bardem's well played psychopath might have started with Shodan, the online search engine that helps both good guys and charismatic bad guys quickly locate internet-connected control systems.

Tuesday, November 6, 2012

Conference Alert: Smart Grid & Control Systems Security for Europe


Sometimes I don't give enough lead time, here's a case where maybe I'm giving you too much lead time. Anyway, you know how time flies when you're having fun, so 5 short months from now, you might want to be here:

  • What: 3rd European Smart Grid and SCADA Security Forum
  • Where: The Copthorne Tara Hotel, London
  • When: 11-12 March 2013
  • Web: For more info and to register, click HERE