Showing posts with label education.

Monday, June 30, 2014

Get Schooled on ICS Sec by SANS at SERC in Charlotte

Here's the facts, just the facts:

Legendary cyber training institute SANS has joined forces with industry leaders to equip security professionals and control system engineers with the cybersecurity skills they need to defend national critical infrastructure.

Course name: ICS410 -- ICS/SCADA Security Essentials 

Course description: ICS410 provides a set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.

The discount: Receive a massive 5% off with discount code: SANSICS_SGSB5


Venue and date: SERC Reliability Corporation, July 14 – 18 in Charlotte, NC

Thursday, November 21, 2013

SCADA Primers Now for Grades 1-8 and Even More Managers


Earlier this year, the US Air Force's Robert M. Lee brought us SCADA and Me, an intro level graphic novelette optimized for very young children and certain managers. Now comes Haley Wauson of industrial automation company Cimation with a blog post that should help SCADA and Me readers advance to the level of middle school literacy and educate an even more advanced cohort of managers.

In her succinct post "What is SCADA Anyway?" Ms. Wauson uses infographic style visuals and multi-syllabic words to take readers to a level of depth that goes well beyond Robert Lee's Goodnight Moon-esque masterpiece.

It sounds like I'm joking around, but actually works like these are just the thing for de-mystifying technology that's foreign to IT-centric folks. SCADA and control systems are of central importance to making good things happen in our increasingly interconnected "Internet of Things" world, or as my recent alma mater IBM has dubbed it, the Smarter Planet.

Securing these things, now that's another matter. But first you have to know what they are, and where they are, in the first place!

Monday, September 9, 2013

Conference Alert: EnergySec and NESCO Town Hall next Week


Ok, so usually I'm giving a heads-up about some conference or seminar you might want to know about, or even attend. But this time I'm saying that, but also revealing I'll be there too.

And I note, in the town where Peyton Manning recently threw 7 TD passes in one game and one can easily procure Rocky Mountain Oysters, I'll be joining luminaries from industry and a number of utilities too.

Here are the deets:

  • Where: Magnolia Hotel, Denver, CO
  • When: 17 - 19 September, 2013
  • What: Lots of stuff. Agenda HERE
  • How: Easy. You can still register HERE

For your edutainment, I'll be moderating a town hall style discussion about the current state and future of the cyber security workforce in the energy sector. We'll be considering full life (as in human life) cycle issues, from birth to tablet training, from kindergarten to college curriculum, from entry level security practitioners to ICS forensics wizards and all the way up the managerial stack to CSOs and CISOs.

I hope to break some new ground and capture some new ideas we can share with everyone, and I'll do so here on the SGSB during and/or right after. I'll also tweet whenever possible using the hashtag #ess13.

Hope to see some of you there!

Photo credit: Daily Mail online

Monday, March 11, 2013

Cybersecurity Workforce Developers Need You, Part Deux


Yes we can. The following is number 2 in a series of 2 un-paid public service announcements from what remains one of my favorite organizations. It begins, as it did the first time on March 2, thusly:

Power industry security stakeholders (if you read this blog, that means you!),

The National Board of Information Security Examiners (NBISE) is partnering with the Pacific Northwest National Laboratory to contribute to the development of the U.S. cybersecurity workforce. Toward this effort, a utility SME panel has mapped power system cybersecurity job responsibilities to the objectives of two workforce frameworks (NICE and ES-C2M2), the domains of training/education programs, and the objectives of key certifications. 


Thursday, March 7, 2013

Recommended Reading: Industrial Safety and Security Source

3/8/13 Flash update - SGSB reader and contributor Ernie H suggests you visit Joel Langill's www.scadahacker.com site as well to further enrich your budding control systems security knowledge.
--------------------------------

As I've mentioned a few times before, this year I'm working on getting my OT security chops up to speed, and that means getting a lot more familiar with the way SCADA and ICS systems work when they're functioning properly, to better appreciate how they can be exploited when reached by those with impure thoughts and nefarious motives.

To that end I reach out to folks who seem to know more about this part of the world than I do (sadly, a group that must number in the hundreds of millions). I'm not always successful, but when I am, I'm happy to share my success so you can advance your own understanding, if necessary, as well.


Saturday, March 2, 2013

Cybersecurity Workforce Developers Need You !!!


The following is an un-paid public service announcement from one of my favorite organizations (note: while this is intended for US-based cybersecurity professionals, there's a lot to learn, and a lot of similar tasks that need to be accomplished, if you live and/or do your work in other regions):
Power industry security stakeholders!
The National Board of Information Security Examiners (NBISE) is partnering with the Pacific Northwest National Laboratory to contribute to the development of the U.S. cybersecurity workforce. Toward this effort, a utility SME panel has mapped power system cybersecurity job responsibilities to the objectives of two workforce frameworks (NICE and ES-C2M2), the domains of training/education programs, and the objectives of key certifications.

Tuesday, June 19, 2012

NARUC Releases a Timely Cybersecurity Guide

I didn't like the tone of my original piece on this so have made a few mods. Content is essentially the same.

Here's a LINK to the National Association of Regulatory Utility Commissioners (NARUC)'s new Cybersecurity for State Regulators.

Before I begin to comment on and critique some of the contents, I just want to say I have no ax to grind against NARUC. From my interaction with its members, including several of the folks named as authors of this document, these folks do a fantastic job, state by state by state, keeping the gigantic and sprawling US grid reliably and economically up and running.

And let's continue with a little more praise. Very few state regulators have hands-on experience with cybersecurity. Giving them a guide that both teaches them, at an intro level, and arms them with good starting-point questions, is a wonderful and necessary thing. Major kudos for that.

However, this paraphrase from an article introducing the guide gave me initial pause:
NARUC advised state commissioners to work with utilities to increase their investment in cybersecurity protections for the smart grid.
This statement makes it sound like someone knows what the right amount of spending is. And that would suggest that that same someone knows a lot about the evolving threats, as well as the requirements for the right types of correctly deployed and configured technical and human protections, and has converted them to USDs (money). These are all things the energy sector security community is working on, but quantifying down to the right level of dollars spent is beyond us still, I think.

Now here's a direct quote from the guide:
Regulators have to determine whether the amount being invested is insufficient or excessive and whether it is allocated appropriately.
I know it's their job in general, but I also think that, specific to cybersecurity, this is a burden (on the regulators themselves) too far. Determining appropriate allocation is definitely a worthy pursuit, and the matter has great import for all stakeholders including customers. But man, without some commonly agreed frameworks or metrics to measure against, it's a tough one.

Now I'll do a quick pass at a couple of the proposed questions in the appendix. The first one is about budget:
Q26. Is cybersecurity budgeted for? What is the current budget for cybersecurity activities relative to the overall security spending?
Good stuff generally, and really core when it comes time for rate case justification. But I'd also want to know how the budget is arrived at. Like an elementary school teacher, I want you to step up to the board and show me the math. And I'm not sure the second question is all that relevant ... is there a correct or helpful answer to that one?
Q27. Are individuals specifically assigned cybersecurity responsibility? Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?
I hope that in even the smallest utilities (and some are mighty small) the answer to the first question is yes. And I know that in even the largest utilities, the answer to the second question is almost always no.

Now here are a couple of other questions I might have suggested. In addition to Q27, I would have liked to see questions that poke into other governance issues, like:
  • QAB1: Related to applications: How many applications do you have? What are the top 10 most important ones? Who owns them? Who developed them? Who patches them? How are they secured? When was the last time they were tested and how did they do? Who tested them?
  • QAB2: Related to data: Have you inventoried your data assets? Developed a classification scheme? Identified data owners? Developed data lifecycle and protection policies? Practiced responding to a data breach? Who owns Privacy?
  • QAB3: Related to money (again): Beyond pen testing, how do you evaluate the effectiveness of your cybersecurity policies and programs? Related to Q26, what methods do you use for prioritizing your cybersecurity expenditures?
OK, I'll leave off there. This is simply going too long. But would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.

Thursday, May 24, 2012

SGCC Releases Smart Grid Privacy Fact Sheet


In January of this year we gave you a privacy post related to the Smart Grid Consumer Collaborative (SGCC) from a panel session it organized the day before the Distributech conference in San Antonio.

Time has passed and now the same great org has produced a short, sweet, and very helpful fact sheet on Privacy for the layman, also known as the "man on the street", the "generalist", the "consumer" or from the electric utility industry's point of view: THE CUSTOMER.

The 2-sided sheet contains lots of helpful orienting bits like what's a "smart grid" and "what is a smart meter", but the part I like best comes near the end:
The privacy of electricity usage data is protected now and that will not change with the use of smart meters. Electric companies, the federal government, and the suppliers of critical electric grid systems and components are working together to strengthen consumer safeguards, develop a best-in-class data security model and enforce its implementation.
Talk about a pure pro-education / anti-FUD message. I think I am in love.

Photo credit: Roland at Flickr.com

Saturday, April 7, 2012

USAF Seeking (More than) a Few Good Cyber Men and Women

Thanks to my friend and Academy classmate Chris Davis (USAFA '85) for the heads-up on this recent Air Force news.

Wonder if anyone in DOD has heard of the excellent NBISE, an organization dedicated to cranking out a better breed of cyber defense professional? Anyone out there know Space Command's General Shelton, quoted within HERE? Maybe he could send some scouts to watch for talent at NBISE's upcoming US Cyber Challenge. It's open for registration now.

Here are a couple of plugs for the event. First, from the Hon. Mike McConnell, former Director of National Security and Vice Chairman of Booz Allen Hamilton:
Our government and U.S. commercial companies are being besieged by attempted cyber attacks every day, and the nation needs as many resources as possible to prevent damage and the theft of intellectual capital. The U.S. Cyber Challenge offers a unique and exciting platform to identify the talent we need to defend our nation.
And here's Michael Assante, President & CEO, National Board of Information Security Examiners (NBISE):
The Cyber Quest competition and Cyber Camps are critical as our nation continually undergoes fast-paced changes in technology. Our growing reliance on digital technology requires concentrated efforts, like these, to identify and best develop the next generation of highly skilled cyber security professionals.
Please get the word out on this event if you can.

Wednesday, March 21, 2012

Webcast Alert: NESCO on PKI for AMI, Smart Grid and ICS Networks

For those unfamiliar, NESCO = National Electric Sector Cybersecurity Organization. NESCO is running an upcoming webinar on Public Key Infrastructure (PKI) in the context of modernized (and modernizing) grid systems and networks, including control systems.

Here are the details you need:
  • When: Tuesday, March 27, 2012 at 10:00 AM - 11:00 AM ET
  • Link to Register: Click HERE
  • Associated NESCO PKI white paper is HERE
For more about NESCO, including how to get involved, click HERE.

I'm getting a little tired of these all-capital HERE links, but let's do one more before calling it a night:

Click HERE to find out how New England fans feel about Tim Tebow joining the Jets today.

Thursday, February 23, 2012

Fifteen Minutes for a Better Grid Security Workforce


Not too long ago we posted on the NBISE effort to build a better security professional for critical infrastructure sectors like ours. A lot of work (especially ground work) has been done since then, and now NBISE is ready to take it up a notch, with broader input from the wider world ... including, potentially, you.

Check this out:
The National Board of Information Security Examiners (NBISE) is partnering with the Pacific Northwest National Laboratory to contribute to the development of the U.S. cybersecurity workforce by developing a detailed Job Performance Model (JPM) for Smart Grid cybersecurity personnel in the functional areas of security operations, intrusion analysis, and incident response.

NBISE and PNNL manage the Smart Grid Cybersecurity (SGC) Panel, which oversees and contributes to the Department of Energy’s efforts to develop a job competency model and assessment focused on the job responsibilities and unique skill set of Smart Grid cybersecurity specialists. This SGC survey seeks to determine the critical cybersecurity job tasks in the Smart Grid environment.

This survey is an important step towards the development of a job performance model for cybersecurity roles necessary to secure and protect the Smart Grid. If your expertise and experience is related to security operations, intrusion analysis, and/or incident response, then this survey is for you. Details:
  • The survey will require approximately 15 minutes 
  • You may participate in this survey using any web browser and will require no special software 
  • This survey is anonymous. The record kept of your survey responses does not contain any identifying information about you unless a specific question in the survey has asked for this. If you have responded to a survey that used an identifying token to allow you to access the survey, you can rest assured that the identifying token is not kept with your responses. It is managed in a separate database, and will only be updated to indicate that you have (or haven't) completed this survey. There is no way of matching identification tokens with survey responses in this survey.
Got it? Ready? Well here you go ... 
TO PARTICIPATE IN THIS SURVEY, PLEASE CLICK HERE.
For further information regarding the Smart Grid Cybersecurity Panel Job Analysis Questionnaire, please click HERE. Additional information on NBISE and its Job Performance Methodology may be obtained by clicking HERE.
Photo credit: Dave Stokes on Flickr.com

Tuesday, January 3, 2012

New Book Educates and Guides Smart Grid Security Stakeholders

Between them, authors Gib Sorebo, energy sector security lead for SAIC and Michael Echols, expert security consultant to many utilities including, recently, the Salt River Project in Arizona, have the chops to go deep into the technical weeds of grid security risks, challenges and solutions. Fortunately, however, in their just-published book on the subject, their aim is quite different than a technical tour de force:
For those who argue that one cannot secure a system without knowing how it works or the consequences of implementing the wrong security, this book is for you. Our goal is to make the Smart Grid and all its warts accessible to not only cyber security practitioners, but also to media, policymakers, regulators, engineers, utility executives, and even to consumers to understand the interplay between the automation of the electric grid and security.
Titled Smart Grid Security: an End-to-End View of Security in the New Electrical Grid, the book is very current, having just become available for purchase on Amazon and elsewhere in December.

There's much I could point out to you that's worthwhile, but the job of the blog is to alert you to the availability of a resource, and give you an opinion on whether it might be worth your time, not to do a full book review.

But to give you a feel for the types of topics Sorebo and Echols reach, consider this piece pulled from a chapter on operations and outsourcing:
Monitoring for cyber-threats through an incident identification and response strategy should extend beyond the traditional boundaries of the utility itself .... Vendors are typically connected to multiple utilities that are connected to multiple vendors ... the question becomes: if Vendor A is compromised, how many utilities does it affect? And how would those utilities know if they were affected or not?
Sounds pretty overwhelming, but this is not a scare book. Throughout the nearly 300 pages, they keep their descriptions of cyber risks, vulnerabilities and other challenges as dispassionate as possible. The passage above is followed by:
To mitigate [risks like these], utilities and vendors must begin to insert cyber security into their maintenance and support contracts .... If a vendor loses information deemed to be private, then they are generally required to report the fact that there was a breach .... However, there appears to be no legal requirements for a vendor that is compromised and that has direct access to a utility's control system .... As part of a good incident response security posture, [increased] collaboration may be necessary in the highly interconnected organizations that support the bulk electric system including utilities, vendors and service providers.
So there you go. And there are more helpful details on this and many other topics for folks charged with bringing security capabilities to fruition. I highly recommend this book for anyone who cares that their grid is as reliable, efficient and secure as possible, even as it goes through the many changes involved in becoming a Smart Grid.


Tuesday, February 22, 2011

2011 Smart Grid Security Summer School Announced

Summer school this year, so maybe there'll be an Outward Bound Smart Grid adventure camp in 2012? Here are the details:
With support from DOE and DHS, we are proud to present the "Cyber Security for Smart Energy Systems" Summer School organized by the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Center. The summer school will be held in the Q Center, St. Charles, Illinois, which is less than an hour away from Chicago's O'Hare Airport, June 13-17. 
An overview of the objectives and topics for the summer school is provided in the attached document. Details on registration, the program, and travel logistics will be available soon HERE.
You may contact Rakesh Bobba (rbobba@illinois.edu) or Scott Pickard (spickard@illinois.edu) if you have questions, comments, or suggestions. We very much hope that you can join us, and we look forward to an exciting summer school.

Monday, January 3, 2011

Teaching the Old Grid New Tricks ...


... will require students versed in the art and science of engineering, including (but not limited to) electrical engineering. We used to say that in the future we'd need these folks. Well, with the recent passing of 2010, the future is beginning to look more and more like the present.

A present in which ...
A great deal depends on whether power companies can find and attract a sufficient number of engineers capable of designing, managing and maintaining the new systems the smart grid demands. And that’s by no means certain. The Center for Energy Workforce Development estimates that by 2015, 51 percent of the power-engineering workforce will need to be replaced because of retirement or attrition. And that’s just to maintain current levels. To drag our aging grid into the 21st century will require power engineers trained in the most sophisticated communications and control concepts.
Seems like the old immovable object about to be whacked by an irresistible force. In a tough job market, this much need can't and won't go unfulfilled for long.

This article quotes a manager at AEP as saying these vacant engineering roles will be filled by new personnel from one of three sources: re-trained internal folks, university programs and vendors. University investment in new teachers and courses has been constrained to say the least. Though the last word may belong to the DOE, which just slapped down a cool $100 million on the counter for Smart Grid training programs.

At the bottom of the article you may notice one reader asks "Just engineers?" The answer, of course, is of course not. Increasingly, folks with training in business and economics are called for as the old business models are poised for a most thorough revision.

And as for cyber security pros to watch over the systems designed and built by the new crop of inspired engineers and business folks, they're likely going to come from vendors for a while longer, until organizations like SANS and the new NBISE can get a bunch more out the door with the requisite energy sector chops ... like a firm grounding in SCADA/ICS, for instance.

Photo credit: USAFA (my alma mater) graduation by Beverly & Pack on Flickr.com

Thursday, April 8, 2010

We Don't Need No Smart Grid Education

Wrong. If you've ever taken the time to read beneath the articles about Smart Meter vulnerabilities or other looming forms of grid insecurity, you'll suspect that the teeming masses, at least those who read these pieces and have the gumption to respond, are intensely opposed to the whole Smart Grid idea. Here are a couple of random selections for you, culled from a recent article on Smart Meter "holes":

Random Comment #1:
We have a smart meter on our home. So far, the only thing that it has been able to do is let me monitor my weekly consumption and get weekly updates on my projected monthly bill. Any savings that I get for off-peak usage has been eaten up by rate increases by my electric utility. As far as I can see, the only thing these meters will do is enhance the profits of the utility companies by letting them sell their power more efficiently. In the long run, it's not really helping the consumer in the wallet.
Random Comment #2:
Wait a minute. Everyone here has missed the point. If I can hack your meter and shut off your power, there is nothing stopping me from shutting off your neighborhood, your town, city, etc. These things are all connected - to each other and to the mother-ship. A hacker isn't interested in turning off your coffee maker, he wants to own all the meters in the city.
Imagine:
Hacker: Give me $10m or I'm going to shut down Seattle
Seattle: Go jump in a lake
Hacker: brings down the city for 2 minutes
Hacker: Wire the money within 60 min or I'll shut down the city for 24 hours.
Seattle: Where would you like it?
Where's Jack Bauer when you need him, eh?

Is the Smart Grid a scheme dreamed up by utilities to rob us blind? No. Are steps being taken to ensure that Smart Meters and the Smart Grid are secure? Yes. But the average consumer, if he/she takes the time to read about the Smart Grid, sees ten negative messages for every positive one. Jack and I have been advocating for much more and better messaging and education to consumers on the who/what/why/when and how's of the Smart Meters that are landing on their houses, and the Smart Grid drivers that have set this all in motion. See: the Smart Grid Confidence Game.

In the "National Power Grid that Thinks" by Alex Kingsbury of US News and World Report, we get a concise statement demonstrating Kingsbury's spot-on situational awareness of the present state of the Smart Grid's image:

Smartening the public is as critical as smartening the grid itself.
We couldn't agree more. Too much is made of the technology and too little effort (by far) is spent educating and socializing the public re: the coming Smart Grid. To that end, we urge the recently formed Smart Grid Consumer Collaborative to pump up the volume asap.

Image Credit: Flickr Creative Commons

Wednesday, February 17, 2010

Mainstreaming the Smart Grid

Loved seeing a USA Today front page article this morning on early consumer experiences with the Smart Grid. To me, press like this is an important indicator of the education and mainstreaming process. The piece describes some money saving success stories and some setbacks too (as Jack did earlier here), but overall serves to demystify the Smart Grid.

The article drew over a hundred comments as of tonight, indicating big interest but also continuing big ignorance and paranoia about why the Smart Grid is being built, e.g.:

  • "I would rather spend money on solar panels on my roof"
  • "Surely you realize that if everyone en masse were to save 15%, the power company will need a rate hike to cover that?"
  • "Smart Meters - so smart the utilities can program them remotely to ....er, show increased consumption?"
And there's always this not completely irrational response to consider and address: "Anything that takes control away from the consumer is a threat." 

Sitting back on our skis isn't going to get us where we need to go. As we've said previously (and others have chimed in similarly), before it gets on board, the public's got to get a big dose of openness and confidence from the industry and government. Now would be a great time for all parties to turn up the volume on where we are, where we're going ... and maybe most importantly, why we're on this trip to begin with.

Monday, August 31, 2009

NERC's Cyber Education Role

Online tech mag Ars Technica recently wrote up the results of two reports on US energy infrastructure, one from the North American Electric Reliability Corporation (NERC), and the other from a small cyber security company named LogLogic. The sum, for me, was a reminder of how far we have to go on enterprise Smart Grid cyber protection policy and implementation, and how little time we have to get there.

Referenced within the Ars article is NERC Chief Security Officer (CSO) Michael Assante's April 2009 memo to electrical industry players. His calls for increased attention to cyber risks are still at the basic education level, as many of the targets of his guidance come from operations and are still relatively new to the IT and cyber security domains:
... as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations. I have intentionally used the word “manipulate” here, as it is very important to consider the misuse, not just loss or denial, of a cyber asset and the resulting consequences, to accurately identify CAs under this new “cyber security” paradigm.
It's excellent that Assante keys on manipulation here, as cyber attackers oftentimes achieve greater effects through means that at first appear quite subtle ... or aren't visible at all. At some point he's going to have to point out that a precursor to manipulation or outright attack is monitoring, often done by placing apparently benign software agents on target systems to collect data and await further instructions.
Assante also attempts to update industry thinking on the current grid's design, which can usually handle large single points of failure. Cyber threats are often targeted less like sniper rifles and more like shotguns:
One of the more significant elements of a cyber threat, contributing to the uniqueness of cyber risk, is the cross-cutting and horizontal nature of networked technology that provides the means for an intelligent cyber attacker to impact multiple assets at once, and from a distance. The majority of reliability risks that challenge the bulk power system today result in probabilistic failures that can be studied and accounted for in planning and operating assumptions. For cyber security, we must recognize the potential for simultaneous loss of assets and common modal failure in scale in identifying what needs to be protected. This is why protection planning requires additional, new thinking on top of sound operating and planning analysis.
Thinking? Excellent. New thinking ... even better !!!

Tuesday, July 14, 2009

Discover(y) the Smart Grid

If you don't feel you've mastered all Smart Grid fundamentals yet, the Discovery Channel always makes learning a very engaging and entertaining experience. This week they're focusing on the Smart Grid, so check it out here if you want to get even smarter than you are now.

Wednesday, June 24, 2009

Smart Grid Learning Institute Posts Dr. Massoud Amin's 23 June 09 Presentation

Here's a link to the Smart Grid Learning Institute, an org of which I was unaware until they hosted a great webinar from Smart Grid guru Massoud Amin. You'll see a link to Massoud's 80-slide PowerPoint front and center. Security is touched upon lightly, and you might have to speak with Dr. Amin in person if you want to get a better feel for his Smart Grid security knowledge learned at EPRI and elsewhere ... which is extensive.