Showing posts with label europe. Show all posts

Monday, January 13, 2014

Conference Alert: SmartSec Europe 2014


There's not much time left, but here's an exciting conference if you're not going to Distributech in San Antonio but still want to visit a historic city with picturesque waterways.

Location: Amsterdam
Dates: 29-30 January 2014
For more info, click HERE
To register, click HERE

Bonus #1: My friend Johan Rambi and grid security superstar Annabelle Lee will be speaking

Bonus #2: All SmartSec attendees are invited to stay on one more day to help set the course for Europe's new ISAC and situational awareness organization, DENSEK.  It convenes at 1000 hours on Friday the 31st at the same venue.

And in case you're wondering, DENSEK includes but is not focused on Denmark. DENSEK stands for Distributed ENergy SEcurity Knowledge ... capiche?

Photo credit: The Travis Caulfield Travel Blog

Sunday, March 3, 2013

Conference Alert: European Smart Grid Cyber and SCADA Security


The European wing of our global grid security tribe is gathering soon in London. Some great speakers and plenty of utility participation at this one.

Recommend you check it out - here are the basic deets:
  • When: March 11 & 12
  • Where: The Copthorne Tara Hotel, Scarsdale Place, Kensington, London, W8 5SR
  • For more info and registration, click HERE
SGSB point of contact: Jamison Nesbitt, jnesbitt@smi-online.co.uk

Photo credit: Magnet Magazine

Tuesday, August 28, 2012

ENISA Again: 3rd Time's the Charm re European Grid and Smart Grid Security Policy

8/29 Update:

You still have a few days to register and get your plane or train tickets to Amsterdam. In one fell swoop, the existence of this 10/15 workshop, in itself, fully refutes charges of lack of US-European cooperation, as well as claims that control system security is ignored. Go HERE to learn more and register.

---------------------------------------

While of monologues many great political speech or play are constructed, it's through dialogue we reach understanding and consensus. Wait, who said that?

This blog first posted on the European Network and Information Security Agency (ENISA) and its recent recommendations for EU energy sector security earlier this month.


Saturday, August 11, 2012

Perhaps Better Fettered: 2nd Thoughts on ENISA's Cybersecurity Report from this Side of the Pond

Had a number of reader responses to this week's post on the European information security organization's proclamation of intent and recommendations for the electric sector and Smart Grid. 

My post welcomed the attention to the issue by the EU, but expressed, hopefully in a mainly professional way, that this feels, to invoke a common American idiom, a day late and a dollar short.

Here are two additional observations I got:
1. One US respondent says "It contains no call for cooperation with US-CERT, FERC or equivalent body on problems that are clearly of interest to both sides. Compare with various DHS initiatives (such as DHS ICSJWG) which have included foreign participants."
Concur. References to SANS, NIST and DHS in the bibliography notwithstanding, it does appear that explicit calls for transatlantic, interagency cooperation are missing, and that this should be rectified in a next version.
2. Another true blue American notes "ENISA reports do not adequately address control systems."
While the bibliography is littered with entries for SCADA and Control Systems-related texts, it doesn't seem like much of that research made it into the final document. Still, while most of the 10 recommendations involve getting ready to get ready to do something, and control system security seems to be largely glossed over, there is, in requirement 6, language that might point to operational systems at some point:
Recommendation 6. Both the EC and the MS competent authorities should promote the development of security certification schemes for components, products and organisational security.
So I'll leave it at that for now. Would welcome an ENISA response. I always try to not be too hard on 1.0 documents because there's always the chance, if not the likelihood, that we'll see them improve in subsequent versions.

I know it doesn't want to be a fetterer, but my sense is that Europe will come to see the wisdom of getting a bit more explicit and comprehensive in these matters.  I know from experience that some of its utilities are looking for more guidance. OK? Back to the Olympics!

Wednesday, August 8, 2012

Unfettered: ENISA Announces European Smart Grid Security Intentions


Here's how the European Network and Information Security Agency put it a few weeks ago:
"We are happy to inform you that ENISA has recently published a new study on smart grids’ security. This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing. This guidance is based on the results of a thorough analysis of the opinions of the experts who participated in the study."
Couldn't possibly be softer, gentler, or less threatening, I'd say. Sort of like what some of the North American utilities wish they had to deal with instead of the teethy and time-consuming NERC CIPs. Certainly this ENISA stuff is much higher level, earlier stage guidance than the NISTIR 7628, which has now been available in some form for over 2 years.

But I note that we're hearing of no more significant cybersecurity breaches in the European electric sector than we are at utilities in the US. Maybe it's true what some say, that expensive and time-consuming compliance burdens and activities cut into the utilities' own cybersecurity efforts. The argument goes that if it weren't for the NERC CIPs, utilities might be able to better secure themselves.

At this point, it's hard to discern a difference in effectiveness between the European laissez faire approach to setting electric sector security rules and the more prescriptive North American one. Maybe the pluses and minuses of each roughly cancel out and for the moment, both are in reasonably good shape.

Although I bet that's a message you're not going to hear at the ICS CyberSecurity Conference coming up in October.

You can download the ENISA document HERE.

Europa Image credit: Wikipedia Commons

Wednesday, May 30, 2012

Workshop Alert: ENISA Flexing Grid Security Muscles in Brussels

This announcement, from the European Network and Information Security Agency (ENISA) hit my inbox earlier today and you might like to see it, especially if you are based in Europe (or would like a reason to visit). I reduced it down for your more rapid consumption:
  • Title: Workshop on “Security Certification of Smart Grid Components”
  • When: June 27, 2012
  • Where: Rue de la Loi, 130-1040 - Bruxelles (that's Brussels, Belgium, for you non-Euro types)
  • Who (should attend): Participants and speakers of the workshop would be national certification authorities, EU officials, hardware and software manufacturers, energy service providers and certification laboratories from EU and US
  • Organizers: ENISA in cooperation with the European Commission
  • For details and to register, click HERE
The stated objectives of the workshop are to:
  • Support the Member States in better understanding the challenges of the Smart Grid component certification process 
  • Contribute in the harmonization of different certification policies followed by the Member States 
  • Invite Member States to present their national certification schemes and private sector to present their views on the matter 
  • Debate about the possible steps to take, at national and EU level, to speed up the secure introduction of Smart Grids
Sounds somewhat akin to IEC 62443 2-4. Perhaps there's some overlap or potential to leverage existing work. Anyway, if you've got something to contribute, or a desire to learn, go if you can ... and don't skip the mussels.