Showing posts with label governance.
Friday, August 30, 2013
The Things I've Seen Series: Part 1 - Utility Security Governance Boards
In the final moments of Blade Runner, Rutger Hauer's character, close to death, tells Harrison Ford: "I've seen things you people wouldn't believe."
Over the course of the next several posts I'm going to go through some of my sanitized field notes and let you see things you may or may not believe, some good, some not so good. Nothing quite as cosmic as what Hauer relates in his final moments, but probably should be interesting if you're in or work with the industry.
Let's start off the series on a positive note with the formation of Security Advisory Boards. Investor Owned Utilities (IOUs) typically have a number of boards: executive, safety, governance, audit & compliance, etc. However, you can dig through annual reports and review the investor information sections on company web sites for a long time and you likely won't find much if anything relating to cybersecurity risk strategies, concerns or activities.
Thursday, February 7, 2013
One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0
My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:
I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.

Well guess what readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note sublime, almost hypnotic snowflake animation on landing page).
Friday, August 31, 2012
Conference(s) Alert: EnergySec and GridSec coming up
These are the two longest running energy + cybersecurity conference tracks in North America and both have summits coming up this Fall:
http://www.energysec.org/summit
Sep 25-18, 2012
Portland, OR
http://www.gridsec.com/2012/summit/
Oct 22-24, 2012
San Francisco, CA
Click through and you'll see that both agendas are forming and speaker rosters are still being firmed up, but utility participation is on the rise and these are the real deal.
Also there's much more focus now on the security of operational systems, not just IT/Business.
Recommend you attend one of these, and if you can't, then at least pay attention to the articles, blogs and videos that come out of them ... some, hopefully, right here.
Wednesday, August 15, 2012
Mid 2012 GAO Update on Grid Security ... and a Mea Culpa
Before teeing up the most recent GAO report on electric sector cybersecurity, I'd like to use this pixelated platform to speak back to a quote attributed to me last week that raised the hackles of some utility professionals (and it should have).
First, I'm neither a security-focused PR flack for the electricity industry, nor a gotcha journalist trying to capture eyeballs by vilifying utilities and scaring readers. Rather, I'm a member, supporter, advocate, and hopefully, sometimes, a constructive critic of the enterprise of keeping the grid safe and secure while updating it for the 21st century.
So here's the thing: a recent interviewer quoted me as saying senior management doesn't have a very good understanding of their security posture. While I'm sure I've said something like this a hundred different ways on the blog, it's never been intended as an insult or attack, but rather as an observation of the current state of affairs at many but not all utilities. The way this was captured and framed in the article, however, losing nuance and a few other qualifying words along the way, it definitely came off as a blunt attack ... and I'm not the only one who noticed. Sorry about that ... wasn't my intent.
However, support for this type of generic observation comes from things everyone in the industry already knows, and that the GAO lists on the highlights page of its July 2012 report. Here are the last 4 challenges, partially addressing utilities, partially the larger industry ecosystem:
- A focus by utilities on regulatory compliance instead of comprehensive security
- A lack of security features consistently built into smart grid systems
- The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues
- The electricity industry did not have metrics for evaluating cybersecurity (AB: of course I'll come back to this one before the post is over!)
All of these things make sense to folks who've either been in a utility or have worked with utilities and/or regulators for some time. There's a logical history to each of them that explains where they came from and why they remain challenges to be solved.
And you'll note (and it angers some of the more concerned security pundits when I say this), that whatever US utilities have done so far has apparently been enough to keep cyber attackers from having major successes to date.
As this post is now getting too long and trying to do too many things, let's end with another invocation on the benefits of business-oriented metrics, this time courtesy of the GAO itself:
... Having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
The GAO, I think, comes from a similar position, in some ways anyway, as this blog. The cited report mentions not just shortcomings but positive actions taken so far. The GAO, the SGSB (this blog) and plenty of other groups and individuals simply want to see utilities and the industry be safe and successful while they modernize to meet the demands of our times. Neither are interested in criticism for criticism's sake, but only to suggest better possible methods. I'll leave it at that for now.
Tuesday, June 12, 2012
Talking Back to the CMU/Cylab Report's Energy Sector Findings
The report in question is the CyLab 2012 Report - Governance of Enterprise Security: How Boards & Senior Executives Are Managing Cyber Risks. Posted on this report recently, HERE, which includes links to it.
Have gotten some less-than-happy feedback from a number of readers, so in the interest of giving you access to additional points of view, here's a bulletized critique from a concerned utility industry professional:
- Survey size is too small to produce meaningful results/findings (e.g. 108 respondents, with only 14 or so in the "utility/energy" category)
- Not sure what types of companies fell in the “Energy and utility companies” bucket. It's unclear if many or any are electric power
- In addition, the survey was global, with a minority of respondents (40%) based in North America and it's unclear whether there were any energy/utility co's from North America
- The survey states opinion (vs. evidence) concerning the adequacy of corporate board and senior executive review of risk
- The survey makes erroneous judgments about an organization’s ability to manage cyber security and privacy risks regarding the presence or absence of corporate officers with particular titles or the composition of corporate audit/risk committee structure
Tuesday, June 5, 2012
More Datapoints on the Current State of Electric Sector Cybersecurity Governance
In March we covered the preliminary CyLab report on the state of cross-sector security governance, and one of the things it taught me was that electric sector cybersecurity professionals are not alone in their quest to improve/increase the level of interaction and communication with senior executives in their companies, including the CEO and Board of Directors (BoD).
Other than financial services sector companies, whose reputation for being in the lead on security and privacy governance matters is corroborated, none of the other sectors covered (IT/Telecom, Energy/Utilities, Industrial) fares particularly well.
Well, the final Carnegie Mellon/CyLab report is out now, and it provides a lot more detail into which to sink one's teeth. You can begin with the press release HERE, or move straight into the 28-page full report HERE.
But with your limited time in mind, electric sector reader, I've cherry picked a few salient nuggets for your more rapid consumption. First, an opening statement:
Interestingly, none of the energy/utilities sector respondents indicated that they have a Chief Risk Officer (CRO) even though their risks are high. The energy/utilities sector also places a much lower value on board member IT experience than the other sectors, which is puzzling since their operations are so dependent upon complex supervisory control and data acquisition (SCADA) systems.

Interesting: connecting IT experience with a foundation for grasping control systems security fundamentals. Certainly better than having no information systems background. And I didn't know CROs were rare in large utilities. Maybe the utilities that participated in this survey are not representative of the larger population for some reason. But I would have thought CROs were commonplace, even if their attention wasn't trained on cybersecurity risks.
Now let's go straightaway to the electric sector conclusions:
- The energy/utilities and IT/telecom respondents indicated that their organizations never rely upon insurance brokers to provide outside risk expertise, while the industrials sector relies upon them 100%
- Energy/utilities and IT/telecom sector boards are not adequately reviewing cyber insurance coverage
- The energy/utilities sector places a much lower value on board member IT experience than financial, IT/telecom, and industrials industry sectors
Review existing top-level policies to create a culture of security and respect for privacy
This CyLab report is an interesting complement to the recently released IBM CISO Survey, the results of which were discussed HERE last month. I'm always glad to add others' takes on how our sector is faring, even if the findings are less than glowing. The truth, as they say, and presuming it's present to some degree in these reports, will set you free. Hopefully free to make things better.
Image credit: Magnetbox at Flickr.com
Tuesday, May 22, 2012
WSJ on Speaking Cybersecurity Truth to Power
This is a short post with a security message that appeared in a prominent place, a message worth repeating.
In the Wall Street Journal's relatively new CIO Journal, editor Michael Hickins highlighted recent statements from a local Boston-area healthcare CIO, and pointed to preliminary findings in a Carnegie Mellon cyber security and corporate governance report.
In "Speak Cybersecurity Truth to Power", Hickins said:
Boards of directors are clueless when it comes to cybersecurity — and that’s a great opportunity for CIOs to prove their worth. John Halamka, the highly regarded CIO of Beth Israel Deaconess Medical Center in Boston, tells CIO Journal that “cybersecurity is a great way to stay in touch with the board because there’s high visibility.”