Showing posts with label government. Show all posts

Thursday, May 23, 2013

House of Reps Report Reams Utilities on Cybersecurity

I was trying to capture the spirit of Jesse Berst's headline on the same subject:
Utilities to FERC: Take your security measures and shove it
That's not very nice, is it?  I think they toned it down with a later change, but this headline was what was in my inbox in this morning's SmartGridNews.com newsletter. The subject is a recent report published by the House of Representatives that's highly critical of electric utilities' behavior to date regarding grid cybersecurity.

Moving on! The Wall Street Journal's Rachel King did a fine write-up of recent testimony from the CEO of the American Gas Association (AGA), Dave McCurdy. King began by noting that:
The oil and gas sector faces many of the same cyber security challenges as the electric industry. Yet, there’s one major difference between the industries, both of which need to secure software-based industrial control systems from intruders. There are no regulations governing cyber security among the oil and gas companies.

Thursday, February 7, 2013

One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0

My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:
I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.
Well, guess what, readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note the sublime, almost hypnotic snowflake animation on the landing page).

Monday, November 26, 2012

Thoughts on the Explosive MI6 OT Breach in Skyfall

Have you seen the new 007 movie yet, the third of the series that features Daniel Craig as Bond? Called Skyfall, one of its key plot drivers occurs when the evil mastermind blows up part of British spy headquarters, MI6, in London, with a handful of deft key strokes. By the way, OT in the title of this post = Operational Technology, as differentiated from business information technology or IT.

Stuxnet this is not, but it is clearly depicted as a cyber attack on physical assets, and others who have weighed in on the plausibility/authenticity of this depiction (see HERE and HERE) cannot help but point to Stuxnet as the real world proof of concept.

To free up more time for mayhem, Javier Bardem's well played psychopath might have started with Shodan, the online search engine that helps both good guys and charismatic bad guys quickly locate internet-connected control systems.

Monday, October 1, 2012

Utilities to Commerce Chairman Rockefeller: Let's Talk and Team on Cybersecurity

We've been watching the back and forth for several years now.  2010's GRID Act didn't make it across the legislative finish line, and a similar fate just befell the Cybersecurity Act of 2012.

In response to a recent letter (read THIS first if you can) from Senate Commerce Committee Chair Jay Rockefeller, the four most significant electric utility groups banded together to craft a response.  And what a great response it is!

Wednesday, November 2, 2011

State Exemplar Colorado gets Well Deserved Cyber Security Leadership Attaboy

Sorry, but I was a little slow on the uptake on this one.  Not an exemplary blogger, am I, that's for sure.

But self-flagellation aside, I want you to know that there's at least one US State out there that's done what I and others have been urging for large utilities. Namely, appoint and empower a CSO or CISO with enterprise-wide policy-setting and enforcement authority.

For Colorado, that's Travis Schack, who's at the helm as CISO. It's important to note that Colorado didn't have to create this position; it chose to. That's right: it was neither regulatory nor competitive pressure that drove this decision. Colorado has a CISO because it thinks its operations require one, and its citizens deserve one.

Weird, huh?

Well check this out, from Travis's own blog, and you'll see that he's asking questions near and dear to our sector right now. Of government agencies he asks:
... do you have a data classification process in your organization? Do you know what systems process, store, and/or transmit each type of data within your organization? Do you know who has access to each type of data, where the data is being accessed from, when the data is being accessed, and what is being done to your data?
Ahem and Amen. Nice job, Colorado. And thanks to the Center for Digital Government for shining a light on these folks.