Showing posts with label ics. Show all posts

Monday, November 17, 2014

Energy Security Postscript and Next Chapter

Long-time readers of the SGSB might have wondered if they'd ever see another post. Me too. After producing an average of 1+ posts per week since its inception 5 years ago, I cut way back after leaving IBM in 2013 to give myself more time to focus on consulting. And now there's a new development to report.

Four months ago I shuttered my security strategy business and began my first day on the job at Idaho National Laboratory (INL). It's one of the Department of Energy's national labs, and it's the one most squarely positioned at the intersection of energy infrastructure and national security. Let's call that energy security.

My INL title, Senior Cyber & Energy Security Strategist, may sound a little pretentious, but it pretty accurately captures what I was hired to do. If you visit the lab's home page or the INL Twitter feed it seems like nuclear energy research and related nuclear work are its dominant activities. But while nuclear energy research and fuels fabrication were its origin in the 1940s and its historic mission, with the help of its massive and remote test range that includes grid-scale transmission, distribution and communications assets, the lab I just joined does a ton of research and applied work on power and industrial control systems, Smart Grid and wireless communications, cyber and physical security and resilience, renewables, microgrids, energy storage and more.

Nuclear energy R&D and full nuclear fuel lifecycle work (including nonproliferation) will always be a significant part of the nation's requirements and the INL mission, and nuclear energy is arguably the most reliable portion of our non-fossil-fuel baseload, but INL is quietly becoming something much more - and more important - than its nuclear legacy might suggest.

Without going into too much detail, the lab's customers now include not just DOE's nuclear energy organizations, but also DOE's renewables, resilience and cyber-physical security components too. DHS has become a major customer, as the lab hosts the ICS-CERT cyber security overwatch function for the US grid and other critical infrastructures, and performs other leading edge cyber and physical security roles as well. DoD is a very large customer too, for energy, security and communications test functions, rounded out by direct work with utilities and energy and telecom technology suppliers.

In short, INL in 2014 is not the lab many people think it is. While it's yet to update its image online, a visit to Idaho Falls quickly confirms that this is one of the nation's preeminent Energy Security lab resources. Nuclear energy is and likely always will be a key element, but without making much noise about it, INL has become so much more, and I'm very very lucky to be a part of it.

------------------------------

Postscript to the Postscript post: Though my blogs are in suspended animation, I continue to speak in public, and albeit more frequently and tersely, on Twitter @andybochman. As the Twitter profile reveals, I continue to work out of my home office in Boston while hitting the road most often for DC, and of course, now, Idaho.


Monday, June 30, 2014

Get Schooled on ICS Sec by SANS at SERC in Charlotte

Here's the facts, just the facts:

Legendary cyber training institute SANS has joined forces with industry leaders to equip security professionals and control system engineers with the cybersecurity skills they need to defend national critical infrastructure.

Course name: ICS410 -- ICS/SCADA Security Essentials 

Course description: ICS410 provides a set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.

The discount: Receive a massive 5% off with discount code: SANSICS_SGSB5


Venue and date: SERC Reliability Corporation, July 14 – 18 in Charlotte, NC

Wednesday, March 19, 2014

A Social Summary of SANS ICS Security Summit 2014

Since I went solo there's been less time for blogging but I hope to catch up a little with this mega post on the just-concluded, 9th annual SANS ICS Security Summit which took place in the Contemporary Hotel at Disney.

Where I can I'll include Twitter IDs, as for many of us, Twitter is how we stay abreast of what we find interesting and what we're thinking about in between real world meet-ups. (Note: I only include these when they're unique to the individual and not shared by a company or org.)

I won't cover all the talks because I didn't attend all of them, and I apologize to those presenters I don't cover here. Nor was I at "Game Night" (though I wish I was) which from what I heard later was a fantastic and grueling hack-fest that extended into the wee hours before champions finally emerged.

Monday, November 25, 2013

ICS Electric Utility Attack Video and Aegis to the Rescue


SANS Securing the Human - ICS Attacker
The excellent security-minded people at the SANS Institute have produced an 8-minute video that walks you through a control systems attack. The money they saved by using animation instead of Matt Damon or Morgan Freeman was put to good use as you'll see. For such an esoteric subject, this is a first rate video. For more info please visit the Securing the Human site at http://www.securingthehuman.org/

Meanwhile, to calm you down after the video gets your heart rate up, you should start learning about a new tool that's set for release at the upcoming SANS SCADA Summit. It's called Aegis and it's not an anti-ballistic missile system.  It's a testing tool to help ensure systems communicating with one of the most common SCADA and controls systems communications protocols, DNP3, are harder to attack.

You can read more about Aegis here: http://www.automatak.com/aegis/

And more about the SANS ICS Summit here: http://www.sans.org/event/north-american-ics-scada-summit-2014

Saturday, November 23, 2013

Sandia and Hayden on Cybersecurity Strategies for Microgrids

First off, thanks to friend and colleague Ernie Hayden for writing a microgrid security post following his mini-immersion in the topic last week.  You can read his write-up HERE.

In particular, I want you to see something he linked to: SNL's Microgrid Cybersecurity Reference Architecture. That's Sandia National Labs, btw, not Saturday Night Live; talented though he is, Jimmy Fallon is not a contributor to this piece.

Thursday, October 31, 2013

Because Exercise is Good for US, GridEx II is Coming


In case you've been wondering what kind of shape our North American grid incident response and information sharing system is in, now's your chance to find out. You can click HERE for more details on what's coming up and register to participate if you're an asset owner or one of the other types of orgs that have an official role to play.
  • When: 13-14 November
  • Where: North America
  • Dress: Business Casual
While you're here, here are a few other items of possible interest:
  • You can read a decent GridEx II intro HERE, from the NYTimes
  • Findings and recommendations from the first GridEx begin on page 10 of the After Action Report
  • Click HERE for news on a recent disruptive control system cyber attack on a tunnel traffic system in Israel
Poster image courtesy of Crossfit.com

Monday, October 28, 2013

Wrap Up: The 13th Annual ICS Cybersecurity Conference

Another Industrial Control Systems Cybersecurity conference is behind us and, as usual, as documented by founder Joe Weiss, there were signs of a slow awakening to the importance of this topic, mixed with persistent inertia.

You can read highlights from the first two days HERE, and Joe's final day summary HERE.

It was nice to hear that my friend (and very good guy) Johan Rambi from large utility Alliander (based in The Netherlands) was playing such an active role.  And this note below reminds everyone that ICS security is not only an energy or power sector problem.  As Joe tells it:
Jeffrey Smith from American Axle gave a great presentation about how they have secured (or very significantly improved security) in their factories world-wide. What I felt was so important is their focus was on productivity and worker safety. Security was simply a threat that needed to be addressed so they could operate safely and efficiently.
This is reminiscent of others who point to the two goals one finds most highly valued in a power co, reliability and safety, and urge the security community to tie physical and cybersecurity tightly to those domains from messaging and business case perspectives.

Security practices are funded and run not merely to check compliance boxes, but to give businesses and government orgs Confidentiality, Integrity, and Availability (CIA) for their systems, networks, apps and data ... so they can continue to pursue their missions with confidence and efficiency.

Or to call out a potential ICS-specific update to the perennial security triad the conference produced: adding O for Operational Controls.  For this very important and highly specialized domain, it might make sense to reverse the prioritized order of CIA and get the O in there too: AIOC.  Ayy-Awk.

Saturday, October 19, 2013

Conference Alert: FIRST Energy Symposium - Energy Sector Incident Response


Sorry for the late announcement, but in the spirit of better late than never ...

In cooperation with ISC2, ICS-ISAC and EnergySec, the Forum of Incident Response and Security Teams (FIRST) brings you its first energy sector focused event.

As the FIRST folks put it:
This conference will bring together computer security incident response and security team professionals from all over the world and provide a forum for experts to promote, share, and discuss issues relating to developments in the field of Incident Response relating to the Energy Sector.
When: 28 + 29 October, 2013

Where: Lansdowne resort, Leesburg, VA (Not to be confused with Lansdowne Street in Boston)

To register: Click HERE (Save $100 using this code: Energy13)

BONUS: the agenda shows presentations by Jack Whitsitt and Chris Blask. If you don't know them, they are two of the more brilliant and idiosyncratic personalities in the business.  Worth the price of admission alone, IMHO.

Tuesday, October 15, 2013

Job Posting: Senior Power Systems Strategist


If you have ICS engineering credentials, you're not already in Idaho, and you want a change, can you picture yourself in Idaho? Or maybe you know someone qualified, and would be happier if they were in Idaho?

Either way, there's an opening at Idaho National Labs (INL) and if you could help fill it, one way or another, I'll be happy to give you contact information and mail you the full position description upon request.

Photo credit: VisitIdaho.org

Tuesday, October 8, 2013

Heads-Up: The 2013 ICS Cybersecurity Summit is Closing In


We talked about this conference and many of its concerns a few weeks ago at the EnergySec Summit, and among other things, got a great presentation showing how one utility has built and gotten great value from its OT security test-bed.

There's going to be a talk on test-beds plus a bunch of other great presentations at the annual "Joe Weiss" summit, so if you have interest, and the ability to get there,  I highly recommend you do.

Here are the basics:
Dates: 21-24 October 2013 
Venue: Conference location: GTRI Conference Center, 250 14th Street NW, Atlanta, GA 30318 
LINK for more info and to register 
LINK to register
Photo credit: Jomi Thomas Mani @ Flickr.com

Monday, July 29, 2013

Rapidly Approaching Training Alert: SANS Control Systems Security

Depending on where you sit at the cyber security table, this might be for you or someone in your org.

Here's how the SANS folks describe it:
A rising number of cyber threats impacting industrial systems have increased the urgency to address security challenges for Industrial Control Systems. Learn how to develop an effective and comprehensive cyber security strategy and equip yourself with the technical know-how and skills to apply in these unique applications. Cyber security is an important element to achieve highly reliable and safe operations. SANS Hosted ICS training courses equip both security professionals and control system engineers with the knowledge and skills they need to safeguard these important systems.
Available classes: SCADA Security Training, Critical Infrastructure and Control System Cybersecurity, and Assessing and Exploiting Control Systems

OK now the details:

  • What: SANS Industrial Control Systems Training
  • When: 12-16 August 2013
  • Where (Generally speaking): Washington DC
  • Where (More specifically): the Westin hotel in Georgetown
You can register here: http://www.sans.org/event/ics-security-training-washington-dc and if you use this code you'll get a discount: SANSICS_SGSB5

Wednesday, May 22, 2013

Training Alert: ICS / 2 Control Systems Security Sessions Coming Up

SGSB readers: first a brief housekeeping note. Due to a dose of awareness I just received yesterday, I'll no longer be including live links in posts. When I want to recommend a web page for you to visit I'll give you the full URL, which you can paste into the browser of your choice (see below).

OK moving on. SANS is developing an ICS & utility focused security practice with NIPSCO's Tim Conway assisting.  And this effort is already bearing fruit, with training classes coming up next month.  Here are the deets for you:

  • When: June 11, 2013 (Saturday)
  • Where: Westin Houston Memorial City, Houston, TX USA
  • What: two courses:

1) SCADA Security Training 
2) Pen testing ICS and Smart Grid
For more info and to register, do what you need to do with the following URL: 
http://www.sans.org/event/scada-training-houston-2013

Special SGSB Offer: use the code SmartGrid2013 when you register and you'll receive $150 off the Pentesting ICS or the Smart Grid or the SCADA Security Training course.

Friday, April 12, 2013

Webcast Alert: Establishing Security Baselines at Industrial Facilities

I love good baselines, and I'm not the only one. When famous jazz composer-arranger Gil Evans (see Sketches of Spain) heard the early Police playing Walking on the Moon, he took time to personally compliment the stunned bass player, Gordon Sumner aka Sting.

Now another baseline for you, less musical but more actionable, courtesy of the new ICS-ISAC:
  • Title: Raising All Boats: Establishing Security Baselines at Industrial Facilities
  • Date: Monday April 29th, 2013
  • Time: 1:00-2:00pm USA Eastern Time
  • Registration and more info here: http://ics-isac.org/events.html
Hope you can make it. Oh, and here's Miles for you: http://www.youtube.com/watch?v=7KDQNoqKya0

Sunday, March 31, 2013

ICS Lab for Grid Security Research, Training and Demonstrations

In case you're not already tuned into this community, but might want to be, I submit for your review the contents of an email I received yesterday.  It goes like this:
Greetings ICS-ISAC Members and partners! 
The ICS-ISAC and MS-ISAC are partnering with several key Members to create an ICS Security Lab as a shared asset for research, training and demonstrations. Physically hosted in Livermore, CA by Robot Garden the Lab is now in Phase One of procuring equipment and establishing the virtual capabilities that Members can have access to. 
If you are interested in participating in this activity or have equipment that would be of benefit to this endeavor please send a note to ICS-ISAC Chair Chris Blask at chris@ics-isac.org
There is also a LinkedIn group for collaboration at http://www.linkedin.com/groups?home=&gid=4932821&trk=anet_ug_hm&goback=%2Emyg

Acronym Legend:

ICS-ISAC = Industrial Control Systems Information Sharing and Analysis Center

MS-ISAC = Multi-State Information Sharing and Analysis Center


That's all I got.

Monday, February 4, 2013

ICS-ISAC Webinar on Municipal Utility Control Systems Security

The ICS-ISAC (that's Industrial Control Systems Information Sharing and Analysis Center if you want it spelled out for you) has a webinar coming up soon if you want a bite-sized dose of control systems security best practice knowledge. As the site says:
ICS-ISAC Member Briefing Miki Calero, Chief Security Officer for the City of Columbus Ohio, will provide a first-hand assessment of the challenges and opportunities presented to those responsible for securing municipal infrastructures.
For me, this is interesting because in addition to getting more info out on control systems security, we'll also get to hear the municipal (or "muni") point of view. Munis are everywhere and are often below the radar of the sector press, who like to focus on the large investor-owned utilities (IOUs). Yet munis, responsible for medium sized cities and above, play a critical role in keeping the lights on for millions (maybe billions) around the world, especially at the distribution level.

The webinar will also include ICS-ISAC Chair Chris Blask briefing ISAC members on new developments at the Center.

When: February 20, 1-2 pm ET

Here's a LINK to learn more and register.

Friday, February 1, 2013

Conference Alert: SANS ICS Summit coming up fast

Smart Grid Security Blog readers: heads-up. I've decided that this year the time has come to do a massive press on Operational Technology (OT) Security issues.  I think the reason for the timing is obvious, but I'll make my case in a future post when I have more time.

And this won't be just for the US and North America, and it won't be limited solely to the electric sector. We'll look at OT security challenges and efforts in other industrial equipment-oriented critical infrastructure sectors.

But for now, get ready to see some announcements for upcoming conferences and webinars on this topic by some of the best and most experienced folks in the business. Details on the first one are right here:

Name

The 8th Annual SCADA and Process Control System Security Summit

Dates

Feb 6-11: Pre-Summit Courses
Feb 12-13: Summit (click HERE for Summit agenda)
Feb 14-15: Post-Summit Courses

Venue

Walt Disney World Disney's Yacht & Beach Club
1700 Epcot Resorts Boulevard
Lake Buena Vista, FL 32830

To Register

Click HERE to register for Summit
Disney Website: Walt Disney World Disney's Yacht & Beach Club
Reservations & Discounted Park Tickets: http://www.mydisneymeetings.com/sans2013

This week and a half would enable one to really immerse themselves in the topic. And maybe enjoy a little Disney time too.

Wednesday, January 30, 2013

The Cybersecurity Crew at Distributech 2013

First off, let me say that for those travelling to San Diego from northern or northeastern USA, or northern Europe or Russia for instance, this conference is worth it simply as a respite from persistent cold temps and dreary midwinter landscapes.

Now this may sound a bit gossipy, but so far, in terms of our small community of energy sector cyber security practitioners, I've already met up with some old acquaintances and have met others face to face for the first time.

Met up with Liza, Darren, Slade, and had a great talk over dinner with Ernie. Though with Darren it was really just eye contact because by the time my IBM theater preso on security breaches with Steve Dougherty was done, Darren had, Jason Bourne-like, vanished into the crowd.

Will get to travel more widely through the exhibit hall today and will craft a more security content-laden post later today or tomorrow, I promise.  Cheers, Andy

Thursday, January 10, 2013

Security Double Dutch: Shodan Points out Critical Infrastructure Gaps in the Netherlands


Hat tip to friend and colleague Steve D for shooting this my way.
Security researcher Oscar Koeroo, working for the Dutch nuclear physics institute NIKHEF, found out that national infrastructural systems were listed on Shodan, (a database of cyber security vulnerabilities) and could be easily accessed remotely. Those systems, controlling pumping stations and sluices, are vital for the water management of a large part of the Netherlands. Because a large part of the country lies below sea-level, those systems keep the Dutch feet dry!
I've been to the Netherlands several times and saw the country in the news a lot recently when UberStorm Sandy raised concerns that New York City should perhaps get similar types of protective systems. I can assure you that this is about much more than a preference for dry feet.

Read on to find out how control system search engine Shodan once again reveals what systems are directly connected to the Internet. Warning, it paints a full picture, but it's not a pretty picture, and hopefully you won't find systems in your charge popping up in the findings window!

Here's the complete article from Tofino, replete with lurid details of password mismanagement, accusations, denials and counter-accusations, and that sort of thing. Best keep a Heineken or two handy.

Photo credit: nrc.nl

Thursday, January 3, 2013

DHS ICS-CERT reports malware on power control systems

Happy 2013!

OK, enough frivolity. Let's turn down the Nat King Cole, step out from under the mistletoe, and get down to brass tacks.

First, in case that compound acronym is new to you, it stands for: the Industrial Control System - Computer Emergency Readiness Team, and it lives in the US Department of Homeland Defense.

This organization just issued a public quarterly report that describes, at a high level, a recent incident at a power generation company you'll be interested in. I'll get out of the way and let you read the first bits for yourself:
MALWARE INFECTIONS IN THE CONTROL ENVIRONMENT
ICS-CERT recently provided onsite support at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment. The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation.

Friday, December 7, 2012

So Much New SCADA Goodness ... So Few Words on Security


Hat tip to EnergySec's Patrick Miller for finding and tweeting this article so I could find it. Please note before you read this post that it's not intended to be critical of the article it cites. I think it's great and if I didn't have to think about security it would feel like pure, unadulterated progress to me.

The article, "Web-based SCADA Gathers More Fans" which appeared recently in Automation World, describes many excellent new capabilities that are arriving in the SCADA world, many of which are related to new higher bandwidth communications between substations and other remote assets, often based on web technologies. As Honeywell engineer Gerry Browne says:
A few years ago, field equipment would have only a serial port. Today, the same equipment might have its own Web server and methods that expose all its operating parameters. Remote data is now available immediately, allowing users to make better decisions.