Oil and Natural Gas Co's became Primary Attack Targets Last Year

At least according to analysis from cyber security company Alert Logic. This detail and more is captured in a report just released by the US Council on Foreign Relations (CFR).

According to authors Blake Clayton and Adam Segal:

Cyber attacks on energy companies are increasing in both frequency and sophistication, making them more difficult to detect and defend against. Cyber espionage is being carried out by foreign intelligence and defense agencies, even organized crime or freelance hackers.

Sanity Check: Nuclear Cyber Security Should be the Best, Right?

A few recent missile launchings notwithstanding, you may recall a little over a month ago things were hot and heavy in the North vs. South Korea showdown. On April 15th Japan Times published this account: South Korea Bolsters Security of Nuclear Plant Network, which opened thusly:

SEOUL – The state-run operator of South Korea’s nuclear power plants has separated its internal computer network from the Internet in an effort to guard against possible North Korean cyber attacks, Yonhap News Agency reported Sunday.

and continued:

It said Korea Hydro & Nuclear Power Co. has also completely divided its nuclear plant control systems from its internal computer networks and restricted both systems’ access to the Internet, while USB ports of the plant control systems have also been sealed.

Energy Security Conference Alert: IAGS' Target Energy 2013

UPDATE: Conference Cancelled ... Sorry about that.

-----------------------

What is IAGS you say? I'll answer briskly: the Institute for the Analysis of of Global Security. Teaming with NATO's Energy Security Center of Excellence, IAGS is hosting a conference called Target Energy that includes but goes well beyond cybersecurity and the grid.

For those SGSB readers whose professional lives are circumscribed by electric sector security, this is a chance to stretch a bit. Here's how the organizers describe the focus:

The cost of securing energy supplies is increasing due to threats from terrorists, hackers, activists and hostile nations. What is the impact of attacks against energy, and how can companies, organizations, and governments work with NATO to increase security?

Smart Grid Security 2012 Highlights and 2013 Look Forward

As a chronic complainer re: the lack of grid security metrics (see post from nearly 2 years ago: "Smart Grid Security Truth: You Can't Do What You Don't Measure"), this has been the most amazing and surprising year for me.

By far the most important development this year was that it began with only a few specific guidance documents from NIST and NRECA) and is now ending with a comparative landslide of guidance, including some directly aimed at helping utilities assess their current security posture and plot future courses for improvement.

I documented most of these in an October post but for those who missed, forgot or avoided it, here are the new ones for North America published in 2012:

• DOE's Electricity Subsector Cybersecurity Maturity Model (Jun 2012)
• DOE’s Electricity Subsector Risk Management Process (May 2012)
• NARUC's Cybersecurity for State Regulators (Jun 2012)
• NIST’s NISTIR 7628 Assessment Guide (Aug 2012)
• California's Cybersecurity and the Evolving Role of State Regulation (Sep 2012)

China's (Apparently) Looming Grid Security Spending Spree

China Electric Power Research Institute (CEPRI) test center 

There are a few lines in the press release to which Jesse Berst links that give me agita (about the quality of the report he references), but it is worth pondering how much money China is spending to protect government orgs, businesses and citizens from cyber threats to its mostly brand new grid architecture.

$50 billion vs. $16 billion for North America and Europe combined, says research firm GlobalData.

Jesse calls China "nervous," but depending on where you stand, others might call them prudent. Of course we at the SGSB see things a little differently. I'm more interested in what people (in China and elsewhere) think are the most effective things to spend cybersecurity money on vs. just looking at the total amounts budgeted or spent.

Wonder if the Chinese will have better luck with cybersecurity metrics, measurement and information sharing than their North American and European counterparts have so far?

Here's the LINK to SmartGridNews.com.

Photo credit: Perspektive Mittelstand

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the fiest one in San Jose in 2010. Will shoot to summarize key messages in a post when it's over, but also will blurt out the occasional tweet on the fly using the #GridSec hash tag on Twitter.

Takes Two (or more) to Tango: Building a Foundation for Smart Grid Security with International Allies

Anyone who's pondered the enoromous challenges ahead of us immediately recognizes that Smart Grid security is a team sport. We struggle to get the US's smart grid standards house in order, with a mix of Federal leadership and hopeful cooperation among the 50 state utility commissions and across our dozen or so regions. It remains to be seen how much team spirit emerges from this effort. Yet even if we make good progress, electrical infrastructure security at home is no guarantee of national energy security.

Fossil fuel sourcing and climate change issues aside, US economic (and to a lesser extent, military) well being would be significantly impaired if our key allies and trading partners had their grids knocked out by successful and sustained cyber attacks.

While many may grumble that the NERC CIPS are not nearly robust enough, a scouring of available online documents reveals much less attention is paid to cyber security requirements in E&U project planning. I will be travelling to Europe this week to deliver some training so will attempt to get my own first hand findings from the field, and will report accordingly.

But a look at some of our closest international buddies: Australia, Canada, New Zealand, and the United Kingdom reveals a desire to leverage US resources and lessons learned to the benefit of all. The International Electricity Infrastructure Association (IEIA) recently met in Washington, DC, and from what I heard through the grapevine, these folks are all interested in knowing more about what we're doing, and in some cases, will base their moves on what they see us doing.

Here's what the IEIA lists as its objectives:

• Founding participants defined the following objectives for the IEIA Forum, as directed by an international Steering Committee representative of participants:
• Enhance protection of the electric infrastructure of Australia, Canada, New Zealand, the United Kingdom and the United States.
• Stimulate active involvement of electric sector and government stakeholders and participants
• Provide a framework for collaboration among represented countries on a government-to-government, industry-to-industry and government-to-industry basis
• Identify and address infrastructure assurance priorities
• Align government and industry participant efforts to identify common initiatives and deliverables
• Share experience, information, solutions and other mutually identified resources

What's not to like on this list? I'd like to see something comparable covering Europe via the EU, and for our friends and allies in East Asia, something similar. Sorry if this is a little too kumbaya for some of you, but that way it goes sometimes. Will get some extra rugged individualism into the blog soon.

Photo credit: http://www.flickr.com/photos/zabara_tango/

Is International Collaboration in the Cards for the Smart Grid?

There are currently Smart Grid conferences, planning committees and pilot deployments happening on every continent except maybe Antarctica. Yet most everything I've read to date concerns work being done in the US. I can tell you, however, that many of the readers of the Smart Grid Security Blog are from Europe and Asia. I can also relate that after moderating a Smart Grid panel at a recent clean tech conference in Boston, I was approached by a gentleman who wanted to ensure I knew about a big RFP coming out soon to build a Smart Grid for the city-state of Singapore. (Here's a link to a conference that just took place there.)

So, with that said, here's a short post on the international angle: le Smart Grid. Warning: if you favor answers, this post is light on them and chock-a-block full of questions. Here's a few starters to get us started:

• Will the fully deployed Smart Grid have borders?
• In North America, will the Smart Grid eventually transcend the current regional topology of Regional Transmission Operators (RTO's) and Independent Systems Operators (ISO's)?
• While the electrons that constitute my emails transit the continent (heck, most of the globe) with ease, the same cannot be said for the electrons currently bringing my monitor to life. Will the Smart Grid change this?
• Is there anything the US can learn from early international efforts in Europe, where Germany was a first mover?

According to this recent article from Smart Grid News, seems like current thinking, in the US anyway, may not be very collaborative ... at least not as far as security is concerned. Here's a recent statement from a Canadian Electricity Association (CEA) VP on how current Smart Grid security legislation and standards make no mention of working as a team with our partners in the Great White North:

[The US has] got to realize that the North American grid is international, it's interconnected, it's integrated. Consultations, cooperation between governmental authorities on both sides of the border is going to be imperative, otherwise you won't be able to ensure system reliability and you'll probably undermine system reliability.

I realize my understanding of these issues is likely simplistic. Yet the ability to quickly "island off" healthy portions of the grid from unhealthy ones is key functionality every region and every nation is shooting for. But islanding should be an emergency response, not the square one status quo inside the US or among close allies.

Danahy: Not So Shocking News on the Grid

JD: Last Wednesday, the Wall Street Journal announced "US Electricity Grid in US Penetrated by Spies." While this is not good news by any stretch of the imagination, it may be a stretch to consider it new. 

Read full post here.