Showing posts with label legislation. Show all posts

Wednesday, June 26, 2013

Oil and Natural Gas Co's became Primary Attack Targets Last Year


At least according to analysis from cyber security company Alert Logic. This detail and more is captured in a report just released by the US Council on Foreign Relations (CFR).

According to authors Blake Clayton and Adam Segal:
Cyber attacks on energy companies are increasing in both frequency and sophistication, making them more difficult to detect and defend against. Cyber espionage is being carried out by foreign intelligence and defense agencies, even organized crime or freelance hackers.

Tuesday, May 28, 2013

Grid Security Keynote of Note at May 2013 ISO Conference

Since you can't be everywhere, there's the SGSB (which can).  Former Seattle City Light CISO and current Verizon control systems security ace Ernie Hayden gave a keynote presentation at the recent ISO New England and New York ISO Energy Conference held in Boston, and we've got it for you.

If you don't know ISO, it stands for Independent System Operator, a term which is often used interchangeably with another acronym: RTO, or Regional Transmission Organization. In North America, these organizations are like referees and traffic cops, trying to keep the peace among utilities and ensure the smooth and reliable flow of appropriately priced electricity across multi-state regions.

It's good to see Security get such a prominent platform at a high profile industry event like this. Certainly a sign of the times.  Ernie's slides will take you through the past, 2013/present and future of grid security, and though some of the info would clearly benefit from his accompanying narration, a lot of this works quite well as is. And if you really want the audio, then I'm sure Ernie will agree to come to you and do it again, as long as you treat him right.  URLs below.

-----------

Ernie Hayden deck

http://www.isoenergyconference.com/pdf/Ernie-Hayden-Keynote.pdf

Conference home page

http://www.isoenergyconference.com

Friday, May 24, 2013

Looking Again at the Markey-Waxman Grid Vulnerability Publication

Where would I be without feedback? Many thanks to SGSB readers who chimed in on this.

I recently published a post titled "House of Reps Report Reams Utilities on Cybersecurity." Not accurate and all you have to do is read the cover page which, just below the House seal, says "A Report written by the staff of congressmen Edward J. Markey (D-MA) and Henry A. Waxman (D-CA)". Mea Gulpa.

So on second look I looked a little closer and found some things to like and some things I had to wonder about. For example, I'm happy to see congressmen seeking more information about the current state of security in our sector. Who could argue with that?

But their methods are not fully sound.

Thursday, May 23, 2013

House of Reps Report Reams Utilities on Cybersecurity

Was trying to capture spirit of Jesse Berst's headline on the same subject:
Utilities to FERC: Take your security measures and shove it
That's not very nice, is it?  I think they toned it down with a later change, but this headline was what was in my inbox in this morning's SmartGridNews.com newsletter. The subject is a recent report published by the House of Representatives that's highly critical of electric utilities' behavior to date re: grid cybersecurity.

Moving on! The Wall Street Journal's Rachel King did a fine write-up of recent testimony from the CEO of the American Gas Association (AGA), Dave McCurdy. King began by noting that:
The oil and gas sector faces many of the same cyber security challenges as the electric industry. Yet, there’s one major difference between the industries, both of which need to secure software-based industrial control systems from intruders. There are no regulations governing cyber security among the oil and gas companies.

Thursday, February 14, 2013

CNAS Provides a Good Way to Grok the Executive Order

First of all, Happy Valentine's Day, SGSB readers.  Hope you are finding as much success in your love lives as you are in your careers securing (or caring about securing) the most critical of critical infrastructures.

Yesterday found me walking down the street in Washington DC a little before noon, when suddenly I ran into some friends, old and new, who had just popped out of the US Department of Commerce. They witnessed directly, and gave me a  first-hand account, of the birth of the administration's Executive Order (EO) on better securing the nation's critical infrastructures.

Friday, October 19, 2012

Supply Chain Security Awareness on Upswing for Energy and Comm Sectors

10/25/12 Update: Huawei just said it is ready to have all its source code tested for security. Would other vendors be so bold?

------------------

If you don't subscribe to the online version of the Wall Street Journal, you probably don't get its daily CIO feed, which provides a nice topical tapas-sized taste of what's on folks' minds every morning.

One of those folks is me, and I've been stirred up lately by all the press (The Economist, 60 Minutes, etc.) and Capitol Hill attention Chinese communications equipment maker Huawei has been getting. Personally, I haven't had any direct contact with Huawei or its products, but I have a gut-level response when a company gets pilloried solely on where it's headquartered or the nationality of the owner(s).

Monday, October 1, 2012

Utilities to Commerce Chairman Rockefeller: Let's Talk and Team on Cybersecurity

We've been watching the back and forth for several years now.  2010's GRID Act didn't make it across the legislative finish line, and a similar fate just befell the Cybersecurity Act of 2012.

In response to a recent letter (read THIS first if you can) from Senate Commerce Committee Chair Jay Rockefeller, the four most significant electric utility groups banded together to craft a response.  And what a great response it is!

Wednesday, March 28, 2012

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the first one in San Jose in 2010. Will shoot to summarize key messages in a post when it's over, but also will blurt out the occasional tweet on the fly using the #GridSec hash tag on Twitter.

Monday, March 12, 2012

Wishful CERAWeek 2012 Energy Sector Security Thoughts


Had the great pleasure of participating in CERA's 31st annual energy conference last week in Houston. I was only there for one day, Wednesday, as I participated in a security panel that evening.

Earlier, the lunch keynote presentation was delivered by Royal Dutch Shell CEO Peter Voser, who addressed environmental and community concerns about the new natural gas recovery technique called fracking.

He suggested that the best approach was for the industry to be as up-front and transparent as possible, and cited his own company's self-policing policy called the "Tight sands/shale oil & gas operating principles", posted on Shell's website for all to see.

Essentially, Voser asserted that Shell's safety, environmental protection, and community partnering policies around fracking were not just a sound strategy for getting "out in front" of a potential PR problem, they were simply good business.

It struck me that perhaps here was a model for electric utility self policing re: cybersecurity and privacy. Maybe if more companies in our sector would get out in front of cybersecurity fears and concerns with clearly broadcast policy and messaging, Congress and other oversight orgs (NERC, for example) would feel less compulsion to legislate additional layers of compliance requirements.

As my colleague Matt F pointed out, it may be too late to stop the 2012 Cybersecurity Act from becoming law. Utilities would have had to start their self-policing campaigns much earlier to stay Congress' hand. And with the recent mock attack on NYC, demonstrating, among other things, that current regulations like NERC CIP version 3 don't cover distribution networks, it looks like a fait accompli.

All full of speculation and wishful thinking here, but I definitely have a sense that this could have played out differently. And who knows, maybe the utility security self-policing idea, if it caught on and went wide, could begin to obviate and undo the need for the legislation, and lead to its eventual repeal.

Thursday, March 1, 2012

High Impact Cyber Security Legislation Looming for Utilities

My previous post referenced a recent preliminary report documenting how companies from all sectors are moving slowly to elevate security matters to the CEO and Board of Directors level. And hardly a day goes by where I don't suggest having more than a few empowered CSOs in our industry might start to turn the actual cyber security strategy tide as well as signal a culture change to all the grid's many stakeholders.

Like Congress for example.

Congress in 2011 seemed pretty sure that utilities and their regulators needed a few additional sticks to goad them into tightening up the overall security posture of the grid. That was the GRID Act, and when it passed the House but didn't get a Senate vote, the stage was set for a sequel.

And so here it is: the cross-sector Cybersecurity Act of 2012.

If you're a utility with too much on your plate today what with modernization initiatives, aging workforce and aging equipment issues, PUCs starting to impose new rules on how you handle and protect customer data, NERC CIP version 3 looking like it's going to morph into a much more burdensome version 4 or 5 soon, the last thing you need is another oversight agency asking you to demonstrate compliance with new regulations.

Well, that's exactly what the DHS-centered new act is. And if it passes in anything like its current form, utilities are likely to like it about as much as you'd think they would. According to Jody Westby writing in Forbes ... not much. For example:
With overtones of Sarbanes-Oxley, the bill also requires the owners of these systems to either certify annually to DHS and their sector agency whether they have implemented security measures to satisfy the performance requirements or submit a third-party assessment. Even if a company subject to the provisions of the bill can obtain an exemption by demonstrating that it is sufficiently secured or in compliance with the risk-based performance requirements, it must undergo this process every three years.
I recommend you read her whole Forbes article, take 4 Advil, and call me in the morning. Or better yet, email, if you think Westby is making a mountain out of a legislative molehill. Or vice versa.

Monday, February 20, 2012

A Grid Guy's Perspective on James Lewis' Testimony re: the Cybersecurity Act of 2012


James Lewis is Mr. Cybersecurity these days. A colleague (hat tip: Steve O) just sent a note out pointing to a new article appearing front and center on WSJ.com tonight, featuring prominent statements by Dr. Lewis, the Tech Policy Director of K-Street think tank CSIS.

Two weeks ago I wrote a post that ridiculed as alarmist a few quotes, including one ostensibly made by  Lewis, that appeared on another well known financial media site.

And just last week he testified before a Senate subcommittee about what he likes, and what he finds wanting, in the draft bill that's looking increasingly likely to make it through Congress sometime soon.

You should note that unlike last year's Grid Act which passed the House (HR 5026 Grid Reliability and Infrastructure Defense Act), the focus of the current bill, and therefore of Lewis' testimony, is not energy sector specific. Here's one of his opening sections in which I find nothing not to like:
Reducing risk and vulnerability in cyberspace is a fundamental challenge. In considering this  problem, we have learned through painful experience that market forces will not secure cyberspace and that existing authorities are inadequate for national security and public safety. The list of private sector companies, including technology leaders, whose defense have failed is long and would be longer if all breaches were disclosed. Continuing to use voluntary, market driven approach to this new national security concern is irresponsible and guarantees a successful attack against our nation.
Our sector, of course, has the NERC CIPs. Much derided in some circles, though in my mind a huge improvement over the kind of security we'd likely see from pure "market forces," the NERC CIPS are anything but voluntary. And when versions 4 and/or 5 go into effect, they'll cover many more systems and require more security controls for most.

The 2012 Cybersecurity Act aims to give DHS the lead in securing critical infrastructure and it's unclear to me how it might supplement or complement the current NERC CIPs. More on that later.

Meanwhile, towards the end of his testimony, Lewis sounds a positive note that quickly turns ominous:
Anyone who tells you that we do not know how to do cybersecurity is sadly out of date. The National Security Agency, the National Institutes of Standards and Technology, and other Federal agencies are pioneering techniques that can strengthen America’s defenses. But while we can require implementation and measure the rate of implementation in the Federal government, there is no comparable ability to measure and secure commercial critical infrastructure. This remains the single largest vulnerability for America in cyberspace. 
So while we have the NERC CIPs, you can take his point about "no comparable ability to measure" critical infrastructure to mean that while audits occur and fines are sometimes levied, neither DOE, nor FERC, nor NERC keep track of how the utilities are doing. There's no standard framework that tells us which utilities are doing a great job and which ones are lagging. IMHO that is a problem.

You can read Lewis' full testimony HERE.

And one more thing: on Lewis' CSIS page he also includes a link called Serious Cyber Events. It's a comprehensive list of the most noteworthy known attacks and breaches since 2006 till present. Out of a total of 87 events cited, only 2 involved power systems:
  • January 2008. A CIA official said the agency knew of four incidents overseas where hackers were able to disrupt, or threaten to disrupt, the power supply for four foreign cities
  • April 2009. Wall Street Journal articles laid out the increasing vulnerability of the U.S. power grid to cyber attack also highlighted was the intrusions into F-35 databases by unknown foreign intruders
2 out of 87 would be a horrible batting average (.023 - yikes!) on any baseball team. But in this game, which really is no game, it's an average I'd like the sector to maintain. So keep one eye on the NERC CIPs and beyond, and keep the other eye on what James Lewis and Congress have in store for us.

Thursday, February 9, 2012

Webcast Alert: Discussing 2012 Smart Grid Security this Morning on Virtual Energy Forum

I'm the warm up act this morning (2/9/12) for the main show, Dr. Peter Fuhr of DOE, who'll be doing a talk on "The Implications Of Cyber Security For Smart Grid Tech Development".

Show starts at 11 am ET (USA). You can get the details, as well as register to attend, right HERE.

This will be recorded too, so if you come to this post after the fact, it'll be available on demand.

Wednesday, August 17, 2011

California Shows the Way with Customer Electricity Usage Data Security & Privacy Ruling

Show me another state (or country for that matter) that's doing this much. The California Public Utilities Commission (CPUC)'s proposed decision became a decided decision while I was away, so if you haven't had time to check it out yet, here's a good short summary from IDC's Usman Sindhu.

In play are:
  • HAN networks (for real)
  • Real-time pricing signals for consumers
  • 3rd party access to usage data with customer consent
  • New security and privacy rules for the big 3 CA IOU utilities with CPUC oversight
But if you insist on reading the entire ruling, then by all means, click HERE for it. I won't try to stop you.


Tuesday, May 17, 2011

FERC's Director of Reliability Speaks Out on Grid Gaps


While you were relaxing and celebrating Cinco de Mayo with cervezas y margaritas and such, FERC's Joe McClelland was on the job (as always), testifying before a Senate committee on what he sees as the current gaps in coverage in grid protections and what should be done about them.

For starters, he laid it out quite simply:
The Commission (FERC) currently does not have sufficient authority to require effective protection of the grid against cyber or physical attacks. If adequate protection is to be provided, legislation is needed and my testimony discusses the key elements that should be included in legislation in this area.
Then proceeded with something you should know about if you didn't know it already ... about US cities and 2 entire states:
Currently, the Commission’s jurisdiction and reliability authority is limited to the “bulk power system,” as defined in the Federal Power Act (FPA), and therefore excludes Alaska and Hawaii, including any federal installations located therein.  The current interpretation of “bulk power system” also excludes some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber or other national security threats to reliability that involve such facilities and major population areas.
And beyond the geographic dead-zones he called out above, and the fact that the CIPs miss the majority of the grid by entirely missing the distribution network, there's also the temporal issue ... the current process is slow ... way too slow depending on the nature of the threats to be countered:
The procedures used by NERC ... can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information. The current procedures ... do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action, while the reliability standard procedures take too long to implement efficient and timely corrective steps.
I could go on citing McClelland's sharp observations and recommendations, but maybe it's better for you to get the rest in the complete context. There's a lot more to take in so click HERE for the full transcript. If you're like me, you've got to be glad Joe is on the job.

Photo credit: yngrich on Flickr.com

Monday, February 7, 2011

Grid Cyber Security and the Kill Switch Concept

Egypt's recent Internet "full stop" got us started, and now it seems like esoteric electrical grid security concepts are slowly transitioning from obscurity to mainstream, via a bunch of new bills on Capitol Hill and a provocative Scientific American article. 

In a recent SciAm piece titled "What Is the Best Way to Protect U.S. Critical Infrastructure from a Cyber Attack?", we learn that Senator Lieberman's "Protecting Cyberspace as a National Asset Act" is vying with last year's Grid Act, and as interpreted by James Lewis, senior fellow at CSIS, is going several steps further:
The central part is that voluntary action is no longer sufficient for national security and that the private sector cannot secure their networks against advanced opponents.
OK, I've got to throw the first flag here. Show me evidence that the public sector is better at cyber security than the private sector. Good luck with that. In my opinion while there's some value in discussing the merits of voluntary vs. enforced cyber security, we're not going to sleep better by having private sector security leadership emulate their government counterparts.

And then there's this, again from Mr. Lewis:
We're in a transitional moment, and this debate over an Internet kill switch is part of that. You have the old-school Internet thinkers who are wedded to this pioneering vision that we have to keep the Internet open and unstructured because that will empower innovation. People really believe that. People also believe in flying saucers, and these ideas are about equal.
Wow. No offense is intended, but unless he was seriously misquoted, Mr. Lewis is equating one of the key engines of our economy, innovation, with the amusing yet unhinged true believers in Close Encounters of the Third Kind, and that makes him seem, to me at least, a somewhat less-than-serious scholar. My second flag is thrown. 

Once again, mainstream media is aiding and abetting alarmists who want the US rank and file to believe that we're just moments away from a complete cyber meltdown. In this case, it's more than a little disturbing as I've always viewed SciAm as the sober middle ground between heavy duty, peer-reviewed science journals and more overtly entertaining, though also more sensationalist publications like Popular Science and Popular Mechanics. 

For the record let me repeat: in the electric sector we have a lot of work to do re: shoring up cyber security, and (mainly) we're doing it. We're far from bullet proof, yet the work proceeds, and every day we learn a little more and make our systems a little better at weathering cyber storms. Sometimes I wish that story would command half as much attention as ones like these.

Hat tip to cyber security colleague Dave Hemsath (linchpin of the Boston-Austin connection) for this.

Tuesday, December 7, 2010

FERC and NERC Down the 2010 Cyber Security Standards Home Stretch


Been saying it all year: tension is building between those who want to tighten up security standards faster and those who want to take a gentler, but more predictable path. FERC and NERC have been the primary protagonists in this struggle, as described a few months ago HERE.

For those who are paying attention, a few items have surfaced as the year winds down, and here's a short summary for you:

First we have the so-called "bright line" ruling in which FERC says we (especially NERC) need a new and crisper definition of the bulk electric system (BES). Here's an excerpt in their own words:
Today's final rule directs NERC to revise its definition of the term “bulk electric system” to ensure that the definition encompasses all facilities necessary for operating an interconnected electric transmission network .... FERC said the ultimate goal ... is to eliminate inconsistencies across regions, eliminate the ambiguity created by the current characterization of the 100 kilovolt (kV) threshold as a general guideline, provide a backstop review to ensure that any variations do not compromise reliability, and ensure that facilities that could significantly affect reliability are subject to mandatory rules. 
So the ball's in NERC's court on that one. A few days after that press was released, FERC Commissioner Jon Wellinghoff spoke out on security and the Smart Grid for Forbes.com. Seems like he really wishes things could go a lot further and a lot faster than they have so far, and that Congress hasn't come through yet:
... there have been a number of legislative proposals put forward, none of which have been passed….
Without mentioning it by name, he also plugs the GRID Act which is still stuck half-way through Congress:
We do believe that there’s some additional authority necessary with respect to cyber-security, especially with respect to an imminent threat or vulnerability. We think FERC needs the authority to issue an order to the utilities to take a specific action. Right now we don’t have that authority. It all has to go through the National Electric Reliability Corporation…. It’s kind of a cumbersome process now, that takes a lot longer than you would want if you knew of some immediate threat or vulnerability….
Which brings us to some analysis of what's on deck for 2011 in the NERC CIP world. From NERC CIP compliance experts Abidance Consulting, here's their well informed take on which way this will likely play out in version 4 of the CIPs:
The NERC CIP Standards are being reviewed and updated by various NERC committees to include the Standards & Development Team .... The new version(s) will categorize Critical Assets and Critical Cyber Assets based on impact assessment as “High”, "Medium" and "Low". The new methodology will not use the current Critical Assets and Critical Cyber Assets. [Rather], CIP standards will be customized to each category based on their impact on the BES ....
That's a heck of a lot of change. Too much for some, though others would call it long overdue. And here's a big (and good) one:
The new version of CIP will expose several assets to CIP compliance requirements unlike today as the serial connection will no longer be able to provide immunity from compliance.
This change, if and when it takes effect, will reverse a trend that some analysts have used to argue that the CIPs actually weaken grid security.

We could go on, but this is a blog and our job is to keep these posts short and tasty. Kind of like tapas. Speaking of which, there's plenty of action on the menu for 2011 for utility security pros and everyone in the community who wants to see them succeed. Looking forward to it!

Photo credit: Erik Fitzpatrick on Flickr.com

Sunday, December 13, 2009

Who Is and Is Not Making Smart Grid Standards



One organization at the center of Smart Grid standards formulation wants to be clear about one thing you may find less than intuitive. You should be aware that the National Institute of Standards and Technology, better known as NIST, is not making the standards for the Smart Grid.

That NIST is involved there is no doubt. See this from the Energy Independence and Security Act of 2007: NIST has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems…". In point of fact, NIST's role in the process is to be the honest broker between warring tribes of standards bodies, lobbyists and advocates of all stripes. As the above slide makes plain, each home is a bloody standards battleground. This is not easy work for NIST, or any of the innumerable stakeholders.

But to repeat: NIST is not making the standards. It's an open process and that's a job for all of us. Just so you know.

Slide Credit: "Repowering the Nation: Setting Standards for the Smart Grid" presented at MIT on Nov 21, 2009 by George Arnold, NIST National Coordinator for Smart Grid Interoperability Standards. Full presentation is here.

Sunday, November 1, 2009

Notes from 2009 Control Systems Cyber Security Conference

We first posted on Joe Weiss's work back in July following a presentation he gave to the Air Force. Now here's a great review of a significant annual conference, one that focuses not on IT or internet security in a Smart Grid context, but rather on the security issues related to the millions of control systems that automate the Grid. This is Joe's summary:
The Ninth Control Systems Cyber Security Conference was hosted by Applied Control Solutions (ACS) the week of October 19 in Bethesda, MD. The festivities started Monday morning with parallel activities. A tour was arranged of Washington Suburban Sanitary Commission’s Rock Creek water treatment facility. In parallel, the initial meeting of the ISA Nuclear Plant Cyber Security Joint Working Group was held.
The ACS Conference started Monday afternoon with two introductory sessions: Control Systems for the non-Control System Engineer and IT for the Control Systems Engineer. The Conference began in earnest Tuesday with approximately 110 attendees from US and international electric and water utilities, chemical and oil/gas companies, IT and control system suppliers and consultants, universities, and US and international government agencies. The Conference is called Control Systems Cyber Security is that industrial control systems are common across multiple industries. The agenda can be found at www.realtimeacs.com.
There were two hacking demonstrations of control systems and several discussions on control system cyber vulnerabilities. There was also a discussion on the need for technical control system cyber security curriculum (policy programs exist). There were two keynotes: the Honorable Yvette Clarke (D-NY), Chairwoman of the Subcommittee on Emerging Threats, Cybersecurity, Science and Technology and member of the Intelligence, Information Sharing and Terrorism Risk Assessment Subcommittee provided the lunch keynote. Whitfield Diffie gave the evening keynote and discussed control system cyber security issues from the Tuesday’s session.
There were four different sessions on actual control system cyber incidents – none of which was public! In one session, two control system engineers from two different utilities that have control systems from every major supplier discussed their recent control system cyber incidents – one had his plant shutdown. A couple interesting side notes were that existing control system logging are adequate to identify control system incidents and their control system suppliers weren’t of much help when it came to providing control system cyber security support. Both engineers felt it was so important to share information they attended the Conference on their own nickel. This is in marked contrast to the utility and industry leadership who didn’t think this conference was important enough to attend even though many were based in Washington. Wednesday evening, the Honorable James Langevin gave the evening keynote. Congressman Langevin felt this was so important he spent 30-45 minutes after his presentation answering questions and talking to the attendees.
We received a summary of government activities including legislative efforts on cyber security, cyber security activities by the Nuclear Regulatory Commission, efforts on-going at the Bonneville Power Administration using the NIST Framework, and non-governmental activities in certification and cyber incident collection. Also got a very interesting presentation on cyber security legal issues and a discussion of the Russian cyber attack on Estonia.
On the last day, NIST held training sessions on two very relevant NIST standards:
-- SP 800-53 - Recommended Security Controls for Federal Information Systems - including those for the Bulk Power System
-- SP 800-82 - Guide to Industrial Control Systems (ICS) Security provides guidance on securing Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations

Friday, August 7, 2009

Security and the Smart Grid Investment Act

From South Jersey to You: The Courier Post Online reports that PSE&G is applying for federal stimulus dollars as a source of funding for their grid upgrade to make it Smart Grid capable. As they look for approximately $76M (50% of the expected costs of the improvements) in tax dollars, the utility is highlighting the project's effects on job creation and advancement of Smart Grid goals. They are applying for a grant through the Smart Grid Investment Grant Program, which has made $3.9B available for Smart Grid Technologies and Grid Infrastructure.

One interesting note within the Grant program (which you can look for at FedConnect) is located in Part IV, Section B.3.b. It is a requirement for a project plan within the application for grant to contain a:

  • technical approach that describes how the project will address interoperability and cyber-security;

On request of the SGSBlog, PSE&G Investor Relations is going to see if they can produce a public copy of that section of the application. More data as it becomes available.

Sunday, June 28, 2009

Senate Energy Bill Love or Hate

The National Journal recently put out a question asking how folks liked the recently approved Senate Energy bill (details here). Good responses from energy company execs and other senior leaders came back, but I particularly liked the balance and focus on realism in the one submitted by Econ professor Paul Sullivan of NDU:
In many ways the bill is a set of first steps toward something much better, or at least one would hope. It does read like it was written by powerful people who see the problems of climate change and energy security not as nearer term crises, but as slow roll issues that are looming somewhere in a future horizon. It also shows some of the difficult tradeoffs between energy security and environmental security being handled in tough-minded political ways.