Showing posts with label measurement. Show all posts

Wednesday, November 27, 2013

A Means to a Measured Approach to Cybersecurity

Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.

Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.

A few of the principles we seem to share include:

Tuesday, November 5, 2013

Webinar Alert: UTC Cybersecurity Metrics Training


Never thought I'd see training on one of my favorite topics, but somehow the Utilities Telecom Council (UTC) is going to do it a week from now. To some readers' pleasure and others' chagrin, I've done a million posts on metrics, some absurdly long (see: HERE), and I, for one, will be paying very close attention.

When: 12 November 2013, 2 - 3:30 pm ET

What: "This webinar provides an overview of metrics development and implementation approaches based on national and international standards and best practices. It describes how to develop and use metrics to gauge performance and facilitate improvement and gives examples from the utilities space."

How: Click HERE for more info and to register

Thanks again to tmorkemo on Flickr.com for this image ... my 2nd time using it

Thursday, February 7, 2013

One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0

My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:
I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.
Well guess what readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note sublime, almost hypnotic snowflake animation on landing page).

Thursday, December 13, 2012

Smart Grid Security 2012 Highlights and 2013 Look Forward


As a chronic complainer re: the lack of grid security metrics (see post from nearly 2 years ago: "Smart Grid Security Truth: You Can't Do What You Don't Measure"), this has been the most amazing and surprising year for me.

By far the most important development this year was that it began with only a few specific guidance documents (from NIST and NRECA) and is now ending with a comparative landslide of guidance, including some directly aimed at helping utilities assess their current security posture and plot future courses for improvement.

I documented most of these in an October post but for those who missed, forgot or avoided it, here are the new ones for North America published in 2012:

Wednesday, August 15, 2012

Mid 2012 GAO Update on Grid Security ... and a Mea Culpa

Before teeing up the most recent GAO report on electric sector cybersecurity, I'd like to use this pixelated platform to speak back to a quote attributed to me last week that raised the hackles of some utility professionals (and it should have).

First, I'm neither a security-focused PR flack for the electricity industry, nor a gotcha journalist trying to capture eyeballs by vilifying utilities and scaring readers. Rather, I'm a member, supporter, advocate, and hopefully, sometimes, a constructive critic of the enterprise of keeping the grid safe and secure while updating it for the 21st century.

So here's the thing: a recent interviewer quoted me as saying senior management doesn't have a very good understanding of their security posture. While I'm sure I've said something like this a hundred different ways on the blog, it's never been intended as an insult or attack, but rather as an observation of the current state of affairs at many but not all utilities. The way this was captured and framed in the article, however, losing nuance and a few other qualifying words along the way, it definitely came off as a blunt attack ... and I'm not the only one who noticed. Sorry about that ... wasn't my intent.

However, support for this type of generic observation comes from things everyone in the industry already knows, and that the GAO lists on the highlights page of its July 2012 report. Here are the last 4 challenges, partially addressing utilities, partially the larger industry ecosystem:
  • A focus by utilities on regulatory compliance instead of comprehensive security
  • A lack of security features consistently built into smart grid systems
  • The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues
  • The electricity industry did not have metrics for evaluating cybersecurity (AB: of course I'll come back to this one before the post is over!)
All of these things make sense to folks who've either been in a utility or have worked with utilities and/or regulators for some time. There's a logical history to each of them that explains where they came from and why they remain challenges to be solved. 

And you'll note (and it angers some of the more concerned security pundits when I say this) that whatever US utilities have done so far has apparently been enough to keep cyber attackers from having major successes to date.

As this post is now getting too long and trying to do too many things, let's end with another invocation on the benefits of business-oriented metrics, this time courtesy of the GAO itself:
... Having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
The GAO, I think, comes from a similar position, in some ways anyway, as this blog. The cited report mentions not just shortcomings but positive actions taken so far. The GAO, the SGSB (this blog) and plenty of other groups and individuals simply want to see utilities and the industry be safe and successful while they modernize to meet the demands of our times. Neither are interested in criticism for criticism's sake, but only to suggest better possible methods. I'll leave it at that for now.

Monday, July 23, 2012

New IDC Report Takes Measure of Energy Security Metrics


They had me with the title: "Methods and Practices: Creating a Metrics-Based Security Culture".  It seems IDC must have used a key word optimizer app designed to discover the best title based on the complete works at the Smart Grid Security Blog.

I can't vouch for the utility of this report because I haven't read it.  But I do know lead IDC energy and security analyst Usman Sindhu because we've been discussing grid security topics since we met back when he was still at Forrester Research.

Jesse Berst and the SmartGridNewsers did a nice little intro to it HERE.

The price may not be right for you, though maybe your company already has a subscription with IDC that will let you see it for free. Or maybe you can negotiate a "friends price" with Usman, the economy being somewhat iffy at the moment.

Photo credit: Steven Harris on Flickr.com


Thursday, June 28, 2012

DOE's Prescription for Electric Sector Cybersecurity Uncertainties


I've had a link to this document in the blog's "Relevant Docs" section since it appeared, but with today's press release, I think it's time to shine a spotlight on DOE's latest and greatest electric sector cybersecurity resource.

The campaign for measurement has just been given a big shot in the arm. By definition, in a weird permutation of Newton's Third Law, the minute a metric or measurement is proposed it creates its own opposition. Often vocal opposition, I might add.

Nevertheless, neither Newton nor opposition should cause us to accept stasis and the uncertainties that attend the status quo. "What uncertainties?" you might well ask.

And my answer is that the majority of C-Suiters and BoDs at medium-to-large electric utilities likely do not have a decent understanding of the cyber-related reliability and safety risks confronting their IT and OT operations. Nor do they understand well how sound (or unsound) are the defensive measures (people, policy, processes) their cybersecurity folks have deployed.

If I were to now transition to a tirade about the crying need for business-oriented security metrics and measurement, while linking to previous tirades, few would be surprised. But in a moment of uncommon self-restraint, I won't do that.

Instead, I invite you to consume a few tapas-sized sound bites from DOE's press release earlier today announcing its new, unpronounceable acronymed tool, the ES-C2M2.

Dig in:
  • Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
  • New Tool Available to Enable Electric Utilities to Better Assess their Cybersecurity Needs and Assets 
  • Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality. 
  • More than a dozen utilities nationwide participated in pilot evaluations to help refine the model
  • The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management
  • Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.
Here's a LINK to the model. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.gov

Note: The Energy Department is also offering facilitated self-evaluations on request.

Please keep in mind that this is a 1.0 version developed at break-neck speed. The more feedback DOE gets from its earliest users, the more we can expect from future versions. And they do seek your feedback.

I think what's been started here is good, very good in fact. Now let's seek to use it, make it great, and substantially improve the industry's understanding of itself along the way.

Image credit: DiaVoLo Group on Flickr.com

Monday, May 21, 2012

Measuring Security? In the Electric Sector? Are you Serious? Someone Is.


Tried making the case most recently with Time for Electric Sector to Measure Up on Security and Smart Grid Security Truth: You Can't Do What You Don't Measure but couldn't detect a measurable response.

Without a lingua franca for security, how will anyone ever know which organizations are doing a comparatively better or worse job? Whether one's own organization is kicking butt or having its butt kicked?

Chances are the only folks with this information today are hackers who spread their attacks across dozens of them. They can see which utilities offer them an easier path in than others. But I don't imagine they're sharing this information too freely.

I'm tired of this ambiguity. Perhaps you are too. And so, it seems, is the State of California.

Wednesday, March 28, 2012

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the first one in San Jose in 2010. Will shoot to summarize key messages in a post when it's over, but also will blurt out the occasional tweet on the fly using the #GridSec hashtag on Twitter.

Thursday, February 9, 2012

Webcast Alert: Discussing 2012 Smart Grid Security this Morning on Virtual Energy Forum

I'm the warm up act this morning (2/9/12) for the main show, Dr. Peter Fuhr of DOE, who'll be doing a talk on "The Implications Of Cyber Security For Smart Grid Tech Development".

Show starts at 11 am ET (USA). You can get the details, as well as register to attend, right HERE.

This will be recorded too, so if you come to this post after the fact, it'll be available on demand.

Monday, August 8, 2011

Town Hall Announcement: Measurable Security in the Electric Sector

We've trumpeted alerts for previous editions of this town hall series before, and here's another one on a topic that's near and dear to my heart.

Here's the deets:
  • Date: August 17, 2011
  • Time: 8 am - 12 pm PT
  • Host: Puget Sound Energy (PSE)
  • Town: Bellevue, Washington
  • Address: 320 108th Avenue NE, Bellevue, WA 98004
  • Fee: Free
  • More info and to register:  http://nescotownhall.eventbrite.com/
Hope you can make it.

Thursday, March 17, 2011

Combating Smart Grid Vulnerabilities ... and Ourselves

In the previous post I attempted to communicate the urgent necessity of setting some performance metrics for ourselves, with the objective of demonstrating to the senior decision makers who sponsor our activities that what we are doing is bearing fruit.

That the sum total of all the money spent on Smart Grid cyber security products and services, plus the monetary and human resources dedicated to the task of formulating solid interoperability and security standards is producing demonstrably more secure utilities and a demonstrably more secure and increasingly smart grid.

Well, the Journal of Energy Security just published an article called "Combating Smart Grid Vulnerabilities" in which my senior colleague, Grid Wise Alliance Chairman emeritus and current Chair of the Global Smart Grid Federation, Guido Bartels makes a case that we seem to be making reasonable progress ... that we're successfully grappling with what we think we know about the security weaknesses in this system under construction. And I can only agree with him.

But he also acknowledges that it's really hard to say for sure. And backs that with the recently published findings of the GAO and the DOE's IG office. A section of the article called "Don't get too comfortable" states:
The [IG report] issued its report on this matter ... in which it found FERC cyber security standards (as implemented by NERC) and the overall approach for regulating the national grid quite lacking, saying: "… even if the standards had been implemented properly, they 'were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.'"
My response to this is: how would the DOE IG, or anyone else for that matter, especially those who aren't working energy and cyber security 24/7, know if and when implemented standards and controls were adequate? We haven't defined adequate and we measure almost nothing because we've told ourselves two things:
  1. It's too hard to measure cyber security, especially in the energy sector, and,
  2. We can't talk about anything that might be helpful because the info is too sensitive
I agree with Bartels that we are making progress. But how we convince others of that is another matter. There are plenty of MBAs out there and enough Deming disciples to know that we're fooling ourselves if we think that progress is self-evident ... that it's obvious to all observers that activity equals efficacy.

Let's admit the emperor is stark naked, get him some decent garb, and build an increasingly secure Smart Grid, the security level of which can be communicated to ordinary folks ... including non-technical senior executives and congressmen.

Tuesday, March 15, 2011

Smart Grid Security Truth: You Can't Do What You Don't Measure


Are you part of a Smart Grid security task force, working group, support group? No? Look to your left and look to your right. Chances are, one of those folks is. It's getting pretty crowded, with many folks and organizations toiling away trying to figure out what a future-state secure Smart Grid should look like layered on top of our largely insecure and aging legacy grid. Two things are certain: there are a lot of us, and we're awfully busy.

It reminds me of the wood chopping anecdote inside Stephen Covey's Seven Habits of Highly Successful People, which goes something like this:
A group of loggers is busy chopping away doing great work under the supervision of the managers and achieving high productivity and throughput. Someone from a mountain overlooking the forests notices something and shouts "hey, you down there ..." Reply: "we are busy, and making great progress" ... and the person on the mountain yells "Wrong forest!"
Which is to say, we can chop all the Smart Grid security wood we want, but if we don't come up with a way to show our mountain top-dwelling managers that we're working in a forest that matters to them, then it's all for naught. We have to remember that these are the folks who not only write our paychecks, but also approve the regulations, and who fund the R&D and ultimately purchase the security products and services we present to them as solutions.

You know and I know that increased emphasis on (and competence in) cyber security is an absolute must if this grand initiative called the Smart Grid is going to succeed. Whatever would keep anyone, you might ask, from aggressively funding our activities and the security of this most critical piece of critical national infrastructure? Is robust Smart Grid security not as American as mom and apple pie? (Other countries may have to substitute patriotic food stuffs here ... I'm going to assume reverence for mom is universal).

Well, the answer to why we have to struggle for every last scrap of support is painfully simple: it's because most executives and government leaders perceive no improvement beyond status quo ... no change for the better, from the current level of cyber risk the nation's electric utilities are already carrying.

Put yourself in their shoes for a second. Would you continue to allocate scarce human and financial resources, or prioritize legislation, for activities for which there is no clearly discernible business impact/result/payback?

Look around inside our own tightly knit community and you'll quickly see that even the true Jedi masters have no ready tools for objectively describing the current state or for referencing indicators that reveal improvement to outsiders.

So, how might we know if our many activities are helping? Why through measurement and reporting, of course. And some folks out there have mentioned this to us in none-too-subtle a fashion. In the recent Government Accountability Office (GAO) report titled: "Electrical Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed" lack of measurement tools was one of the primary findings:
The electricity industry is ... challenged by a lack of cybersecurity metrics, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. Experts noted that while such metrics are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combine to make the most secure system.
Furthermore, our experts said that having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
So, to help keep this long post from getting too much longer, I recommend a couple of things to you, dear reader:
  1. First, read the recent Gartner Group brief called "Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message" by analyst Jeff Wheaten. It's excellent, and helps map out what's lost in translation when executives try to understand security in their orgs but can't fathom the highly technical, specialized language that's used to describe it. It has some excellent recommendations for improvement, and while it's not energy sector-specific, it doesn't need to be. (Note: unless your org is already a Gartner subscriber, it's going to cost you a bit, but nothing close to what it costs having the funding rug pulled out from under your feet)
  2. It's easy to think of reasons why security metrics (or if you'd prefer, measurement) are difficult or impossible to do in our sector. So take that as a challenge and come up with one or two, preferably nice and simple, that'll have people saying "man, that's brilliant". I'd prefer they were high level and didn't require near-realtime sensor readings and massive analytics. Hint: how about something along the lines of Smart Grid and security maturity models?
Still with me? OK, let's do this thing.

Photo credit: tmorkemo on Flickr.com