Showing posts with label metrics.

Wednesday, March 5, 2014

Energy Firms Not Ready for Cyber Insurance?


Or so says corporate underwriter and veteran cyber insurance provider, Lloyds of London, in a BBC article last week:
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out. Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.
Sadly, as the article goes on to say:
After such checks were carried out, the majority of applicants were turned away because their cyber defenses were lacking.

Sunday, February 16, 2014

DOE's C2M2 is Growing Up Fast

There's been a ton of work accomplished since DOE handed the C2M2 flame to former FERCer Jason Christopher.  This program has now been used at hundreds of enterprises and gives you three flavors of Cybersecurity Capability Maturity Model (C2M2) to choose from.

You can download any/all of the models right this minute if you are so inclined:


In addition, there are a number of new supporting resources for organizations at some stage of the C2M2 consideration or implementation process:

  • C2M2 FAQ - helps answer whether or not a C2M2 self-assessment is right for your organization (ab: sounds a little too much like a Cialis commercial to me)
  • C2M2 Facilitator Guide - provides step-by-step guidance for organizations that want to perform their own internal self-assessments (with or without a 3rd party)
  • C2M2 toolkit for all three models (electricity, oil & natural gas, and sector-neutral) based on MS Excel and Word, so it can be used by any organization. (Toolkits are provided by request only—email C2M2@doe.gov for more information.)

Lastly, this just-released bulletin tells you how DOE, NIST and DHS see the C2M2 and the Critical Infrastructure Security Framework (CSF) playing complementary roles.

So much good stuff.  Between all of the above and the Olympics, this should keep you off the streets and out of trouble until Spring finally shows up.

Friday, October 11, 2013

Moving Beyond Technical: Use Security Governance Strategies to Integrate Security with the Mission

If like me you've come to the conclusion that a tech-centric strategy can only get us so far in energy sector cyber risk management, then you might want to see some of the source materials I've come across in my explorations.

The two I'll point to in this post are from Carnegie Mellon University's CERT program and PricewaterhouseCoopers' cybersecurity consulting practice.  What they have in common is that they are both several years old.  This is not VC or DARPA-funded cutting edge stuff.  It's human behavior stuff, and as such, it's not on an upgrade path anything like iOS, Android, or "Next Generation" firewalls. But neither are these concepts rapidly deployable, as you'd be hard put to find them put into practice widely at many utilities in 2013.

Thursday, December 13, 2012

Smart Grid Security 2012 Highlights and 2013 Look Forward


As a chronic complainer re: the lack of grid security metrics (see post from nearly 2 years ago: "Smart Grid Security Truth: You Can't Do What You Don't Measure"), this has been the most amazing and surprising year for me.

By far the most important development this year was that it began with only a few specific guidance documents (from NIST and NRECA) and is now ending with a comparative landslide of guidance, including some directly aimed at helping utilities assess their current security posture and plot future courses for improvement.

I documented most of these in an October post but for those who missed, forgot or avoided it, here are the new ones for North America published in 2012:

Wednesday, October 17, 2012

Electric Sector Security Metrics Mother Lode

Not all are technical metrics, nor are they all, technically, metrics.

But in the space of just a few months this summer, North American electric utility executives and their security leadership have seen a spate of new guidance documents published that intend to help them manage, monitor, and measure the effectiveness of their cyber risk mitigation strategies and controls.

Where once there was just the cross-sector ISO 27000 series to steer your security course by (or for Federal folks, FISMA), there are suddenly a near handful of freshly minted how-to manuals at their disposal:
  • DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012): metrics for utilities to use to baseline and gauge effectiveness
  • DOE's Electricity Subsector Risk Management Process (May 2012): helpful in translating cybersecurity into a risk management framework
  • NARUC's Cybersecurity for State Regulators (June 2012): questions utilities will be asked by their state public utility commissions
  • NIST's NISTIR 7628 Assessment Guide (Aug 2012)

And if you live in or keep an eye on California, then there’s the metrics work and data privacy rules of the California Public Utilities Commission (CPUC) to consider. It’s working collaboratively with the three big investor owned utilities (IOUs) to bring Smart Grid metrics to fruition, and despite some initial skirmishing, seems resolute in adding security metrics to the mix.

So now maybe the guidance utilities need most is: with limited resources already maxed out on NERC CIP related activities, how to select and implement the best and most helpful pieces from the list above.

Ironic, is it not, to hear the SGSB describe a flood of security metrics in our industry?

Tuesday, October 9, 2012

Conference Alert: A Risk Management-Focused GridSec

Things have been changing over the course of half a dozen or so GridSec conferences the last 3 years:
  • Increasingly, a risk management vs. pure compliance approach to security is in evidence at utilities
  • Practical, business-oriented metrics and measurement mechanisms are being developed and used to increase visibility and understanding of current state and challenges, and to facilitate prioritization
  • Describing security requirements and incidents in language more accessible to management and more aligned with core utility values and business drivers, including safety and reliability
  • More attention to Operational-side issues
What attendees will experience at the upcoming summit will be an update on the evolution of grid security, privacy and compliance issues that reflects the evolution of the bulleted points above.

The details you need to get/be there:

  • When: 22-24 Oct 2012
  • Where: PG&E head office, 77 Beale Street, San Francisco, CA
  • Web page for more info and reg: HERE

Lots of great speakers are lined up and the hallway talk is always interesting too. Hope you can make it.

Wednesday, August 15, 2012

Mid 2012 GAO Update on Grid Security ... and a Mea Culpa

Before teeing up the most recent GAO report on electric sector cybersecurity, I'd like to use this pixelated platform to speak back to a quote attributed to me last week that raised the hackles of some utility professionals (and it should have).

First, I'm neither a security-focused PR flack for the electricity industry, nor a gotcha journalist trying to capture eyeballs by vilifying utilities and scaring readers. Rather, I'm a member, supporter, advocate, and hopefully, sometimes, a constructive critic of the enterprise of keeping the grid safe and secure while updating it for the 21st century.

So here's the thing: a recent interviewer quoted me as saying senior management doesn't have a very good understanding of their security posture. While I'm sure I've said something like this a hundred different ways on the blog, it's never been intended as an insult or attack, but rather as observation of the current state of affairs at many but not all utilities. The way this was captured and framed in the article, however, losing nuance and a few other qualifying words along the way, it definitely came off as a blunt attack ... and I'm not the only one who noticed. Sorry about that ... wasn't my intent.

However, support for this type of generic observation comes from things everyone in the industry already knows, and that the GAO lists on the highlights page of its July 2012 report. Here are the last 4 challenges, partially addressing utilities, partially the larger industry ecosystem:
  • A focus by utilities on regulatory compliance instead of comprehensive security
  • A lack of security features consistently built into smart grid systems
  • The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues
  • The electricity industry did not have metrics for evaluating cybersecurity (AB: of course I'll come back to this one before the post is over!)
All of these things make sense to folks who've either been in a utility or have worked with utilities and/or regulators for some time. There's a logical history to each of them that explains where they came from and why they remain challenges to be solved. 

And you'll note (and it angers some of the more concerned security pundits when I say this), that whatever US utilities have done so far has apparently been enough to keep cyber attackers from having major successes to date.

As this post is now getting too long and trying to do too many things, let's end with another invocation on the benefits of business-oriented metrics, this time courtesy of the GAO itself:
... Having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
The GAO, I think, comes from a similar position, in some ways anyway, as this blog. The cited report mentions not just shortcomings but positive actions taken so far. The GAO, the SGSB (this blog) and plenty of other groups and individuals simply want to see utilities and the industry be safe and successful while they modernize to meet the demands of our times. Neither are interested in criticism for criticism's sake, but only to suggest better possible methods. I'll leave it at that for now.

Tuesday, July 24, 2012

2 Control Systems Metrics Movers/Shakers: Jim Brenton and Joe Weiss

The more metrics the merrier, I say. After yesterday's post on IDC's take on energy sector cybersecurity metrics, let's pivot to control systems, where the three most important things are:
  1. reliability
  2. reliability, and
  3. reliability
... and where what passes for cybersecurity in IT realms just doesn't cut the mustard.

First see this NEW POST from Joe Weiss on how to begin wrapping your head around what control systems metrics could look like.

Then I'd recommend Jim Brenton's PRESENTATION at GridSec earlier this year on a new group that's formed to look at developing security (or should I say reliability and resiliency) metrics for the Bulk Electric System (BES).

OK, that's it, this is a short one. You can go back to what you should have been doing all along.

Monday, July 23, 2012

New IDC Report Takes Measure of Energy Security Metrics


They had me with the title: "Methods and Practices: Creating a Metrics-Based Security Culture".  It seems IDC must have used a key word optimizer app designed to discover the best title based on the complete works at the Smart Grid Security Blog.

I can't vouch for the utility of this report because I haven't read it.  But I do know lead IDC energy and security analyst Usman Sindhu because we've been discussing grid security topics since we met back when he was still at Forrester Research.

Jesse Berst and the SmartGridNewsers did a nice little intro to it HERE.

The price may not be right for you, though maybe your company already has a subscription with IDC that will let you see it for free. Or maybe you can negotiate a "friends price" with Usman, the economy being somewhat iffy at the moment.

Photo credit: Steven Harris on Flickr.com


Monday, May 21, 2012

Measuring Security? In the Electric Sector? Are you Serious? Someone Is.


Tried making the case most recently with Time for Electric Sector to Measure Up on Security and Smart Grid Security Truth: You Can't Do What You Don't Measure but couldn't detect a measurable response.

Without a lingua franca for security, how will anyone ever know which organizations are doing a comparatively better or worse job? Whether one's own organization is kicking butt or having its butt kicked?

Chances are the only folks with this information today are hackers who spread their attacks across dozens of them. They can see which utilities offer them an easier path in than others. But I don't imagine they're sharing this information too freely.

I'm tired of this ambiguity. Perhaps you are too. And so, it seems, is the State of California.

Tuesday, May 15, 2012

Announcing the First Electric Sector CSO List


You've been holding your breath for this, I know, so I'm happy to announce you can resume normal respirational activities. As the title says, this post begins the process of assigning kudos to utilities who've been so bold and proactive as to appoint and empower a senior professional to run cyber security across their organizations.

By this I mean a senior business (more than a technical) professional charged with developing, promulgating and enforcing security policy across operational and information technology boundaries, across all lines of business.

Monday, April 23, 2012

Time for the Electric Sector to Measure Up on Security


Let me begin by saying I'm so sick of alarmists. We are implored to "Constant Vigilance!" by Mad Eye Moody and to constant vigilance we at the SGSB are committed. But not to constant cowering.

OK, that said, you may recall I have a jones for business metrics. So much so that lately I've been suggesting them to the DOE Electric Sector Cyber Risk Management Maturity folks for inclusion in the Program Management part of their model.

Amidst the latest spate of Smart Grid security fear and loathing (documented here and here last week, and earlier here and here and etc.), maybe what Congress, FERC, utility boards of directors, consumer protection groups, and the man on the street need is evidence that we're making progress on protecting the grid and its constituent elements from the various forms of lurking badness out there.

Maybe that evidence, to be readily consumed by all of the above, needs to be communicated in plain language. Let's agree that business language is plain language.

So let's begin with Enernex CEO Erich Gunther's GridSec 2012 monster keynote preso Pragmatic Approach to Utility Cyber Security and one slide in particular "Approaches that Fail". These should all be quite familiar to y'all by now:
  • Attempting to explain the situation technically
  • Overwhelming with statistics – number of attacks, names and types of attacks, enumerating systems potentially affected
  • Using the “sky is falling approach” – we’re doomed!
  • Depending on government and regulation to “fix it”
For me, this outstanding presentation was an expertly crafted electric sector extension of Gartner Group analyst Jeff Wheatman's seminal 2011 paper: "Why Communication Fails: Five Reasons the Business doesn't get Security's Message".  I'm going to grab one of Erich's "Pragmatic Conclusion" bullets to segue to the next piece:
  • We need to be more well versed in the disciplines of the core businesses we are trying to protect
By apparently Divine intervention, Robb Reck's article, Making Security Metrics that Matter (to Business) was just published on InfoSec Island, where I found it this morning. The morning of the same day (today) I actually needed it.

Robb begins by asking security folks:
What are the strategic goals for your organization in 2012? Can you recite them off the top of your head? If you can't, you're not alone. The inability of enterprise security teams to answer those questions is one of the biggest obstacles facing our discipline today, and it's the biggest reason current [overly technical] security metrics do not grab the attention of organization leaders.
He provides some excellent large and small company examples and begins his conclusion with:
Gone are metrics like “vulnerabilities found” and “patch level.” In their place are metrics that directly address the priorities of the business. By crafting the metrics in the language of our business leaders, we are demonstrating the value of their security investment in a way that matters to them.
I'll begin and finish my conclusion with the one security business metric that rules them all: the appointment and empowerment of a Chief Security Officer (CSO), with purview across the entire enterprise, and the authority to set and enforce security policy in both the IT and OT realms.

Show the man on the street and others an expanding list of utilities with CSOs as described above, and you can bet they'll all be sleeping better at night. And maybe we can all get up before the next alarm goes off.

Photo credit: mnapoleon at Flickr.com

Wednesday, March 28, 2012

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the first one in San Jose in 2010. Will shoot to summarize key messages in a post when it's over, but also will blurt out the occasional tweet on the fly using the #GridSec hash tag on Twitter.

Thursday, February 9, 2012

Webcast Alert: Discussing 2012 Smart Grid Security this Morning on Virtual Energy Forum

I'm the warm up act this morning (2/9/12) for the main show, Dr. Peter Fuhr of DOE, who'll be doing a talk on "The Implications Of Cyber Security For Smart Grid Tech Development".

Show starts at 11 am ET (USA). You can get the details, as well as register to attend, right HERE.

This will be recorded too, so if you come to this post after the fact, it'll be available on demand.

Wednesday, September 7, 2011

Conference Alert: EnerSec Smart Grid Security Summit West 2011


This conference series, the first ever dedicated to Smart Grid Security and Privacy, had a great start last year in San Jose and now returns to California with a head of steam after robust attendance and some very strong content earlier this year in Knoxville.

The lineup keeps getting stronger and this session promises a compelling mix of workshops on day 1, followed by days 2 and 3 with regulator and industry updates, round table discussions and lots of back and forth with what has been in the past a very energized audience.

You can expect a bunch of utilities will be present, and not just the big 3 from California, plus state regulators from CA and TX, fed folks from DOE, NERC, FERC and NIST.  Also, owing to proximity to one of the largest USN bases in the world, we'll likely see some energy-minded sailors present too.

Here are the basic facts for you:
  • Dates: 3-5 Oct 2011
  • Location: San Diego
  • Venue: Town and Country Hotel - click HERE to reserve a room
  • For more info and to register for the conference, click HERE
Next week I plan on throwing a few trivia questions at you. Correct answers may earn you a significantly reduced rate for the conference, or at the very least, hearty congratulations.

Photo credit: http2007 on Flickr.com

Monday, August 8, 2011

Town Hall Announcement: Measurable Security in the Electric Sector

We've trumpeted alerts for previous editions of this town hall series before, and here's another one on a topic that's near and dear to my heart.

Here's the deets:
  • Date: August 17, 2011
  • Time: 8 am - 12 pm PT
  • Host: Puget Sound Energy (PSE)
  • Town: Bellevue, Washington
  • Address: 320 108th Avenue NE, Bellevue, WA 98004
  • Fee: Free
  • More info and to register:  http://nescotownhall.eventbrite.com/
Hope you can make it.

Thursday, March 17, 2011

Combating Smart Grid Vulnerabilities ... and Ourselves

In the previous post I attempted to communicate the urgent necessity of setting some performance metrics for ourselves, with the objective of demonstrating to the senior decision makers who sponsor our activities that what we are doing is bearing fruit.

That the sum total of all the money spent on Smart Grid cyber security products and services, plus the monetary and human resources dedicated to the task of formulating solid interoperability and security standards is producing demonstrably more secure utilities and a demonstrably more secure and increasingly smart grid.

Well, the Journal of Energy Security just published an article called "Combating Smart Grid Vulnerabilities" in which my senior colleague, Grid Wise Alliance Chairman emeritus and current Chair of the Global Smart Grid Federation, Guido Bartels makes a case that we seem to be making reasonable progress ... that we're successfully grappling with what we think we know about the security weaknesses in this system under construction. And I can only agree with him.

But he also acknowledges that it's really hard to say for sure. And backs that with the recently published findings of the GAO and the DOE's IG office. A section of the article called "Don't get too comfortable" states:
The [IG report] issued its report on this matter ... in which it found FERC cyber security standards (as implemented by NERC) and the overall approach for regulating the national grid quite lacking, saying: "… even if the standards had been implemented properly, they 'were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner."
My response to this is: how would the DOE IG, or anyone else for that matter, especially those who aren't working energy and cyber security 24/7 know if and when implemented standards and controls were adequate? We haven't defined adequate and we measure almost nothing because we've told ourselves two things:
  1. It's too hard to measure cyber security, especially in the energy sector, and,
  2. We can't talk about anything that might be helpful because the info is too sensitive
I agree with Bartels that we are making progress. But how we convince others of that is another matter. There are plenty of MBAs out there and enough Deming disciples to know that we're fooling ourselves if we think that progress is self evident ... that it's obvious to all observers that activity equals efficacy.

Let's admit the emperor is stark naked, get him some decent garb, and build an increasingly secure Smart Grid, the security level of which can be communicated to ordinary folks ... including non-technical senior executives and congressmen.

Tuesday, March 15, 2011

Smart Grid Security Truth: You Can't Do What You Don't Measure


Are you part of a Smart Grid security task force, working group, support group?  No?  Look to your left and look to your right. Chances are, one of those folks is. It's getting pretty crowded, with many folks and organizations toiling away trying to figure out what a future-state secure Smart Grid should look like layered on top of our largely insecure and aging legacy grid. Two things are certain: there are a lot of us, and we're awfully busy.

It reminds me of the wood chopping anecdote inside Stephen Covey's Seven Habits of Highly Successful People, which goes something like this:
A group of loggers is busy chopping away doing great work under the supervision of the managers and achieving high productivity and throughput. Someone from a mountain overlooking the forests notices something and shouts "hey, you down there ..." Reply: "we are busy, and making great progress" ... and the person on the mountain yells "Wrong forest!"
Which is to say, we can chop all the Smart Grid security wood we want, but if we don't come up with a way to show our mountain top-dwelling managers that we're working in a forest that matters to them, then it's all for naught. We have to remember that these are the folks who not only write our paychecks, but also approve the regulations, and who fund the R&D and ultimately purchase the security products and services we present to them as solutions.

You know and I know that increased emphasis on (and competence in) cyber security is an absolute must if this grand initiative called the Smart Grid is going to succeed. Whatever would keep anyone, you might ask, from aggressively funding our activities and the security of this most critical piece of critical national infrastructure? Is robust Smart Grid security not as American as mom and apple pie? (Other countries may have to substitute patriotic food stuffs here ... I'm going to assume reverence for mom is universal).

Well, the answer to why we have to struggle for every last scrap of support is painfully simple: it's because most executives and government leaders perceive no improvement beyond status quo ... no change for the better, from the current level of cyber risk the nation's electric utilities are already carrying.

Put yourself in their shoes for a second. Would you continue to allocate scarce human and financial resources, or prioritize legislation, for activities for which there is no clearly discernible business impact/result/payback?

Look around inside our own tightly knit community and you'll quickly see that even the true Jedi masters have no ready tools for objectively describing the current state or for referencing indicators that reveal improvement to outsiders.

So, how might we know if our many activities are helping? Why through measurement and reporting, of course. And some folks out there have mentioned this to us in none-too-subtle a fashion. In the recent Government Accountability Office (GAO) report titled: "Electrical Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed" lack of measurement tools was one of the primary findings:
The electricity industry is ... challenged by a lack of cybersecurity metrics, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. Experts noted that while such metrics are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combine to make the most secure system.
Furthermore, our experts said that having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
So, to help keep this long post from getting too much longer, I recommend a couple of things to you, dear reader:
  1. First, read the recent Gartner Group brief called "Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message" by analyst Jeff Wheatman. It's excellent, and helps map out what's lost in translation when executives try to understand security in their orgs but can't fathom the highly technical, specialized language that's used to describe it. It has some excellent recommendations for improvement, and while it's not energy sector-specific, it doesn't need to be. (Note: unless your org is already a Gartner subscriber, it's going to cost you a bit, but nothing close to what it costs having the funding rug pulled out from under your feet)
  2. It's easy to think of reasons why security metrics (or if you'd prefer, measurement) are difficult or impossible to do in our sector. So take that as a challenge and come up with one or two, preferably nice and simple, that'll have people saying "man, that's brilliant". I'd prefer they were high level and didn't require near-realtime sensor readings and massive analytics. Hint: how about something along the lines of Smart Grid and security maturity models?
Still with me? OK, let's do this thing.

Photo credit: tmorkemo on Flickr.com