Showing posts with label physical security. Show all posts

Monday, November 17, 2014

Energy Security Postscript and Next Chapter

Long-time readers of the SGSB might have wondered if they'd ever see another post. Me too. After producing an average of 1+ posts per week since its inception 5 years ago, I cut way back after leaving IBM in 2013 to give myself more time to focus on consulting. And now there's a new development to report.

Four months ago I shuttered my security strategy business and began my first day on the job at Idaho National Laboratory (INL). It's one of the Department of Energy's national labs, and it's the one most squarely positioned at the intersection of energy infrastructure and national security. Let's call that energy security.

My INL title, Senior Cyber & Energy Security Strategist, may sound a little pretentious, but it pretty accurately captures what I was hired to do. If you visit the lab's home page or the INL Twitter feed it seems like nuclear energy research and related nuclear work are its dominant activities. But while nuclear energy research and fuels fabrication were its origin in the 1940s and its historic mission, with the help of its massive and remote test range that includes grid-scale transmission, distribution and communications assets, the lab I just joined does a ton of research and applied work on power and industrial control systems, Smart Grid and wireless communications, cyber and physical security and resilience, renewables, microgrids, energy storage and more.

Nuclear energy R&D, and full nuclear fuel lifecycle work (including nonproliferation), will always be a significant part of the nation's requirements and the INL mission, and nuclear energy is arguably the most reliable portion of our non-fossil-fuel baseload, but INL is quietly becoming something much more - and more important - than its nuclear legacy might suggest.

Without going into too much detail, the lab's customers now include not just DOE's nuclear energy organizations, but also DOE's renewables, resilience and cyber-physical security components. DHS has become a major customer, as the lab hosts the ICS-CERT cyber security overwatch function for the US grid and other critical infrastructures, and performs other leading edge cyber and physical security roles as well. DoD is a very large customer too, for energy, security and communications test functions, rounded out by direct work with utilities and energy and telecom technology suppliers.

In short, INL in 2014 is not the lab many people think it is. While it's yet to update its image online, a visit to Idaho Falls quickly confirms that this is one of the nation's preeminent Energy Security lab resources. Nuclear energy is and likely always will be a key element, but without making much noise about it, INL has become so much more, and I'm very, very lucky to be a part of it.

------------------------------

Postscript to the Postscript post: Though my blogs are in suspended animation, I continue to speak in public and, albeit more frequently and tersely, on Twitter @andybochman. As the Twitter profile reveals, I continue to work out of my home office in Boston while hitting the road most often for DC, and of course, now, Idaho.


Wednesday, March 19, 2014

A Social Summary of SANS ICS Security Summit 2014

Since I went solo there's been less time for blogging but I hope to catch up a little with this mega post on the just-concluded, 9th annual SANS ICS Security Summit which took place in the Contemporary Hotel at Disney.

Where I can I'll include Twitter IDs, as for many of us, Twitter is how we stay abreast of what we find interesting and what we're thinking about in between real world meet-ups. (Note: I only include these when they're unique to the individual and not shared by a company or org.)

I won't cover all the talks because I didn't attend all of them, and I apologize to those presenters I don't cover here. Nor was I at "Game Night" (though I wish I was) which from what I heard later was a fantastic and grueling hack-fest that extended into the wee hours before champions finally emerged.

Wednesday, February 12, 2014

Please Remain Calm: My Metcalf Substation Physical Security Take-Aways

Valentine's Day update - Two more good links have surfaced for you since I wrote the original post a few days ago:

  • PBS Interview with Jon Wellinghoff and Mark Weatherford
  • A 3rd WSJ article, this one largely a counterpoint to the more FUD-oriented first one
----

It's been nearly 10 days now since the Wall Street Journal published its big story on the attack on a transmission substation outside Silicon Valley in California. Since then, the media, keying on words like "assault, military-style, terrorism," have had a pre-apocalyptic field day.

So in my own way, I've been running a counter-alarmism campaign when speaking with the press as well as with infrastructure security experts about to go live on one of the hysterical "news shows."

My main points are:

  • This attack was significant but it didn't cause a blackout
  • So be concerned, but don't overreact
  • You can thank the hard work and preparation by Pacific Gas & Electric (PG&E) for at least 2 things: 1) rerouting energy flows so there was no perceptible customer impact despite the loss of many transformers, and, 2) getting the substation fully back on line within one month
  • This was a great opportunity for utilities to refresh their physical security policies, and that's what they're doing right now
  • Utilities are already taking concrete steps to deter this type of attack, including: erecting screens or walls to block a would-be shooter's view of his/her intended targets, inviting citizens living near substations to call their utilities if they see something suspicious, in the spirit of the "if you see something, say something" transit security campaign, and looking at the transformer stockpiling and loaner program 

Thursday, January 9, 2014

SANS gets Cyber-Physical with ICS Breach Response Guide


With apologies to Olivia Newton-John, you may or may not be aware that some bad actors have been helping raise awareness about physical threats to electric infrastructure lately. You might say, "Are we sure about this, or were they merely after some copper ... or groundnuts?"

Of course, it always pays to be skeptical, but in the age of video cameras, motion detectors and similar, it's clear that these were humans not after enrichment or nourishment, but rather, intent on destruction.

Mike Assante and Scott Swartz of security training firm SANS just released a how-to manual describing how you can help your utility proceed in the event of an attack.  In particular, they want utilities to be on the lookout for cyber security foul play as they investigate breaches of physical defenses.

Thursday, November 14, 2013

Grid Attack Simulation Just Completed: “It was More Severe than Anything We’ve Drilled”


So said the President and COO of AEP subsidiary Southwestern Electric Power Company, of the scenario she and her people faced during NERC's second GridEx exercise.

Sounds like NERC CEO Gerry Cauley and his team brewed up something pretty potent this time.  Heck, it even included 7 deaths and 150 casualties ... in quotes of course.

NERC will issue an "after action" report including objectives, what actually happened, lessons learned and recommendations as soon as they get some sleep. In the meantime, this account from the NY Times' Matthew Wald is pretty darn good. You can check it out HERE.

Photo credit: The Guardian



Monday, March 12, 2012

Wishful CERAWeek 2012 Energy Sector Security Thoughts


Had the great pleasure of participating in CERA's 31st annual energy conference last week in Houston. I was only there for one day, Wednesday, as I participated in a security panel that evening.

Earlier, the lunch keynote presentation was delivered by Royal Dutch Shell CEO Peter Voser, who addressed environmental and community concerns about the new natural gas recovery technique called fracking.

He suggested that the best approach was for the industry to be as up-front and transparent as possible, and cited his own company's self-policing policy called the "Tight sands/shale oil & gas operating principles", posted on Shell's website for all to see.

Essentially, Voser asserted that Shell's safety, environmental protection, and community partnering policies around fracking were not just a sound strategy for getting "out in front" of a potential PR problem, they were simply good business.

It struck me that perhaps here was a model for electric utility self-policing re: cybersecurity and privacy. Maybe if more companies in our sector would get out in front of cybersecurity fears and concerns with clearly broadcast policy and messaging, Congress and other oversight orgs (NERC, for example) would feel less compulsion to legislate additional layers of compliance requirements.

As my colleague Matt F pointed out, it may be too late to stop the 2012 Cybersecurity Act from becoming law. Utilities would have had to start their self-policing campaigns much earlier to stay Congress' hand. And with the recent mock attack on NYC, demonstrating, among other things, that current regulations like NERC CIP version 3 don't cover distribution networks, it looks like a fait accompli.

All full of speculation and wishful thinking here, but I definitely have a sense that this could have played out differently. And who knows, maybe the utility security self-policing idea, if it caught on and went wide, could begin to obviate and undo the need for the legislation, and lead to its eventual repeal.

Tuesday, September 6, 2011

A Couple of Closing Thoughts on Hurricane Irene

Damaged power lines burned in Nag's Head as Hurricane Irene hit the northern Outer Banks of North Carolina.
Hurricane Irene fully cleared my city (Boston) last week, we've had nice weather since, and everyone (or almost everyone) in Massachusetts has their power back at the time of this writing. Folks in some other states aren't quite so lucky.

But before we file away the memory and move on to the next storm or cyber incident, check out this Irene-related online exchange between a residential customer and a utility executive doing his best to keep his customers as informed as possible:
Q: Why am I getting calls to see if my power has been restored when in fact it has not been? I have a 4 year old and 1 year old and you can imagine what it is like being without power. 
A: One of the reasons we perform call backs is because crews have made repairs in the neighborhood and surrounding areas, and we want to ensure that each house has been restored. Without requesting a call back when you report an outage, we wouldn't know the service to your house is still out. Please make sure to report all outages to 1-877-xxx-yyyy.
Sounds like a region ripe and ready for its residential Smart Meter deployments, doesn't it? I'd say it's well worth the extra time and effort cyber professionals need to develop a secure Smart Grid to relegate conversations like this to history.

And the image of the totally chewed up poles (from Nag's Head, North Carolina) really caught my eye. Aren't the poles supposed to be holding up the lines ... and not the other way around? As immigrants to the electric sector quickly learn: cyber risks are one thing; Mother Nature is something else entirely.

Photo credit: Nicholas Kamm of AFP

Tuesday, March 1, 2011

The Near-Inside Cyber Threat to Utilities

DOE's cyber lead Bill Hunteman  just revealed a security guard once told him "I'm your biggest threat" at 2 am one morning. Guard noted he had keys to every room in that utility and was taking cyber security classes in between shifts. Said he could be inside the network attacking systems all night and nobody would know it.

Food for thought at Smart Grid Security East.

Monday, November 29, 2010

Enernex's Kevin Brown on Intersection of Physical and Cyber Security Challenges in Smart Grid Devices

Thanks to Erich Gunther for promulgating this excellent video Q&A featuring his security-minded colleague, Kevin Brown.

As a cyber guy, I've not imagined physical security as being much more than perimeter fences, surveillance cameras and good locks. Brown's discussions on battery life expectancies, how high you should mount pole-mounted devices, and how easy it is to become king of reclosers were all eye openers for me.

Visually, there's not a lot more going on than in My Dinner with Andre. But the content, which truly bridges the physical and cyber worlds, is utterly compelling, fascinating stuff. It's over 20 minutes long, so make sure you find an open spot in your schedule. You won't want to multi-task through this one or you'll miss a lot.


Physical and Cyber Security for a Smart Grid from Erich Gunther on Vimeo.

Thursday, November 11, 2010

Electric Infrastructure Physical Security "Wrong Way" in Ohio


Not sure even the most robust physical security controls could have prevented this crashing chimney-induced local loss of service. As Chrissie Hynde of the Pretenders put it: "Way to go, Ohio". How did this substation arrive at this sorry state of affairs you may ask?  See for yourself in this short and scary video:



Guess from a security point of view, we'd have to catalog this one under "some things are just out of our control" as energy security policy wonks, right next to city busting asteroids and mid-continent nuclear explosion-generated EMP bursts.

Here's the full page of pictures and the article on MSNBC's photoblog page.

Photo credit: MSNBC