DOE's C2M2 is Growing Up Fast

There's been a ton of work accomplished since DOE handed the C2M2 flame to former FERCer Jason Christopher.  This program has now been leveraged at hundreds of enterprises and now gives you three flavors of Cybersecurity Capability Maturity Model (C2M2) to choose from now.

You can download any/all of the models right this minute if you are so inclined:

• ES - Electricity Subsector (version 1.1)
• O&G - Oil & Gas (version 1.1)
• Sector Neutral

In addition, there are a number of new supporting resources for organizations at some stage of the C2M2 consideration or implementation process:

• C2M2 FAQ - helps answer whether or not a C2M2 self-assessment is right for your organization (ab: sounds a little too much like a Cialis commercial to me)
• C2M2 Facilitator Guide - provides step-by-step guidance for organizations that want to perform their own internal self-assessments (with or without a 3rd party)
• C2M2 toolkit for all three models (electricity, oil & natural gas, and sector-neutral) based on MS Excel and Word, so it can be used by any organization. (Toolkits are provided by request only—email C2M2@doe.gov for more information.)

Lastly, this just-released bulletin tells you how DOE, NIST and DHS see the C2M2 and the Critical Infrastructure Security Framework (CSF) playing complementary roles.

So much good stuff.  Between all of the above and the Olympics, this should keep you off the streets and out of trouble until Spring finally shows up.

Please Remain Calm: My Metcalf Substation Physical Security Take-Aways

Valentines Day update - Two more good links have surfaced for you since I wrote the original post a few days ago:

A PBS Interview with Jon Wellinghof and Mark Weatherford 

A 3rd WSJ article, this one largely a counterpoint to the more FUD-oriented first one

----

It's been nearly 10 days now since the Wall Street Journal published its big story on the attack on a transmission substation outside Silicon Valley in California.  Since then, the media, keying on words like "assault, military-style, terrorism" have had a pre-apocalyptic field day.

So in my own way, I've been running a counter-alarmism campaign when speaking with the press as well as with infrastructure security experts about to go live on one of the hysterical "news shows."

My main points are:

• This attack was significant but it didn't cause a blackout
• So be concerned, but don't overreact
• You can thank the hard work and preparation by Pacific Gas & Electric (PG&E) for at least 2 things: 1) rerouting energy flows so there was no perceptible customer impact despite the loss of many transformers, and, 2) getting the substation fully back on line within one month
• This was a great opportunity for utilities to refresh their physical security policies, and that's what they're doing right now
• Utilities are already taking concrete steps to deter this type of attack, including: erecting screens or walls to block a would-be shooter's view of his/her intended targets, inviting citizens living near substations to call their utilities if they see something suspicious, in the spirit of the "if you see something, say something" transit security campaign, and looking at the transformer stockpiling and loaner program 

Whitsitt on What's Up with the NIST CSF

Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF), but it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.

Penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.

The Things I've Seen Series: Part 1 - Utility Security Governance Boards

In the final moments of Blade Runner, Rutger Hauer's character, close to death, tells Harrison Ford: "I've seen things you people wouldn't believe."

Over the course of the next several posts I'm going to go through some of my sanitized field notes and let you see things you may or may not believe, some good, some not so good.  Nothing quite as cosmic as what Hauer relates in his final moments, but probably should be interesting if you're in or work with the industry.

Let's start off the series on a positive note with the formation of Security Advisory Boards.  Investor Owned Utilities (IOUs) typically have a number of boards: executive, safety, governance, audit & compliance, etc. However, you can dig through annual reports and review the investor information sections on company web sites for a long time and you likely won't find much if anything relating to cybersecurity risk strategies, concerns or activities.

NERC CIPs Catching up to iPhone Version Numbers

OK, imagine an auction barker: "Bids opening at NERC version 3, do we have a version 3? ..."

"Yes! How about version 4?" Etc.

Well, according to Honeywell's NERC CIP guru Tom Alrich (of the famous, eponymous and quite helpful blog), it now appears that the next version of the CIPs to which utilities must comply will be neither version 4 nor  5 but rather version 6!

I was stunned as were many of the those in online attendance. Tom explains his reasoning on the EnergySec webcast and much more, which you can see HERE. There's a lot of helpful information for utilities of all sizes dispensed in this hour long piece, with some deep dives into the ramifications of high, medium, and low risk assets.

Now, depending on whether we get an iPhone 5s or 6 next month, it's clear that NERC will not allow the CIP versions to lag far behind.

----------------------------

Attended most of this webinar online, but hat tip to my former colleague and (hopefully) current friend, Nebraskan Dave Hemsath of IBM for sending me the replay.

Photo credit: KCRW.com

Motivation through Compensation: Paying Utilities to Upgrade Cyber Defenses

Now we're getting somewhere!  The long submerged topic of "who should pay" for electric utility cyber security improvements has just breached the surface and is now bobbing up and down in clear daylight.

A recent article in Bloomberg documents several large US utilities' efforts to recover current and future cyber security investments the same way they get paid for other infrastructure programs: by getting clearance from their state utility commissions to approve these expenses in their rate cases.

Actually rate payers (aka electricity customers) will pay one way or another, as they should, for the essential service that makes our modern lifestyles possible.  Possible methods of payment include:

• Absorbing the costs to their businesses and their lives associated with brown outs or black outs or electricity quality issues stemming from successful attacks on control centers or systems
• Paying more every month to cover some, most or all (TBD) of their utilities' cyber-protection expenses
• Or, as Pepco CIO Doug Myers said, as cited in the Bloomberg article, allowing utilities to be reimbursed through federal grants

This concept was articulated more formally by Michael Daniel, special assistant to the President on Cybersecurity, when he included rate recovery as one of a number of cyber incentive strategies for critical infrastructure providers:

Rate Recovery for Price Regulated Industries — Agencies [DHS, Commerce, Treasury] recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.

As this blog often reiterates, we have to acknowledge and accept the costs of living in a technology-enabled world, where the impulse to cyber secure important services must become every bit as natural as physically securing our more tangible valuables.

Else, I have a nice cave I'd like to show you. And no, it doesn't have wifi.

First Look at Cyber Security Incentive Ideas, Companion to NIST's Framework Work

I'll oversimplify this to keep it short, but the President kicked all of this off earlier this year in wake of failed cyber security legislation efforts in 2010 (GRID Act) and 2012 (Cybersecurity Act of 2012).

The two primary vectors on this project have included:

1. Having NIST lead the charge to develop a new cyber security framework (i.e., pattern, roadmap, guidance) made up of references to existing guidance that seem to work well. On twitter this effort is tagged #NISTCSF
2. A parallel initiative to develop incentives that might improve the business case for being more proactive on cyber security.

The incentive categories were just made public, and so far include :

• Cybersecurity Insurance
• Grants
• Process Preference
• Liability Limitation
• Streamline Regulations
• Public Recognition
• Rate Recovery
• Cybersecurity Research

Liability and insurance are going to be the thorniest.  And rate recovery help, if workable, sounds promising.

You ran read The Hill's coverage and the original White House text via URLs below, as well as check out the current status and next activities related to the framework.

----

URLs

The Hill

http://thehill.com/blogs/hillicon-valley/technology/315795-white-house-publishes-preliminary-list-of-cybersecurity-incentives

White House

http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework

NIST CSF

http://www.nist.gov/itl/cyberframework.cfm

To Secure Your State Grid, First Know Your Public Utility Commission (UPDATED)

19 July 2013 UPDATE: Significant clarification just in from Terry Jarrett, Commissioner of Missouri's Public Service Commission and Chairman of the Committee on Critical Infrastructure at NARUC:

Actually, the NARUC Critical Infrastructure Committee's main focus has been cyber security for the past two years that I have been chairman. Last fall at our annual meeting, incoming NARUC president Phil Jones declared cyber security to be one of the themes of his presidency. To say that cyber will be given more attention in Denver than in the past simply is not factual. 

Thank you Terry.  I'll leave the original post below intact so you can see to what Terry was referring, but please keep his clarification in mind as you do.  ab

-- -- -- -- --

The Advanced Energy Economy Institute (AEE) has a great new site for helping you navigate your way around any of the 50 US states' energy landscapes, including commission leadership, energy portfolio mix, legislation and more. One topic you won't read much about, however, at least not without doing some substantial digging, is cyber security preparedness.

As readers of the SGSB may recall, we've done shout outs to California and Texas, both states having cyber security knowledgable professionals on their Public Utility Commission (PUC) staff, and there are a couple of other states now similarly equipped. Many other states, however, haven't yet made a modest level of cyber security capability a requirement.

With the Business Roundtable (BRT) issuing guidance earlier this year for how organizations should better organize themselves to meet the rising cyber security risks they face, to a recent report drawn from mega-insurer Lloyds of London's survey of CEOs and Board of Directors at the world's top companies showing they now consider cyber security among the top three risks facing their companies, you could say it's well past time for all organizations, and particularly those with public authority and responsibility like state utility commissions, to ensure they are well informed.

Lastly, you should note that the national body representing the interests of state commissions in Washington, NARUC, has demonstrated excellent leadership producing not just one, but two versions of practical cyber security guidance for commissions in the past year. NARUC will be holding its annual summer meetings in Denver next week and I understand cyber security is going to be given much more attention than it's received in the past.  Hmm, maybe this is a good chance to jump-start your commission's cyber security program ....

NIST Critical Infrastructure Cyber Security Framework (#NISTCSF) Effort Steaming Ahead

Five hundred souls or so are expected in sunny San Diego this week for the 3rd round of meetings intended to produce new cyber security guidelines for operators of US critical infrastructure.

This article gives you the most recent update on status including cares and concerns related to privacy, business case, and getting senior management buy-in to even consider following this framework in the first place:

http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/nist-meeting-poses-major-test-for-obama-cybersecurity-push/menu-id-1075.html

It references this DHS doc from earlier this year that attempts to pave the way for CEOs to become more engaged in their organization's cyber security efforts, called Cyber Security Questions for CEOs:

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

Lastly, if you want to see more of the process without actually getting your feet weight (or getting on a west-bound plane) here are a few resources for you:

The emerging framework itself: http://www.nist.gov/itl/cyberframework.cfm

Details on the San Diego workshop: http://www.nist.gov/itl/csd/3rd-cybersecurity-framework-workshop-july-10-12-2013-san-diego-ca.cfm

Live webcasts of the proceedings can be viewed via these URLs:

Day 1 (Wednesday) Webcast: http://www.youtube.com/watch?v=3hJww5_BDSQ
Day 2 Webcast: http://www.youtube.com/watch?v=SLVW0vFw0gI
Day 3 Webcast: http://www.youtube.com/watch?v=-9hORcAcXNA

I'm flying out today, along with a few of my IBM colleagues. Looking forward to seeing some of you there.

Photo credit: The San Diego Union-Tribune

Oil and Natural Gas Co's became Primary Attack Targets Last Year

At least according to analysis from cyber security company Alert Logic. This detail and more is captured in a report just released by the US Council on Foreign Relations (CFR).

According to authors Blake Clayton and Adam Segal:

Cyber attacks on energy companies are increasing in both frequency and sophistication, making them more difficult to detect and defend against. Cyber espionage is being carried out by foreign intelligence and defense agencies, even organized crime or freelance hackers.

Energy sector can learn from DOD's cybersecurity strengths (and weaknesses)

Last year the US DoD released a report by one of its Defense Science Board teams and I've seen it referenced a number of times in recent weeks, especially in articles announcing our loss of the most sensitive systems design details on dozens of current and next generation weapons systems.

See if you think this excerpt from the executive summary would accurately describe the current state at the utility you work for, or regulate, or invest in, or power your home with:

[The conclusion that we must do much better on cyber defense] was developed upon several factors, including the success adversaries have had penetrating our networks; the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems.

If you think it might, then it's possible that you may find value in digging into the findings and recommendations within. I noticed this one on culture as being particularly relevant to our sector:

Individual and organizational cyber practices result in so many cyber security breaches that many experts believe that DoD networks can never be secure with the current cyber culture. The individual’s immersion in the civil sector cyber culture and the military’s focus on mission objective are the two most important contributors to DoD’s poor cyber culture. In the face of a threat that routinely exploits organizational and personal flaws, DoD leadership must develop a clear vision for the Department’s cyber culture.

It's very likely your utility is not targeted nearly as much as are the DoD's networks and systems, but I'd still say this report has lots of applicability for the way we think and act.

-------------------------

URL for full report:

http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf

Grid Security Keynote of Note at May 2013 ISO Conference

Since you can't be everywhere, there's the SGSB (which can).  Former Seattle City Light CISO and current Verizon control systems security ace Ernie Hayden gave a keynote presentation at the recent ISO New England and New York ISO Energy Conference held in Boston, and we've got it for you.

If you don't know ISO, it stands for Independent System Operator, a term which is often used interchangeably with another acronym: RTO, or Regional Transmission Organization. In North America, these organizations are like referees and traffic cops, trying to keep the peace among utilities and ensure the smooth and reliable flow of appropriately priced electricity across multi-state regions.

It's good to see Security get such a prominent platform at a high profile industry event like this. Certainly a sign of the times.  Ernie's slides will take you through the past, 2013/present and future of grid security, and though some of the info would clearly benefit from his accompanying narration, a lot of this works quite well as is. And if you really want the audio, then I'm sure Ernie will agree to come to you and do it again, as long as you treat him right.  URLs below.

-----------

Ernie Hayden deck

http://www.isoenergyconference.com/pdf/Ernie-Hayden-Keynote.pdf

Conference home page

http://www.isoenergyconference.com

All the NIST Critical Infrastructure Security RFI Responses You Can Eat

Re: the many and various submissions from companies and individuals to NIST, someone who knows more than a few things about grid security recently tweeted twice thusly:

Reading - and in many cases laughing at - #NISTCSF responses

and ...

The responses? Mostly neutrally irrelevant, some nonsensical. I've marked only 14% so far for "real" read later

I just want you to set your expectations bar sufficiently low before you click HERE and read all of the responses.

By the way there were a few good and very good responses too.

If, after reading, you not only feel like you have something to suggest that hasn't yet been suggested, but you also want to physically transport and immerse yourself in this grand sausage making activity, then ...

For more information on the 2nd workshop coming up in late May in Pittsburgh, and a link where you can register, click on THIS.

Photo credit: @Doug88888 on Flickr.com

SGSB notes from NIST's Critical Infrastructure Cybersecurity Framework Workshop

Long title, eh?  Cranking this out just before heading back to Beantown from DC/Reagan airport so please be more tolerant than usual of typo's, lack of narrative, lack of clarity, weak grammar, lack of a point, etc. ...

ICS-ISAC Chair Chris Blask, pictured above (long hair on right), waited very patiently at a microphone that seemed like it was for audience use, and ultimately got his turn, in which he asked a long question phrased like a long statement.

Boxing the Fundamental Assumptions of Cybersecurity Risk Management

Here's something to wrap your head around (or more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development processes, an effort begat by the recent Presidential Executive Order.

Many in our community love to talk about risk management as the common sense, business oriented antidote to the mandatory and therefore inflexible and slow moving instructions in the NERC CIPs.

You could certainly put me at least half in that camp.  Well, after reading THIS sharp Brookings paper from Ralph Langer and Perry Pederson, that half of me is feeling a little wobbly.

Metrics Mark the End of Faith-based Cybersecurity

Thanks to Dark Reading for covering the RSA 2013 metrics panel and for the article: "Governance Without Metrics Is Just Dogma."

To whom do we owe this powerful and provocative headline? Not the editors at Dark Reading, though they were smart enough to grab it and put it at the top. It was Alex Hutton, an Operations Risk and Governance director at Zions National Bank.

In case you're not used to seeing the word dogma in this context, let's refresh ourselves with a definition (thanks Wikipedia):

Dogma is an official system of belief or doctrine held by a religion, or a particular group or organization. It serves as part of the primary basis of an ideology or belief system. 

NIST Critical Infrastructure Cybersecurity Framework RFI and Workshop Details

We're about a month away from the first NIST workshop to help create the new framework described in the recent Executive Order, as well as from the 5 pm, USA ET, April 8 deadline to submit responses to the RFI.

To refresh, here's what they/we are trying to do:

The goals of the Framework development process will be: (i) To identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) to specify high-priority gaps for which new or revised standards are needed; and (iii) to collaboratively develop action plans by which these gaps can be addressed. It is contemplated that the development process will have requisite stages to allow for continuing engagement with the owners and operators of critical infrastructure, and other industry, academic, and government stakeholders.

If you are so moved and have something to say (and NIST and I hope you do), here's how to submit your ideas and recommendations:

Old School

For those who prefer to communicate longhand by dipping your peacock feather quill into the inkwell on your vintage desk, "Written comments may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899."

DHS' CSET: a Remedy for Electric Sector Security Measurement and Reporting Complexity Pains?

Sorry about that ridiculously long title, but felt it couldn't be helped this time. Thanks to Dr. Les Cardwell of Central Lincoln PUD, a publicly owned utility serving communities on the coast of Oregon.

Les wrote in and shared some of what he recommended to NIST and DOE regarding the recent RFI on the "Framework for Reducing Cyber Risks to Critical Infrastructure."

I'm not going to reprint the entirety of his submission, but will share with you two things here. First, Les' articulation of the need for a way to keep complexity in check as we go about this search for a new/better security framework for our community:

CNAS Provides a Good Way to Grok the Executive Order

First of all, Happy Valentines Day, SGSB readers.  Hope you are finding as much success in your love lives as you are in your careers securing (or caring about securing) the most critical of critical infrastructures.

Yesterday found me walking down the street in Washington DC a little before noon, when suddenly I ran into some friends, old and new, who had just popped out of the US Department of Commerce. They witnessed directly, and gave me a  first-hand account, of the birth of the administration's Executive Order (EO) on better securing the nation's critical infrastructures.

California PUC to Host Cybersecurity Discussion

This is great because apparently you can participate in person in San Francisco (who wouldn't want to visit?) or in a remote fashion. Here are some of the details for  you:

WHEN: Feb. 27, 2013, 1:30 p.m. – 3:30 p.m.

Opening remarks will be made by CPUC President Michael R. Peevey and the event will be moderated by Gary Ackerman, Executive Director, Western Power Trading Forum.

Panelists:

• Commissioner Terry Jarrett, Missouri Public Service Commission
• Tim Roxey, North America Energy Reliability Corporation
• Steven Dougherty, IBM
• James Sample, Pacific Gas and Electric Company

WHERE: CPUC Auditorium, 505 Van Ness Ave., San Francisco, CA, USA

VIRTUAL WHERE: www.californiaadmin.com/cpuc.shtml

You can submit questions on advance to thoughtleaders@cpuc.ca.gov.  Pretty nice, right? Wonder if other states or maybe countries will follow suit?