NIST Critical Infrastructure Cyber Security Framework (#NISTCSF) Effort Steaming Ahead

Five hundred souls or so are expected in sunny San Diego this week for the 3rd round of meetings intended to produce new cyber security guidelines for operators of US critical infrastructure.

This article gives you the most recent update on status including cares and concerns related to privacy, business case, and getting senior management buy-in to even consider following this framework in the first place:

http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/nist-meeting-poses-major-test-for-obama-cybersecurity-push/menu-id-1075.html

It references this DHS doc from earlier this year that attempts to pave the way for CEOs to become more engaged in their organization's cyber security efforts, called Cyber Security Questions for CEOs:

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

Lastly, if you want to see more of the process without actually getting your feet weight (or getting on a west-bound plane) here are a few resources for you:

The emerging framework itself: http://www.nist.gov/itl/cyberframework.cfm

Details on the San Diego workshop: http://www.nist.gov/itl/csd/3rd-cybersecurity-framework-workshop-july-10-12-2013-san-diego-ca.cfm

Live webcasts of the proceedings can be viewed via these URLs:

Day 1 (Wednesday) Webcast: http://www.youtube.com/watch?v=3hJww5_BDSQ
Day 2 Webcast: http://www.youtube.com/watch?v=SLVW0vFw0gI
Day 3 Webcast: http://www.youtube.com/watch?v=-9hORcAcXNA

I'm flying out today, along with a few of my IBM colleagues. Looking forward to seeing some of you there.

Photo credit: The San Diego Union-Tribune

CPUC's Villarreal is the Real Deal for Grid Security from the US States' Perspective

From cybersecurity to privacy, the Green Button and security metrics, this recent deck from the California Public Utility Commission's (CPUC's) Chris Villarreal covers the entire grid security waterfront from a (very big) state's point of view.

This is well worth your time if you're a regulator in another state, a regulated entity in any state, or you just want to get a better feel for the way this process is evolving.

Note links on last slide to excellent CPUC security white paper by Chris and his security savvy colleagues, Liza Malashenko and J. David Erickson, and to NARUC's excellent "Cybersecurity for State Regulators 2.0" guide. There are other states upping their cybersecurity game as well, but California and Texas have been the two trailblazers. Of that there is no doubt.

----------------------------

URL for this deck, which accompanied Erfan Ibrahim's SG Educational Series webinar:

https://docs.google.com/file/d/0B83Q27_xggOTV3JpVTlSNnRGNGM/edit?usp=sharing

URL for another nice write-up on the work of Chris and his colleagues, from Greentech Media's Jeff St. John:

http://www.greentechmedia.com/articles/read/smart-grid-cybersecurity-the-california-way

Conference Alert: Security at Distributech 2013

The annual electric sector conference in North America is coming up next week in San Diego. Called Distributech, the 7,500 or so attendees will peruse booths featuring the latest reclosers, transformers, comm gear, outage management systems, etc.

They can also peruse me, as I'll be at the large IBM booth alongside colleagues discussing solutions for:

• Smart Metering and AMI
• Distributed Energy and Electric Vehicles (EVs)
• Asset Management
• Grid Operations
• Communications and Cloud

And of course, security, privacy and compliance. I'll be there with my security consulting services colleague and industry veteran, Steve Dougherty. Will also be doing a 30-minute auditorium session called "Utility Cyber Breach Scenarios & Responses" which should be a good one.

If you can make it, here are the details:

• Dates: 29-31 January
• Venue: San Diego Convention Center 
• URL: http://www.distributech.com/index.html

While the conference is going on, will be tweeting highlights from @sgsblog. Lastly, if you aren't attending, will be happy to share findings and observations afterwards on the blog and/or via other means.

Photo credit: Wikimedia.org

Great Video: Latest Utility CEO on Cybersecurity

Another CEO joins the emerging chorus of senior energy sector executives not just tuned in to the strategic nature of cybersecurity and privacy challenges in the Smart Grid era, but willing to speak out about it. Also hits some good notes re: supply chain issues as well.

Thanks to Jessie Knight, Chairman and CEO of San Diego Gas & Electric (SDG&E). And hat tip to IBM colleague Tracy A and SmartGridNews.com for sending me this.

Electric Sector Security Metrics Mother Load

Not all are technical metrics, nor are they all technically, metrics.

But in the space of just a few months this summer, North American electric utility executives and their security leadership have seen a spate of new guidance documents published that intend to help them manage, monitor, and measure the effectiveness of their cyber risk mitigation strategies and controls.

Where once there was just the cross-sector ISO 27000 series to steer your security course by (or for Federal folks, FISMA), there are suddenly a near handful of freshly minted how-to manuals at their disposal:

DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)
Metrics for utilities to use to baseline and gauge effectiveness

DOE’s Electricity Subsector Risk Management Process (May 2012)
Helpful translating cybersecurity into risk management framework 

NARUC's Cybersecurity for State Regulators (June 2012)
Questions utilities will be asked by their state public utility commissions

NIST’s NISTIR 7628 Assessment Guide (Aug 2012)

And if you live in or keep an eye on California, then there’s the metrics work and data privacy rules of the California Public Utilities Commission (CPUC) to consider. It’s working collaboratively with the three big investor owned utilities (IOUs) to bring Smart Grid metrics to fruition, and despite some initial skirmishing, seems resolute in adding security metrics to the mix.

So now maybe the guidance utilities need most is: with limited resources already maxed out on NERC CIP related activities, how to select and implement the best and most helpful pieces from the list above.

Ironic, is it not, to hear the SGSB describe a flood of security metrics in our industry?

Conference(s) Alert: EnergySec and GridSec coming up

These are the two longest running energy + cybersecurity conference tracks in North America and both have  summits coming up this Fall:

http://www.energysec.org/summit
Sep 25-18, 2012
Portland, OR

http://www.gridsec.com/2012/summit/
Oct 22-24, 2012
San Francisco, CA

Click through and you'll see that both agendas are forming and speaker rosters are still being firmed up, but utility participation is on the rise and these are the real deal.

Also there's much more focus now on the security of operational systems, not just IT/Business.

Recommend you attend one of these, and if you can't, then at least pay attention to the articles, blogs and videos that come out of them ... some, hopefully, right here.

ENISA Again: 3rd Time's the Charm re European Grid and Smart Grid Security Policy

8/29 Update:

You still have a few days to register and get your plane or train tickets to Amsterdam. In one fell swoop, the existence of this 10/15 workshop, in itself, fully refutes charges of lack of US-European cooperation, as well as claims that control system security is ignored. Go HERE to learn more and register.

---------------------------------------

While of monologues many great political speech or play are constructed, it's through dialogue we reach understanding and consensus. Wait, who said that?

This blog first posted on the European Network and Information Security Agency (ENISA) and its recent recommendations for EU energy sector security earlier this month.

SGCC Releases Smart Grid Privacy Fact Sheet

In January of this year we gave you a privacy post related to the Smart Grid Consumer Collaborative (SGCC) from a panel session it organized the day before the Distributech conference in San Antonio.

Time has passed and now the same great org has produced a short, sweet, and very helpful fact sheet on Privacy for the layman, also known as the "man on the street", the "generalist", the "consumer" or from the electric utility industry's point of view: THE CUSTOMER.

The 2-sided sheet contains lots of helpful orienting bits like what's a "smart grid" and "what is a smart meter", but the part I like best comes near the end:

The privacy of electricity usage data is protected now and that will not change with the use of smart meters. Electric companies, the federal government, and the suppliers of critical electric grid systems and components are working together to strengthen consumer safeguards, develop a best-in-class data security model and enforce its implementation.

Talk about a pure pro-education / anti-FUD message. I am think I am in love.

Photo credit: Roland at Flickr.com

Smart Grid Privacy for Real

I find I like reading stuff by Jeff St. John at Greentech Media, because he covers all the bases. Almost a month ago he did a piece around San Diego Gas & Electric (SDG&E)'s use of the Ontario's "Privacy by Design" principles to ensure proper protections for their customers, and hopefully, in-so-doing, meet the requirements of the California PUC's privacy rules for the big 3 Investor Owned Utilities (IOUs).

I'll give him a little grief for this section:

... customers ... are worried that their smart meters will allow hackers, data thieves or other nefarious parties to know when they’re home and when they’re away, or to piece together other personal information. Sure, people tend to give away lots more personal information when they’re surfing the internet -- but they do so by choice, whereas smart meters are being installed on their homes without their direct permission. 

IMHO the additional behavioral information that can be gleaned from Smart Meters is incremental, not a game changing tidal wave of previously unknowable, super personal dirty laundry. And though no one, including the government, is making people: buy computers and smart phones, and no one is forcing them to use the web to buy things, consume entertainment, stay in touch with loved ones, get educated, find new friends, share secrets, do their banking, and even adjust their electrical plans, it would take an army to take that all away from folks now.

Survey after survey says they demand more self service, more flexibility and more options from their service providers. Smart Meters will eventually enable all of that and then some, so for me saying their having the meters forced on them is a bit of a rhetorical red herring. Like saying ATMs were forced on people. You want them gone too cause you weren't asked up front?

But I began by saying I generally like Jeff's stuff and this article is no exception. He handles citations from Ontario's Privacy Commissioner, Ann Cavoukian, with aplomb. I particularly like this one:

... the real threat utilities should be worried about is the dreaded privacy breach, Cavoukian said. Measured against the public relations and political ramifications for the smart grid of the possibility of a major loss or theft of customer data, “utilities shouldn’t be asking how much money it costs -- they should be asking how much money it will save,” to invest in privacy protection upfront, she said.

I won't throw numbers at you here, but suffice it to say that when you read about the weekly exposure of personal account information from successful cyber breaches of banks, retails, credit card companies, etc., one thing the public isn't exposed to are the amazing (and amazingly expensive) gyrations those companies go through to try and make things right. Picture boatloads of attorneys. Picture the mass combustion of 55 gallons drums worth of midnight oil. In other words, Cavoukian's got a point.

This is an interesting international collaboration between a Canadian province and an entity regulated by a US state. One thing they have in common is that both are very forward leaning in a number of ways, not the least of which is in their enthusiasm for modernizing the grid and grid systems. It's good to see that both acknowledge the responsibility to their citizens that comes with that.

And by the way, the other 2 California IOUs, Southern California Edison (SCE) and Pacific Gas & Electric (PG&E) are moving out on privacy and protection of customer data as well.

I'll leave it at that for now. Best thing you can do is read St. John's article yourself which you can do by clicking HERE. And be careful about what you put on Facebook ...

High Impact Cyber Security Legislation Looming for Utilities

My previous post referenced a recent preliminary report documenting how companies from all sectors are moving slowly to elevate security matters to the CEO and Board of Directors level. And hardly a day goes by where I don't suggest having more than a few empowered CSOs in our industry might start to turn the actual cyber security strategy tide as well as signal a culture change to all the grid's many stakeholders.

Like Congress for example.

Congress in 2011 seemed pretty sure that utilities and their regulators needed a few additional sticks to goad them into tightening up the overall security posture of the grid. That was the GRID Act, and when it passed the House but didn't get a Senate vote, the stage was set for a sequel.

And so here it is: the cross-sector Cybersecurity Act of 2012.

If you're a utility with too much on your plate today what with modernization initiatives, aging workforce and aging equipment issues, PUCs starting to impose new rules on how you handle and protect customer data, NERC CIP version 3 looking like it's going to morph into a much more burdensome version 4 or 5 soon, the last thing you need is another oversight agency asking you to demonstrate compliance with new regulations.

Well, that's exactly what the DHS-centered new act is. And if it passes in anything like its current form, utilities are likely to like it about as much as you'd think they would. According to Jody Westby writing in Forbes ... not much. For example:

With overtones of Sarbanes-Oxley, the bill also requires the owners of these systems to either certify annually to DHS and their sector agency whether they have implemented security measures to satisfy the performance requirements or submit a third-party assessment. Even if a company subject to the provisions of the bill can obtain an exemption by demonstrating that it is sufficiently secured or in compliance with the risk-based performance requirements, it must undergo this process every three years.

I recommend you read her whole Forbes article, take 4 Advil, and call me in the morning. Or better yet, email, if you think Westby is making a mountain out of a legislative molehill. Or vice versa.

Notes from Smart Grid Consumer Collaborative (SGCC) Privacy Panel at Distributech

Just a couple things for you here related to privacy. First, here's a link to the good organization that sponsored this event, the SGCC.

One of my co-panelists from a Texas utility brought up a great point I thought ... a challenge that's facing most utilities these days, when she said that a big challenge for her team is how they can know, with confidence, if a 3rd party really has been authorized (by the customer) to access their data. That's a part privacy, part security question, and I'm going to have to ponder that one a bit, and maybe bring in a larger brained colleague or two.

So why does the SGCC need to exist?  First, it funds the research that provides a wealth of great consumer and marketing data to utilities, regulators, and other interested stakeholders. You can click HERE to get their 2012 State of the Consumer report (brief registration required).

But here's another reason, and we talked about this a little on the panel.  It's because absent a sane and sensible, reality-based organization like SGCC getting the facts out, many consumers might be swayed by the fear, uncertainty and doubt (FUD) they're exposed to in the mainstream media as well as in newer channels like Youtube.

This video you're about to see has been watched 1.5 million times, and during its 4 minute run-time the narrator calls smart meters" "power company surveillance devices" and closes with what has to be one of the greatest pieces of alarmist hyperbole I've yet come across. I think you'll like it too:

Those friendly guys on the sidewalk (utility servicemen and women) told me they plan to put a smart meter on every house in America. If they do that, it will no longer be America.

Jeez Louise. Good night America. Good night and good luck. Here you GO.

-----------------------------

And just in, here's a great reader response to the smart meter scare video above:

You’d think there would be more of an outcry over the fact an ISP can see everything they do online, mobile phone carriers can see every incoming and outgoing call and SMS, triangulate their global positions, etc., traffic cameras and OnStar know where their car is at all times, and yet they are worried about someone being able to see their energy data? Maybe opponents should just build their own private power plants and take themselves off the grid completely.

The day may come to pass when that last suggestion is feasible for the mainstream. But for now, your local utility is still far and away your best bet for large quantities of reliable and reasonably priced electrons. Why not help them as they help you, by letting them upgrade equipment to improve their own operations, and serve you and your fellow customers better? I'm just saying ...

SGSB at Distributech 2012 and Smart Grid Consumer Collaborative Symposium

Howdy Y'all. Just an FYI that I'll be attending and working at the IBM booth at this year's Distributech conference in San Antonio, Texas, which runs January 24-26. And the day before, will be speaking on a privacy panel at the Smart Grid Consumer Collaborative in the same location as Distributech: the Henry B. Gonzalez Convention Center.

In case you haven't been to it before, Distributech is the premier annual electric sector conference and exhibition in North America and it draws a large, global audience. Here's a link for D'Tech. And while we're at it, here's a link for the SGCC symposium.

If you want to accost me about current electric sector security topics and/or find out more about what IBM is doing in the cyber security space (including a massive new re-org around security), please swing by.

Also, for those of you who use Twitter, will be tweeting from the conference and maybe the symposium, using some or all of the hashtags below:

• #DTech
• #IBMSmartrEnergy
• #SGconsumer
• #SGSblog

Photo credit: StuSeeger on Flickr.com

European Smart Grid Cyber Security through American Eyes

You know, there are ways in which the EU Smart Grid Security & Privacy standards process mimics the structural problems that have so far stymied solutions to the EU budget crisis:

The initiatives are not harmonized. For example, the Netherlands’ approach to smart meter data privacy would be illegal in Germany because it forces a choice between personal data privacy and energy efficiency. Yes, the much loved opt-in has been outlawed in Germany.

See that? This is from Pike Research security analyst Bob Lockhart, who had the pleasure of attending the  recent European Smart Grid Cyber Security in Amsterdam. Bob's been keeping a close eye on security standards forming and evolving in North America, and we've both talked and wondered out loud about how things were going in Europe.

Well, it's seems like they're not going as well as they could be. Here's Bob again:

There is an entire document in the NISTIR 7628 series – Volume 2 – devoted to Data Privacy, an issue of great concern to European nations and their citizens. Someone suggested why not start with NIST’s cyber security guidelines, overlay European Data Privacy guidelines, and call it done? I am still trying to work out why that is not the answer. Instead there are ... five other efforts, all of which freely admit that they love the NISTIR documents, creating ... or recreating a new set of smart grid cyber security [and privacy] guidelines.

Bob goes on to talk about the need for urgency and haste, but you can just tell nothing's going to happen fast on that side of the Atlantic. And we thought things were slow on this side!

C'est la vie.

You can read his full post HERE.

GridWise Global Forum (GGF) - Privacy Panel Perspectives

Couldn't tweet this one as I was on the panel, but yesterday (day 2) we had an excellent session expertly and amiably moderated by David Leeds of GTM called: "Smart Grid Data: Insights, Privacy or Both."

Excellent fellow panelists included:

• Lee Tien, Electronic Frontier Foundation
• Vesa Koivisto, Fortum Corporation (Finland-based utility)
• Elias Quinn, Colorado PUC (former consultant)
• Daniel Cleverdon, DC PUC

Here are a few take-aways for you:

When California's Privacy and Data Security decision came up (as we all knew it would) Dan Cleverdon said (and I'm paraphrasing here) that "every state PUC is all over it, and they'll deviate from it at their own peril."

It's great to have a precedent, isn't it?  California, as it has so many times before, has done its homework and is blazing a trail on data and privacy for the US. So far the consensus seems to be they did a good job, so as Dan said, a state will have to justify itself when it heads in a different direction, as some likely will. This is good process I think.

Lee Tien cited a long established example of trust between an organization and the public: the USPS has been carrying and delivering and not reading your mail for over one-hundred years. It's been done before and it can happen again with the utilities.

Vesa Koivisto described the way electric bills have been presented to customers in Finland, with 11 monthly estimates followed by an end-of-year adjustment (up or down). Pretty familiar, right? He contended that this wasn't a great way to establish trust and that if utilities could simply provide their customers with timely and accurate billing information, that would go a long way towards establishing a better relationship and trust. Great point.

Well, that's good news then, because thanks to AMI and Smart Meter deployments, this is the experience many customers are enjoying today, and many are getting even better visibility than that. Before you can have a trusted relationship you have to have a relationship, and accurate bills are a big step in the right direction.

Prompted by a lead-in by David and a question from the audience, we had a mini debate about how much of an individual's personal information is already exposed via social media, online transactions, smart phones, cable television, etc. and how much more could be revealed by Smart Meters and home area networks (HANS). We kept it civil and decided to research this question in more depth as a team, and maybe produce an infographic that could be useful to the industry ... and to the public.

Lastly, in my opening monologue I pledged to share a couple of information governance best practices from other sectors, and while I recalled one: frequent auditing (internal and external) of privacy policy and controls, I blanked on the second. Well, now it's come to me: the other one was about practicing for privacy-related data breaches. Make the whole organization get a visceral feel for what it would be like, and pressure test policies, procedures and technical security controls to see how they hold up in the heat of a (simulated) real world event. Practice makes perfect, as the saying goes.

All-in-all it felt like an educational and entertaining 90 minutes. The panelists, myself included, seemed to think we covered some worthwhile ground (credit goes to the moderator), and from the GGF audience feedback I got, it seemed they liked it too.

Getting Smart at GridWise Global Forum this Week

This just in from the SGSB social media desk - I'll be at the Reagan building in DC starting tomorrow armed with MacBook Air, Twitter and Blogger to both speak at and cover this year's GridWise Global Forum (agenda HERE).

Will be paying particular attention to the opening keynote moderated by IBM Energy & Utilities sector GM Guido Bartels with DOE Secretary Steven Chu and Uzi Landau, who runs Israel's Ministry of National Infrastructures (Tues at 12:45 pm ET), and the following panels:

• "Guarding the Grid: Smart Grid and Grid Vulnerability" (Tues at 4:30 pm)
• "The Technology Horizon: Future Trends and Potential Disruptions" (Wed at 8:30 am)
• "Smart Grid Data: Insights, Privacy, or Both" (Wed at 10:30 am)
• "Smart Grid and the Regulatory Landscape: Evolution or Revolution" (Wed at 1:30 am)

Two of these sessions will be broadcast live (and free) by our friends at Greentech Media. Follow THIS LINK to tune in at the appointed times to "Guarding the Grid" and "Smart Grid Data."

BTW: will using the #IBM@GridWise hashtag for denizens of the Twitterverse.

Conference Alert: European Smart Grid Security & Privacy

Lately, my work has included significant amounts of privacy, data security and information governance, so that makes this conference coming up in two weeks, with its mix of security and privacy, seem particularly helpful and timely. 

In energy sector, privacy has been primarily associated with Europe and Canada in the past, but now that the California PUC has ruled on customer usage data privacy, we're expecting to see it come to the fore in the US as well.

Here are the details if you want to check it out:

• What: European Smart Grid Security and Privacy
• When: Nov 14 and 15
• Where: Amsterdam

For more info on the conference and to register, click HERE

For more info on the venue, click HERE

BTW - if you have a chance to walk around Amsterdam and crave food that's fast, good for you, inexpensive and extremely fresh and tasty, I found Wok to Walk my last time there and loved it.

Photo credit: Leo-seta on Flickr.com

Covering the 3rd Smart Grid Security Summit

Have iPad with Twitter app loaded: will travel. When I'm not tripping over words as a moderator or panelist over the next two days, I'll try to give you a feel for who's saying what here in San Diego.

I came in late today and caught the tail end of the privacy workshop. Then onto a social gathering sponsored by the Canadian Consulate in a so-called Tiki room (see reference image above - conference attendees, you decide), where we got a little more privacy, courtesy of the Ontario Information and Privacy Commission. Other workshops today covered advanced AMI security and security testing.

All good stuff, and ready to dig into security topics tomorrow. For Twitter followers, will use #smartgrid #security and #sgssummit. And once again, here's the conference site.

Photo credit: http://www.nuthousepunks.com/blog/

Smart Grid Security Social Metrics

For a bunch of tech geeks and policy wonks, the folks in our community sure do like to congregate and socialize. There are a spate of new conferences coming up, the most temporally proximate being next week's EnergySec Smart Grid Security Summit West in San Diego.

I'll be there speaking on security metrics, including the IBM-initiated Smart Grid Security Maturity Model (SGSMM) as well as the developing IEC 62443 2-4 standard. One way to think of these two projects is that the former seeks to look at security maturity from an organizational (i.e., utility) perspective, while the latter employs technical metrics to evaluate, and in some circumstances, certify, products, depending on their levels of security goodness.

Will also be involved in a panel comprised of the participant orgs in the Risk Management Process (RMP), including DOE, DHS, NIST, NERC, as well as NRECA and a CA utility. Among other things, we'll be talking about the draft RMP document, currently out for public comment. Click HERE for that.

But if San Diego is too soon, or too far away, or too comfortable for you, you've got three more options to socialize with Smart Grid security folks in coming months thanks to the London-based SMi Group:

• European Smart Grid Cyber Security and Privacy – November in The Netherlands
• Oil and Gas Cyber Security - November in London
• European Smart Grid Cyber Security and Privacy – March 2012 in London

Hope you can make one or several of these. They're definitely useful for working out some of our more intractable issues face to face. And they usually serve adult beverages at some point as well.

California Shows the Way with Customer Electricity Usage Data Security & Privacy Ruling

Show me another state (or country for that matter) that's doing this much. The California Public Utilities Commission (CPUC)'s proposed decision became a decided decision while I was away, so if you haven't had time to check it out yet, here's a good short summary from IDC's Usman Sindhu.

In play are:

• HAN networks (for real)
• Real-time pricing signals for consumers
• 3rd party access to usage data with customer consent
• New security and privacy rules for the big 3 CA IOU utilities with CPUC oversight

But if you insist on reading the entire ruling, then by all means, click HERE for it. I won't try to stop you.

From the Left Coast comes Big News on Smart Meter Data Privacy Regs

No time to pontificate on this now, but wanted to make sure you saw the news. CPUC's formerly proposed decision has just become a decision. One, the implications of which, could ripple across the US and impact future Smart Meter and Smart Grid deployments. See the Jesse Berst quick take on it HERE.