Showing posts with label resilience. Show all posts

Monday, November 17, 2014

Energy Security Postscript and Next Chapter

Long-time readers of the SGSB might have wondered if they'd ever see another post. Me too. After producing an average of 1+ posts per week since its inception 5 years ago, I cut way back after leaving IBM in 2013 to give myself more time to focus on consulting. And now there's a new development to report.

Four months ago I shuttered my security strategy business and began my first day on the job at Idaho National Laboratory (INL). It's one of the Department of Energy's national labs, and it's the one most squarely positioned at the intersection of energy infrastructure and national security. Let's call that energy security.

My INL title, Senior Cyber & Energy Security Strategist, may sound a little pretentious, but it pretty accurately captures what I was hired to do. If you visit the lab's home page or the INL Twitter feed, it seems like nuclear energy research and related nuclear work are its dominant activities. But while nuclear energy research and fuels fabrication were its origin in the 1940s and its historic mission, with the help of its massive and remote test range that includes grid-scale transmission, distribution and communications assets, the lab I just joined does a ton of research and applied work on power and industrial control systems, Smart Grid and wireless communications, cyber and physical security and resilience, renewables, microgrids, energy storage and more.

Nuclear energy R&D and full nuclear fuel lifecycle work (including nonproliferation) will always be a significant part of the nation's requirements and the INL mission, and nuclear energy is arguably the most reliable portion of our non-fossil-fuel baseload, but INL is quietly becoming something much more - and more important - than its nuclear legacy might suggest.

Without going into too much detail, the lab's customers now include not just DOE's nuclear energy organizations, but also DOE's renewables, resilience and cyber-physical security components too. DHS has become a major customer, as the lab hosts the ICS-CERT cyber security overwatch function for the US grid and other critical infrastructures, and performs other leading edge cyber and physical security roles as well. DoD is a very large customer too, for energy, security and communications test functions, rounded out by direct work with utilities and energy and telecom technology suppliers.

In short, INL in 2014 is not the lab many people think it is. While it's yet to update its image online, a visit to Idaho Falls quickly confirms that this is one of the nation's preeminent Energy Security lab resources. Nuclear energy is and likely always will be a key element, but without making much noise about it, INL has become so much more, and I'm very very lucky to be a part of it.

------------------------------

Postscript to the Postscript post: Though my blogs are in suspended animation, I continue to speak in public and, albeit more frequently and tersely, on Twitter @andybochman. As the Twitter profile reveals, I continue to work out of my home office in Boston while hitting the road most often for DC, and of course, now, Idaho.


Tuesday, February 26, 2013

The Future of Naval Installation Energy

Posting this one for SGSB readers who might not otherwise see relevant content on the DOD Energy Blog. There's a lot to admire, and learn from what the Navy is doing in Washington DC and the surrounding region. Check it out ...
-----------------------
As projected several years ago in this great 5-minute video, paving the way for demand management, energy efficiency, microgrids, support for renewables and all manner of support-the-mission, energy security goals (with cybersecurity baked in).



From all accounts, the folks involved with this initiative are right on schedule and are meeting their objectives. Recommend you keep an eye on this.

Wednesday, February 20, 2013

DOE Seeks Your Ideas for Better Grid and Smart Grid Security

Thanks to my colleagues JSK and SG for initially sending this my way, and given the news lately, how timely it is!

A new Department of Energy (DOE) funded project seeks:
... applications to conduct research, development and demonstrations leading to next generation tools and technologies that will become widely adopted to enhance and accelerate deployment of cybersecurity capabilities for the U.S energy infrastructure, including cyber secure integration of smart grid technologies.

Monday, February 11, 2013

Conference Alert: AGRION Energy & Sustainability

On Feb 19, one of the year's best energy and sustainability conferences will be kicking off in NYC. It's organized by a great org I've become familiar with recently: AGRION, a global business network for energy, cleantech and corporate sustainability.

On the second day, following a morning keynote by PSE&G CEO Ralph Izzo, I'll be moderating a panel of experts on the topic "Smart Grid Market: Scope and Scale":
  • Kevin Genieser, Managing Director & Head of Clean Energy & Renewables, Morgan Stanley
  • Joe Callis, Sr. Applied Solutions Engineer, PJM Interconnection
  • David Groarke, Smart Grid Senior Analyst, Greentech Media
To be sure, I'll work in an appropriate amount of security substance. After all, you can't deploy a Smart Grid that's easy to disrupt, right?

You can see the full agenda, list of speakers and venue details HERE. Hope some SGSB readers can make it.

Sunday, July 15, 2012

No Day at the Beach: The Rationale for Breach Practice


Here in the Northern hemisphere, where approximately 90% of SGSB readers reside, it's summer. In Europe (pre financial crisis Europe, anyway), it's time to throttle back and head for the beach. In the US and other parts of the world where long breaks are less common, beach time remains, for most, a scarce commodity.

Certainly with record heat waves driving air conditioning use way up, energy workers need to be on their toes, not dipping their toes in ponds, lakes or oceans.

Because I subscribe to McKinsey & Company's Quarterly cybersecurity newsletter, I had the good fortune to come across this article yesterday: "Playing war games to prepare for a cyberattack".

We've talked on this blog before about the need for resilience, as in THIS POST from earliest 2012 citing statements on the subject from PJM CEO Terry Boston.

To me, awareness and acknowledgement that you have endured successful attacks, are being attacked or at least scrutinized right now, and will come under increasingly heavy and varied fire in the future, is a key indicator of whether your organization is reality based ... or not.

If your company is reality based, and you haven't been running practice breaches yet, now's a good time to start, and the McKinsey piece gives you a framework for getting started.

I won't pull any citations from it, though it's full of goodness, but rather leave you with this sharp comment from a UK-based reader:
In this still-nascent area of corporate risk and reputational vulnerability, the understanding of precisely who has responsibility for what should the worst happen isn’t good enough. We need new governance structures to provide more robust ownership, and in the interest of all stakeholders (customers, staff, shareholders, suppliers etc), we need a better reporting framework to ensure that public confidence in our most important IT and network-reliant brands is maintained.
Ah yes, the need for better security governance and better structures. Nothing like an actual impactful data or systems breach, or the realistic trial of dealing with one, to show you you're not organized to deal with it the way you'd want to be. 

Practice might not make perfect, but it can only serve to improve your understanding of the challenges, and may give you the fodder you've got to have to drive the changes you need.

Now, where's the suntan lotion?

Tilted Photo credit: ToddonFlickr 

Monday, January 2, 2012

PJM CEO Speaks Out on Cyber Security and Resilience

In an interview published a couple of weeks before Christmas, Linda Evers of the excellent Smart Grid Legal News blog conducted a brief Q&A with the PJM CEO Terry Boston and got quickly to the subject of grid cyber security.

PJM, in case you're new to this, is the Pennsylvania-New Jersey-Maryland Interconnection, an RTO that balances power and oversees wholesale transmission markets across thirteen states and the District of Columbia.

When Evers asked the classic "What keeps you up at night?" Boston responded:
Cyber security. It has changed in the last three to four years. It’s no longer just a matter of trying to keep kids out of the system. Making sure we have security built in not bolted on to all of our networks and systems is probably the most important part of what we do. You have to realize this is a new world we’re in. We have to be very diligent, and we need resilience. Resilience is the ability to recover after a breach or intrusion.
Can't help but feel this approach is realistic and fully in tune with the times, especially in light of the numerous cyber security attacks of 2011 that successfully targeted many different sectors.

With or without a forward-leaning CEO, utilities are regulated to think this way to a certain extent. NERC CIP 009 - Recovery Plans for Critical Cyber Assets insists that asset owners make plans for responding when their cyber systems are under attack, including when they fail outright or come under the control of the attacker. NERC also wants to see evidence that regular practice sessions and exercises are being conducted, though I don't know how detailed and realistic these exercises are. Looking at the language of CIP 009, it appears that an exercise of some kind, once a year, may suffice to get a clean bill of health in this category.

In my mind, connecting the dots from the reliability of cyber systems to the reliability and quality of performance of generation, transmission and distribution equipment and revealing the potential impacts to the utility and its customers is the work required to build the case for bolstering resilience efforts.

Greatly appreciate it when senior energy-sector leadership articulates practical approaches to dealing with always evolving cyber threats. Feels like a great place to start for 2012.