Showing posts with label risk management.

Wednesday, March 5, 2014

Energy Firms Not Ready for Cyber Insurance?


Or so says corporate underwriter and veteran cyber insurance provider Lloyd's of London, in a BBC article last week:
Any company that applies for cover has to let experts employed by Kiln and other underwriters look over their systems to see if they are doing enough to keep intruders out. Assessors look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks of hardware that can span regions or entire countries.
Sadly, as the article goes on to say:
After such checks were carried out, the majority of applicants were turned away because their cyber defenses were lacking.

Tuesday, February 25, 2014

Where do Today's Electric Utility CEOs come from, and what do their Origins Mean for Grid Security?


I remember once thinking, naively perhaps, that most utility CEOs must have come up through the ranks, like generals in the military, with hands-on operational engineering experience garnering them the respect of their peers and subordinates along the way.

When I shared that concept last year with a 40-year industry veteran who'd done his time in generation and T&D, he schooled me, saying that while that used to be the case, it's not the norm today. He said more often you'll find someone with a finance background, often imported from sectors outside power.

Friday, February 21, 2014

Thoughts on "Risk and Responsibility in a Hyperconnected World"

Hat tip to Tim Dierking of Aclara for spotting and forwarding this January 2014 World Economic Forum / McKinsey report: "Risk and Responsibility in a Hyper-connected World." Tim pointed to a couple of excellent sections on cyber resilience and future scenarios which you'll find within, but I'm going to call out a different selection for your immediate consumption.

What follows is taken directly from the McKinsey summary, which, while not energy-sector specific, is right on the money, IMHO, on the culture, leadership and organizational dynamics aspects of what's needed to do security right in 2014 and beyond. Here you go:
A CEO-level issue 
Given the trillions of dollars in play, the stakes are high. And given the range of social and business issues that cyber resiliency affects—for example, intellectual property, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction—it can only be addressed effectively with active engagement from the most senior business and public leaders. 

Wednesday, October 16, 2013

Special Conference Alert: Risk Management-Focused NARUC Annual Meeting


This NARUC Annual Meeting is called "Managing Risk: Protecting Consumers and Critical Assets" and yours truly will have the honor of participating as a panelist.

As per usual, here are the basics:
  • Where: Orlando Hilton Bonnet Creek, FL
  • When: 17-20 November 2013
  • To Register: click HERE
Here's a press release for more flavor, and here's the agenda.

The Sunday afternoon panel I'm on is called: "Risk Management in Action: Challenges and Opportunities for Implementation", and here's the narrative description of what we'll be discussing:

There’s a lot of talk about the benefits of risk management processes to address cybersecurity, but how familiar are we with the actual implementation of these processes? Come hear panelists discuss the resources necessary to implement and maintain risk management processes for cybersecurity of our critical infrastructure. What are the bottom line impacts on owners’ and operators’ resources for implementing risk management? Hear from subject matter experts about the opportunities and challenges.

Should be great. Hope some of you can make it.

Photo credit: TripAdvisor.com

Tuesday, October 8, 2013

Heads-Up: The 2013 ICS Cybersecurity Summit is Closing In


We talked about this conference and many of its concerns a few weeks ago at the EnergySec Summit, and among other things, got a great presentation showing how one utility has built, and gotten great value from, its OT security test-bed.

There's going to be a talk on test-beds plus a bunch of other great presentations at the annual "Joe Weiss" summit, so if you have the interest, and the ability to get there, I highly recommend you do.

Here are the basics:
  • Dates: 21-24 October 2013
  • Venue: GTRI Conference Center, 250 14th Street NW, Atlanta, GA 30318
  • LINK for more info and to register
Photo credit: Jomi Thomas Mani @ Flickr.com

Thursday, August 22, 2013

NERC CIPs Catching up to iPhone Version Numbers


OK, imagine an auction barker: "Bids opening at NERC version 3, do we have a version 3? ..."

"Yes! How about version 4?" Etc.

Well, according to Honeywell's NERC CIP guru Tom Alrich (of the famous, eponymous and quite helpful blog), it now appears that the next version of the CIPs to which utilities must comply will be neither version 4 nor 5 but rather version 6!

I was stunned, as were many of those in online attendance. Tom explains his reasoning, and much more, on the EnergySec webcast, which you can see HERE. There's a lot of helpful information for utilities of all sizes dispensed in this hour-long piece, with some deep dives into the ramifications of high, medium, and low risk assets.

Now, depending on whether we get an iPhone 5s or 6 next month, it's clear that NERC will not allow the CIP versions to lag far behind.

----------------------------

I attended most of this webinar online, but hat tip to my former colleague and (hopefully) current friend, Nebraskan Dave Hemsath of IBM, for sending me the replay.

Photo credit: KCRW.com

Thursday, July 18, 2013

To Secure Your State Grid, First Know Your Public Utility Commission (UPDATED)

19 July 2013 UPDATE: Significant clarification just in from Terry Jarrett, Commissioner of Missouri's Public Service Commission and Chairman of the Committee on Critical Infrastructure at NARUC:
Actually, the NARUC Critical Infrastructure Committee's main focus has been cyber security for the past two years that I have been chairman. Last fall at our annual meeting, incoming NARUC president Phil Jones declared cyber security to be one of the themes of his presidency. To say that cyber will be given more attention in Denver than in the past simply is not factual. 
Thank you, Terry. I'll leave the original post below intact so you can see what Terry was referring to, but please keep his clarification in mind as you read it. ab

-- -- -- -- --

The Advanced Energy Economy Institute (AEE) has a great new site for helping you navigate your way around any of the 50 US states' energy landscapes, including commission leadership, energy portfolio mix, legislation and more. One topic you won't read much about, however, at least not without doing some substantial digging, is cyber security preparedness.

As readers of the SGSB may recall, we've given shout-outs to California and Texas, both states having cyber security knowledgeable professionals on their Public Utility Commission (PUC) staff, and there are a couple of other states now similarly equipped. Many other states, however, haven't yet made even a modest level of cyber security capability a requirement.

From the Business Roundtable (BRT) issuing guidance earlier this year on how organizations should better organize themselves to meet the rising cyber security risks they face, to a recent report drawn from mega-insurer Lloyd's of London's survey of CEOs and boards of directors at the world's top companies showing they now consider cyber security among the top three risks facing their companies, you could say it's well past time for all organizations, and particularly those with public authority and responsibility like state utility commissions, to ensure they are well informed.

Lastly, you should note that NARUC, the national body representing the interests of state commissions in Washington, has demonstrated excellent leadership by producing not just one but two versions of practical cyber security guidance for commissions in the past year. NARUC will be holding its annual summer meetings in Denver next week, and I understand cyber security is going to be given much more attention than it's received in the past. Hmm, maybe this is a good chance to jump-start your commission's cyber security program ....

Thursday, March 21, 2013

Boxing the Fundamental Assumptions of Cybersecurity Risk Management


Here's something to wrap your head around (or, more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development process, an effort spawned by the recent Presidential Executive Order.

Many in our community love to talk about risk management as the common-sense, business-oriented antidote to the mandatory, and therefore inflexible and slow-moving, instructions in the NERC CIPs.

You could certainly put me at least half in that camp. Well, after reading THIS sharp Brookings paper from Ralph Langner and Perry Pederson, that half of me is feeling a little wobbly.

Thursday, February 28, 2013

Heralding the Dawn of Critical Infrastructure Security Metrics


You may like this blog because of its emphasis on business-oriented security metrics and measurement. Or you may loathe it for the same reason (though if you do, you shouldn't still be visiting much).

Can't measure, can't manage. On this we agree, right?

So ... we're two weeks past the Presidential executive order (EO) that kicked off a new round of meetings that will ultimately produce a new NIST framework for grid security. You can read about the goals for this thing, including the RFI process HERE.

Thanks to EnergySec's Patrick Miller, who tweeted yesterday that this round of work is designed, among other things, to produce metrics that can be used to assess the current security posture of your organization.

Sunday, February 3, 2013

Alrich on Distributech's 2013 Cybersecurity Focus Panels

I couldn't make it to the panel sessions, but fortunately Tom Alrich could and did. Here are his short takes on 3 different panels:
Substation Integration and Automation: The Cybersecurity Landscape is Changing - Didier Giarratano of Schneider Electric discussed Role Based Access Control (RBAC) and how to do a good job applying RBAC to the challenges of substations. Anthony Eshpeter of SUBNET Solutions discussed “Complexities of Substation Cyber Security”. He provided a very good, lucid discussion – pointing out the need for solutions like those SUBNET sells but without ever making a sales pitch. Bradley Tips of Cisco addressed “Real-world Deployment of Network Security for NERC CIP Compliance”. A good overview of what CIP requires for a substation these days.

Monday, December 17, 2012

EEI on Electric Sector Cybersecurity, late 2012

David Batz (rhymes with yachts, not cats) is in a good position to know what he's talking about when he says:
Utilities are taking actions to mitigate and manage cybersecurity threats.
As Cybersecurity Director for the Edison Electric Institute (EEI), a DC-based industry advocacy organization that represents the interests of the vast majority of investor-owned utilities in the US, Batz is eminently credible, as he spends just about every waking hour working with utilities, various Federal and state regulators, and the companies that serve the sector.

At a recent conference in Arlington, VA, Batz shared some observations on the state of electric sector cybersecurity preparedness that I liked. Here's one:
In today’s world, cyber attacks and cyber hacking have become monetized and different ventures are using cyber attacks as a way to generate income .... This poses a problem for law-abiding citizenry and creates a problem for the electric sector.

Monday, November 19, 2012

Is the Smart Grid a Homeland Security Problem?

Last week I had the privilege of being on an IEEE/Department of Homeland Security (DHS) panel discussing the topic: Smart Grid: A Homeland Security Problem or Not? Talk about a title that begs the question.

My sharp co-panelists hailed from DHS, the Utilities Telecom Council (UTC), MIT, the University of Vermont and MITRE, and we were masterfully moderated by Emily Frye, also of MITRE.

Anyway, all I want to say here is that we got a great question from an audience member (and it was a very interactive audience!) that we were hard pressed to answer. It went basically like this:
If each utility were somehow given an infusion of $1 million (Dr. Evil's preferred amount), what would be the best, most security-impacting way for them to spend it?

Tuesday, October 9, 2012

Conference Alert: A Risk Management-Focused GridSec

Things have been changing over the course of the half dozen or so GridSec conferences of the last 3 years:
  • Increasingly, a risk management approach to security, rather than a pure compliance approach, is in evidence at utilities
  • Practical, business-oriented metrics and measurement mechanisms are being developed and used to increase visibility and understanding of current state and challenges, and to facilitate prioritization
  • Security requirements and incidents are being described in language more accessible to management and more aligned with core utility values and business drivers, including safety and reliability
  • More attention is being paid to Operational-side issues
What attendees will experience at the upcoming summit is an update on the evolution of grid security, privacy and compliance issues that reflects the bulleted points above.

The details you need to get/be there:

  • When: 22-24 Oct 2012
  • Where: PG&E head office, 77 Beale Street, San Francisco, CA
  • Web page for more info and reg: HERE

Lots of great speakers are lined up and the hallway talk is always interesting too. Hope you can make it.

Thursday, September 27, 2012

Attacks on Energy Equipment Vendor like Attacks on Defense Contractor


In 2009 reports emerged that attackers had breached defense contractor systems and stolen data related to the F-35 Joint Strike Fighter. Because it was never clear what was seen and what was stolen, we may always have some uncertainty about how much adversaries know about this plane's combat capabilities and other secrets.

In 2011 we got news that the same contractor was attacked again, albeit this time, perhaps, with less success.

Now comes a network breach of a major critical infrastructure telemetry and control systems manufacturer, and it sounds like they may have lost some of the design specs and software at the heart of one of their most important and widely deployed systems.

Tuesday, June 5, 2012

More Datapoints on the Current State of Electric Sector Cybersecurity Governance


In March we covered the preliminary CyLab report on the state of cross-sector security governance, and one of the things it taught me was that electric sector cybersecurity professionals are not alone in their quest to improve and increase the level of interaction and communication with senior executives in their companies, including the CEO and Board of Directors (BoD).

Other than financial services sector companies, whose reputation for being in the lead on security and privacy governance matters is corroborated, none of the other sectors covered (IT/Telecom, Energy/Utilities, Industrial) fares particularly well.

Well, the final Carnegie Mellon/CyLab report is out now, and it provides a lot more detail into which to sink one's teeth. You can begin with the press release HERE, or move straight into the 28-page full report HERE.

But with your limited time in mind, electric sector reader, I've cherry-picked a few salient nuggets for your more rapid consumption. First, an opening statement:
Interestingly, none of the energy/utilities sector respondents indicated that they have a Chief Risk Officer (CRO) even though their risks are high. The energy/utilities sector also places a much lower value on board member IT experience than the other sectors, which is puzzling since their operations are so dependent upon complex supervisory control and data acquisition (SCADA) systems.
Interesting: connecting IT experience with a foundation for grasping control systems security fundamentals. Certainly better than having no information systems background. And I didn't know CROs were rare in large utilities. Maybe the utilities that participated in this survey are not representative of the larger population for some reason. But I would have thought CROs were commonplace, even if their attention wasn't trained on cybersecurity risks.

Now let's go straightaway to the electric sector conclusions:
  • The energy/utilities and IT/telecom respondents indicated that their organizations never rely upon insurance brokers to provide outside risk expertise, while the industrials sector relies upon them 100%
  • Energy/utilities and IT/telecom sector boards are not adequately reviewing cyber insurance coverage
  • The energy/utilities sector places a much lower value on board member IT experience than financial, IT/telecom, and industrials industry sectors
And let's conclude with this recommendation, since it squares so nicely with one of the oft-repeated themes of this blog:
Review existing top-level policies to create a culture of security and respect for privacy
This CyLab report is an interesting complement to the recently released IBM CISO Survey, the results of which were discussed HERE last month. I'm always glad to add others' takes on how our sector is faring, even if the findings are less than glowing. The truth, as they say, and presuming it's present to some degree in these reports, will set you free. Hopefully free to make things better.

Image credit: Magnetbox at Flickr.com

Wednesday, May 16, 2012

Re-reminding you about NESCO's upcoming Electric Sector Risk Management Session


In a few weeks (30-31 May, to be specific) there will be another grid security and risk management conference. As someone who keeps an eye on all of them, I can say that not all conferences on this topic are created equal, and this one, run by the DOE-funded National Electric Sector Cybersecurity Organization (NESCO), appears to be one of the best.

I posted on it a few weeks ago HERE, or you can go directly to the event site HERE.

Photo credit: New Orleans Marriott

Tuesday, April 24, 2012

Town Hall Alert: NESCO Security Risk Management Practices for Electric Utilities



Here's news you can use. And to save you time, a la Joe Friday, just the facts:

When: Wednesday, May 30, 2012 - Thursday, May 31, 2012

Where: New Orleans, LA - New Orleans Marriott

Who (should attend): senior level industry executives, cyber security experts and peers from the security and utility communities, key decision makers and subject matter experts in critical infrastructure protection, cyber security and electric utilities.

What's it about: Security risk management is a topic of continued discussion in the electric sector. It can be a daunting task and often overwhelming when faced with trying to implement the many security risk management models available. This town hall style meeting brings together many of the industry's leading security professionals to explore security risk management practices for the electric sector in depth. You will have the opportunity to participate in open discussions with security risk experts, hear about solutions implemented by utility security teams and learn about security risk management guidelines from the actual authors. Click HERE to register

Contact info: Abbie Trimble, abbie@energysec.org 

Joe Friday / Jack Webb Photo Courtesy of Wikipedia

Thursday, September 29, 2011

Prepping for the Risk Management Process (RMP) Panel

In San Diego, Wednesday morning of next week I'll have the good fortune to be moderating a panel comprised of some of our industry's heavy hitters, including:
  • Marianne Swanson, CSWG Chairperson, NIST
  • Craig Miller, PM, National Rural Electric Cooperative Association (NRECA)
  • Lisa Kaiser, Security Consultant, DHS
  • Matthew Light, Infrastructure Analyst, Office of Electricity Delivery and Energy Reliability, DOE
  • James Sample, Director, NERC Critical Infrastructure Protection, Pacific Gas & Electric
As you may or may not know, a new document (in draft) which ties all of these organizations (and FERC and NERC and more) together has been released for public comment. Called the "Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline", or RMP for short, it's viewable HERE and you can register to make comments HERE.

During the panel session, we'll be moving quickly through intros and prepared Q&As so that the audience will have ample time to ask questions of the panelists.

But here's an ultra-short intro to the doc in case you won't get a chance to be there in person or to look at the draft yourself. One way I've heard it described is to say the RMP attempts to blend and extend traditional IT security with OT and thereby bridge internal utility stovepipes. That's ambitious for sure, but also, most would agree, sorely needed.

The draft breaks out the following objectives right up front, presented here with my color commentary following each:
  • "Effectively and efficiently implement a risk management process (RMP) across the whole organization" - So they're saying there should be policy that extends across the entire enterprise; that'll be new to most utilities.
  • "Establish the organizational tolerance for risk and communicate throughout the organization including guidance on how risk tolerance impacts ongoing decision making" - Figuring out how much risk is acceptable and how much is too much is classic business case material. To do this you have to do some solid translation between cybersecurity geek speak and hard business requirements ... should be interesting to say the least, but definitely well worth the effort.
  • "Prioritize and allocate resources for managing cybersecurity risk" - Prioritizing with confidence becomes possible once you've got a defined and level playing field. This could be quite refreshing for execs who get this far.
  • "Create an organizational climate in which cybersecurity risk is considered within the context of the mission and business objectives of the organization" - Culture change 101, but much more difficult by far than technology change IMHO.
  • "Improve the understanding of cybersecurity risk and how these risks potentially impact the mission and business success of the organization" - Also sorely needed and well worth the effort: drawing solid line connections, where they exist, between cybersecurity and reliability. If it's not about reliability, or some of the lesser values like efficiency, or cost effectiveness, why bother?
OK, that's enough for now. I'll try to take notes so I can write up the RMP panel session highlights here afterwards. Meanwhile, you can click HERE for the conference website if you seek more info.

Monday, May 9, 2011

NERC and NIST Ramp Up Risk Management Collaboration

There are security-related ISO, IEC and IEEE electric grid standards galore, but these are technical standards. I know it's more complicated than this, but I submit that the easiest way to tell regular folks about grid and Smart Grid security standards is to say there are really only two that matter in 2011, and they are:
  • NERC CIPs, version 3
  • NISTIR 7628, version 1
The first covers cyber security protections of only the most critical generation and transmission assets in the bulk electric system (BES) and has little to do with protecting new Smart Grid systems, most of which deploy in the distribution network, far from the BES. The second boldly attempts to describe how to secure the whole enchilada, albeit at a high level. In short, there isn't a heck of a lot the two standards/guidance documents have in common.

We've described each ad nauseam on this blog, so let's look at something more soothing. With the next version of the above standards still over the horizon, let's consider the nascent collaborative effort between NERC and NIST, confirmed by language pulled from a draft budget document submitted by an SGSB reader:
... NERC is collaborating with DOE and the National Institute of Standards and Technology (NIST) to develop comprehensive cyber security risk management process guidelines for the entire electric grid, including the bulk power and distribution systems. This initiative is particularly important with the increasing availability of smart grid technologies. While the majority of technology associated with the smart grid is found within the distribution system, vulnerabilities realized within the distribution system could potentially impact the bulk power system.
So, it seems that some folks in high places have realized the disconnect, and seek to build a risk management bridge between the CIPs and the NISTIR. This is good news, right? Here's the draft NERC 2012 business plan and budget, if you're into this kind of thing.

Wednesday, January 5, 2011

Zen and the Art of Smart Grid Security


I'm not sure how to say his last name, but there's a lot to like in John Traenkenschuh's metaphor:
We bikers know that risk is something that can be mitigated, to a point. Risk remains, and it's our job as safety pro's to limit impact and help the organization, the rider, steer a reasonably secure, er, safe course. 
... and also this:
Nothing I can do can wash away all the security risks with all the IT systems we're paid to protect; in much the same way that no amount of training I might provide you will remove all risk from riding a motorcycle. Instead, let's focus on forcing a quick alert if, maybe WHEN the attack occurs? 
This short article is not specific to our industry, and is actually written more from a vendor's point of view than a technology user's, but because survivability is a crucial backstop to good security, and certainly adds to peace of mind, there's more HERE that applies.

Photo credit: Don DeBold on Flickr.com