A Means to a Measured Approach to Cybersecurity

Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.

Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.

A few of the principles we seem to share include:

Webinar Alert: UTC Cybersecurity Metrics Training

Never thought I'd see training on one of my favorite topics, but somehow the Utilities Telecom Council (UTC) is going to do it a week from now.  To some readers' pleasure and others chagrin, I've done a million posts on metrics, some absurdly long (see: HERE) and I for one, will be paying very close attention.

When: 12 November 2013, 2 - 3:30 pm ET

What: "This webinar provides an overview of metrics development and implementation approaches based on national and international standards and best practices. It describes how to develop and use metrics to gauge performance and facilitate improvement and gives examples from the utilities space."

How: Click HERE for more info and to register

Thanks again to tmorkemo on Flickr.com for this image ... my 2nd timing using it

CPUC's Villarreal is the Real Deal for Grid Security from the US States' Perspective

From cybersecurity to privacy, the Green Button and security metrics, this recent deck from the California Public Utility Commission's (CPUC's) Chris Villarreal covers the entire grid security waterfront from a (very big) state's point of view.

This is well worth your time if you're a regulator in another state, a regulated entity in any state, or you just want to get a better feel for the way this process is evolving.

Note links on last slide to excellent CPUC security white paper by Chris and his security savvy colleagues, Liza Malashenko and J. David Erickson, and to NARUC's excellent "Cybersecurity for State Regulators 2.0" guide. There are other states upping their cybersecurity game as well, but California and Texas have been the two trailblazers. Of that there is no doubt.

----------------------------

URL for this deck, which accompanied Erfan Ibrahim's SG Educational Series webinar:

https://docs.google.com/file/d/0B83Q27_xggOTV3JpVTlSNnRGNGM/edit?usp=sharing

URL for another nice write-up on the work of Chris and his colleagues, from Greentech Media's Jeff St. John:

http://www.greentechmedia.com/articles/read/smart-grid-cybersecurity-the-california-way

Webcast Alert: Establishing Security Baselines at Industrial Facilities

I love good baselines, and I'm not the only one. When famous jazz composer arranger Gil Evans (see Sketches of Spain) heard the early Police playing Walking on the Moon, he took time to personally compliment the stunned base player, Gordon Sumner aka Sting.

Now another baseline for you, less musical but more actionable, courtesy of the new ICS-ISAC:

• Title: Raising All Boats: Establishing Security Baselines at Industrial Facilities
• Date: Monday April 29th, 2013
• Time: 1:00-2:00pm USA Eastern Time
• Registration and more info here: http://ics-isac.org/events.html

Hope you can make it. Oh, and here's Miles for you: http://www.youtube.com/watch?v=7KDQNoqKya0

Metrics Mark the End of Faith-based Cybersecurity

Thanks to Dark Reading for covering the RSA 2013 metrics panel and for the article: "Governance Without Metrics Is Just Dogma."

To whom do we owe this powerful and provocative headline? Not the editors at Dark Reading, though they were smart enough to grab it and put it at the top. It was Alex Hutton, an Operations Risk and Governance director at Zions National Bank.

In case you're not used to seeing the word dogma in this context, let's refresh ourselves with a definition (thanks Wikipedia):

Dogma is an official system of belief or doctrine held by a religion, or a particular group or organization. It serves as part of the primary basis of an ideology or belief system. 

Heralding the Dawn of Critical Infrastructure Security Metrics

You may like this blog because of its emphasis on business-oriented security metrics and measurement. Or you may loathe it for the same reason (though if you do, you shouldn't still be visiting much).

Can't measure, can't manage. On this we agree, right?

So ... we're two weeks past the Presidential executive order (EO) that kicked off a new round of meetings that will ultimately produce a new NIST framework for grid security. You can read about the goals for this thing, including the RFI process HERE.

Thanks for EnergySec's Patrick Miller who tweeted yesterday that this round of work is designed, among other things, to produce metrics that can be used to assess the current security posture of your organization.

One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0

My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:

I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.

Well guess what readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note sublime, almost hypnotic snowflake animation on landing page).

Michael Assante Holds Forth on Cybersecurity Leadership

You've seen him here before, but for those not familar, his quals, in reverse chronological order:

• National Bureau of Information Security Examiners (NBISE) Founder, Pres & CEO
• NERC CSO
• Critical Infrastructure Protection Strategist
• AEP VP & CSO
• VP at several security start-ups
• Navy intelligence officer

Great background, right? Though he lives in the Northwest, he's pretty visible in DC as a frequent testifier on national security issues related to cybersecurity and critical infrastructure.

Here's an excerpt from a just published Q&A session I was lucky enough to engage him in. When asked:

 "... What can the energy & utilities industry learn and leverage from these other critical infrastructure industries?" Mike responded:

It is more the norm than the exception to find executive-level cybersecurity leadership in banking and telecommunications today. Years ago, both industries realized that protecting their networks, systems and data from attackers was a strategic imperative. And some industries have even gone so far as to police themselves with their own security standards. Now it’s time for electric utilities and other energy companies to elevate cyber resilience in their business planning and investment decisions.

You bet it is.

The interview is not too long ... only 4 questions, but I highly recommend you view his well-informed responses to all of them, which you can see RIGHT HERE.

Image credit: NewsMilitary.com

2 Control Systems Metrics Movers/Shakers: Jim Brenton and Joe Weiss

The more metrics the merrier, I say. After yesterday's post on IDC's take on energy sector cybersecurity metrics, let's pivot to control systems, where the three most important things are:

1. reliability
2. reliability, and
3. reliability

... and where what passes for cybersecurity in IT realms just doesn't cut the mustard.

First see this NEW POST from Joe Weiss on how to begin wrapping your head around what control systems metrics could look like.

Then I'd recommend Jim Brenton's PRESENTATION at GridSec earlier this year on a new group that's formed to look at developing security (or should I say reliability and resiliency) metrics for the Bulk Electric System (BES).

OK, that's it, this is a short one. You can go back to what you should have been doing all along.

New IDC Report Takes Measure of Energy Security Metrics

They had me with the title: "Methods and Practices: Creating a Metrics-Based Security Culture".  It seems IDC must have used a key word optimizer app designed to discover the best title based on the complete works at the Smart Grid Security Blog.

I can't vouch for the utility of this report because I haven't read it.  But I do know lead IDC energy and security analyst Usman Sindhu because we've been discussing grid security topics since we met back when he was still at Forrester Research.

Jesse Berst and the SmartGridNewsers did a nice little intro to it HERE.

The price may not be right for you, though maybe your company already has a subscription with IDC that will let you see it for free. Or maybe you can negotiate a "friends price" with Usman, the economy being somewhat iffy at the moment.

Photo credit: Steven Harris on Flickr.com

DOE's Prescription for Electric Sector Cybersecurity Uncertainties

I've had a link to this document in the blog's "Relevant Docs" section since it appeared, but with today's press release, I think it's time to shine a spotlight DOE's latest and greatest electric sector cybersecurity resource.

The campaign for measurement has just been given a big shot in the arm. By definition, in a weird permutation of Newton's Third Law, the minute a metric or measurement is proposed it creates its own opposition. Often vocal opposition, I might add.

Nevertheless, neither Newton nor opposition should cause us to accept stasis and the uncertainties that attend the status quo. "What uncertainties?" you might well ask.

And my answer is that the majority of C-Suiters and BoDs at medium-to-large electric utilities likely do not have a decent understanding of the cyber-related reliability and safety risks confronting their IT and OT operations. Nor do they understand well how sound (or unsound) are the defensive measures (people, policy, processes) their cybersecurity folks have deployed.

If I were to now transition to a tirade about the crying need for business-oriented security metrics and measurement, while linking to previous tirades, few would be surprised. But in a moment uncommon self restraint, I won't do that.

Instead, I invite you to consume a few tapas-sized sound bites from DOE's press release earlier today announcing its new, unpronounceable acronymed tool, the ES-C2M2.

Dig in:

• Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
• New Tool Available to Enable Electric Utilities to Better Assess their Cybersecurity Needs and Assets 
• Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality. 
• More than a dozen utilities nationwide participated in pilot evaluations to help refine the model
• The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management
• Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.

Here's a LINK to the model. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.gov. Note: The Energy Department is also offering facilitated self-evaluations on request.

Please keep in mind that this is a 1.0 version developed at break-neck speed. The more feedback DOE gets from its earliest users, the more we can expect from future versions. And they do seek your feedback.

I think what's been started here is good, very good in fact. Now let's seek to use it, make it great, and substantially improve the industry's understanding of itself along the way.

Image credit: DiaVoLo Group on Flickr.com

Time for the Electric Sector to Measure Up on Security

Let me begin by saying I'm so sick of alarmists. We are implored to "Constant Vigilance!" by Mad Eye Moody and to constant vigilance we at the SGSB are committed. But not to constant cowering.

OK, that said, you may recall I have a jones for business metrics. So much so that lately I've been suggesting them to the DOE Electric Sector Cyber Risk Management Maturity folks for inclusion in the Program Management part of their model.

Amidst the latest spate of Smart Grid security fear and loathing (documented here and here last week, and earlier here and here and etc.), maybe what Congress, FERC, utility boards of directors, consumer protection groups, and the man on the street need is evidence that we're making progress on protecting the grid and its constituent elements from the various forms of lurking badness out there.

Maybe that evidence, to be readily consumed by all of the above, needs to be communicated in plain language. Let's agree that business language is plain language.

So let's begin with Enernex CEO Erich Gunther's GridSec 2012 monster keynote preso Pragmatic Approach to Utility Cyber Security and one slide in particular "Approaches that Fail". These should all be quite familiar to y'all by now:

• Attempting to explain the situation technically
• Overwhelming with statistics – number of attacks, names and types of attacks, enumerating systems potentially affected
• Using the “sky is falling approach” – we’re doomed!
• Depending on government and regulation to “fix it”

For me, this outstanding presentation was an expertly crafted electric sector extension of Gartner Group analyst Jeff Wheatman's seminal 2011 paper: "Why Communication Fails: Five Reasons the Business doesn't get Security's Message".  I'm going to grab one of Erich's "Pragmatic Conclusion" bullets to segue to the next piece:

• We need to be more well versed in the disciplines of the core businesses we are trying to protect

By apparently Divine intervention, Robb Reck's article, Making Security Metrics that Matter (to Business) was just published on InfoSec Island, where I found it this morning. The morning of the same day (today) I actually needed it.

Robb begins by asking security folks:

What are the strategic goals for your organization in 2012? Can you recite them off the top of your head? If you can't, you're not alone. The inability of enterprise security teams to answer those questions is one of the biggest obstacles facing our discipline today, and it's the biggest reason current [overly technical] security metrics do not grab the attention of organization leaders.

He provides some excellent large and small company examples and begins his conclusion with:

Gone are metrics like “vulnerabilities found” and “patch level.” In their place are metrics that directly address the priorities of the business. By crafting the metrics in the language of our business leaders, we are demonstrating the value of their security investment in a way that matters to them.

I'll begin and finish my conclusion with the one security business metric that rules them all: the appointment and empowerment of a Chief Security Officer (CSO), with purview across the entire enterprise, and the authority to set and enforce security policy in both the IT and OT realms.

Show the man on the street and others an expanding list of utilities with CSOs as described above, and you can bet they'll all be sleeping better at night. And maybe we can all get up before the next alarm goes off.

Photo credit: mnapoleon at Flickr.com