Showing posts with label situational awareness. Show all posts

Thursday, March 29, 2012

GridSec Texas Wrap-Up: One More Time with Tweets

Here are a few of the tweets from myself and others from GridSec day 2 to give you a tapas-style version of what went down:
  • Erfan Ibrahim: a mosaic of entities hold liability for grid security, but customers usually know/interact with only one. #GridSec
  • At #GridSec, Darren Highfill says we're already paying for security, we're just not calling it that, invoking Russian Roulette metaphor.
  • Both keynoters said cyber security maturity models (like DOE's bldg now) & business metrics might reduce likelihood of legislation #GridSec
  • Brese & Gunther both said cyber security maturity models (like one DOE's bldg now) & business metrics might reduce likelihood of legislation
  • At #GridSec just asked DOE's Robert Brese & Erich Gunther what would utilities have to do to put Congress more at ease re cyber security ... 
  • Recommend using Gunther's #GridSec preso 4 coaching security folks on thinking/speaking in language that's understandable to business folks 
  • Enernex CEO Erich Gunther kicking off #GridSec day 2. Echoing yesterday's theme of connecting security w/ safety for better business comm 
  • At #GridSec good presentation on offensive cyber security aka Active Defense. Discussing Hactivism, Cybercrime, Cyber Espionage, Cyber War 
  • Strong messages from speakers @ #GridSec on importance to move from geek speak to business speak so those C level folks get #ICSsecurity 
  • Several presentations at #GridSec are finally linking security to safety. #ICS http://www.us-cert.gov/control_systems/icsjwg/presentations/spring2010/08%20-%20Walter%20Sikora.pdf is a preso given a couple years ago 
  • #gridsec You can stop the Stuxnet artifact, but private industry does not have the means to protect against nation-state adversaries 
What was different this time? Well:
  • Without any prompting, I heard metrics, and especially business metrics mentioned quite a lot this time
  • There was much discussion around control system security. In fact, one guy who attended the "Beyond AMI" panel yesterday said it was exactly because it wasn't about AMI. Duh!
  • As I said in a previous post and tweets above, linking security and safety was a common theme this time around
  • Lastly, we had more utilities here this time than ever before. Seems like a no-brainer, but without their real-world, pragmatic "what works" insights, this effort wouldn't be half as worthwhile
Sad to see it come to a close, but close it always must. Re-connected with all the old folks, and met many new ones, and that was great. Didn't get to say anything like a proper goodbye to folks, so it looks like au revoir until October back on the west coast when we do this again. Andy

GridSec in Near Real Time - A Tale of the Tweets

This must be some type of social media sin, but I'm building this post almost entirely out of Tweets I did from yesterday's GridSec conference. In reverse chronological order, they were:
  • Attending Chris Blask's great ICS security panel. Good to see more attention to control system security at the conference this time #GridSec
  • "Beyond AMI" panel co's include Waterfall, Cisco, McAfee, GE and AlertEnterprise at #GridSec
  • At #GridSec, attempting Tweeting-while-moderating. A high wire act. But Beyond AMI panel off to good start with experts from 5 companies.
  • #GridSec Infra security panel seems to concur that appropriate info sharing is security goal #1 for next few years
  • #GridSec talk on sad topic: utilities won't report any attack that could earn them a compliance penalty, so helpful info doesn't get to help
  • In the Security Infrastructure panel, ERCOT speaker said one key focus area needs to be situational awareness. #GridSec
  • From #GridSec - linking security and safety in budget talks.
  • Rea#GridSec conf. First session is CXO perspectives with Vermont Electric's CEO David Hallquist bringing his usual candor, energy and insight
  • Tweeting from #GridSec conference this week http://bit.ly/HhIyj1

Have to keep this short for now, so the only commentary I have on the above is that unless you have comprehensive situational awareness (one speaker's suggestion), then information sharing isn't that big a priority, as you have little to share. Utilities, and any organization for that matter, have to know what's happening with their systems in order to detect, hopefully thwart, and also report this info so others can be on their guard.

Day 2 begins soon ...


Wednesday, September 7, 2011

Conference Alert: EnerSec Smart Grid Security Summit West 2011


This conference series, the first ever dedicated to Smart Grid Security and Privacy, had a great start last year in San Jose and now returns to California with a head of steam after robust attendance and some very strong content earlier this year in Knoxville.

The lineup keeps getting stronger and this session promises a compelling mix of workshops on day 1, followed by days 2 and 3 with regulator and industry updates, round table discussions and lots of back and forth with what has been in the past a very energized audience.

You can expect a bunch of utilities will be present, and not just the big 3 from California, plus state regulators from CA and TX, fed folks from DOE, NERC, FERC and NIST.  Also, owing to proximity to one of the largest USN bases in the world, we'll likely see some energy-minded sailors present too.

Here are the basic facts for you:
  • Dates: 3-5 Oct 2011
  • Location: San Diego
  • Venue: Town and Country Hotel - click HERE to reserve a room
  • For more info and to register for the conference, click HERE
Next week I plan on throwing a few trivia questions at you. Correct answers may earn you a significantly reduced rate for the conference, or at the very least, hearty congratulations.

Photo credit: http2007 on Flickr.com