Showing posts with label smart grid security. Show all posts

Monday, May 13, 2013

Energy Sector Orgs: How Would You Know if You Were Secure Enough?

Along with my friend and IBM colleague Jeff Katz, I was recently cited in an article by a new publication called Breaking Energy. One of the things they captured was this statement:
“[Legislators and regulators] hear statements that the grid is not secure enough .... That begs the question: how would you know? How do you know how secure it is now?”
If one were hellbent on better securing the grid, how would you define your destination, and how would you know you were making progress towards it? Sorry for so many questions. Maybe you can provide some answers in the comment space below.

Meanwhile, in this USA Today piece, senior leaders in Washington continue to make alarming sounds about our industry's preparedness:
"The power industry [ranges widely in security maturity] from companies that are very good to companies that need a lot of work and a lot of help," Gen. Keith Alexander, commander of Cyber Command, said Friday.
Meanwhile, in the NYTimes, two senior [DHS] officials just said "[a new wave of intrusions] were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name."

Seems we have the motivation. And maybe the means. But I still question whether we have a roadmap, tools, or even the language to recognize progress. More on this coming up.

Monday, April 22, 2013

All the NIST Critical Infrastructure Security RFI Responses You Can Eat


Re: the many and various submissions from companies and individuals to NIST, someone who knows more than a few things about grid security recently tweeted twice thusly:
Reading - and in many cases laughing at - #NISTCSF responses
and ...
The responses? Mostly neutrally irrelevant, some nonsensical. I've marked only 14% so far for "real" read later
I just want you to set your expectations bar sufficiently low before you click HERE and read all of the responses.

By the way there were a few good and very good responses too.

If, after reading, you not only feel like you have something to suggest that hasn't yet been suggested, but you also want to physically transport and immerse yourself in this grand sausage making activity, then ...

For more information on the 2nd workshop coming up in late May in Pittsburgh, and a link where you can register, click on THIS.

Photo credit: @Doug88888 on Flickr.com

Tuesday, November 6, 2012

Conference Alert: Smart Grid & Control Systems Security for Europe


Sometimes I don't give enough lead time; here's a case where maybe I'm giving you too much. Anyway, you know how time flies when you're having fun, so 5 short months from now, you might want to be here:

  • What: 3rd European Smart Grid and SCADA Security Forum
  • Where: The Copthorne Tara Hotel, London
  • When: 11-12 March 2013
  • Web: For more info and to register, click HERE

Friday, August 31, 2012

Conference(s) Alert: EnergySec and GridSec coming up

These are the two longest running energy + cybersecurity conference tracks in North America, and both have summits coming up this Fall:

http://www.energysec.org/summit
Sep 25-18, 2012
Portland, OR

http://www.gridsec.com/2012/summit/
Oct 22-24, 2012
San Francisco, CA

Click through and you'll see that both agendas are forming and speaker rosters are still being firmed up, but utility participation is on the rise and these are the real deal.

Also there's much more focus now on the security of operational systems, not just IT/Business.

Recommend you attend one of these, and if you can't, then at least pay attention to the articles, blogs and videos that come out of them ... some, hopefully, right here.

Thursday, July 26, 2012

The State of the States and Smart Grid Security

Readers, working your way through this comprehensive yet non-alarmist EPIC PIECE of Smart Grid security journalism will take some time, because author and former NH PUC commissioner Nancy Brockway has done her homework and then some.

And unlike some unschooled energy security bloggers I know, she knows all the business angles. To wit:
Utilities might argue that they need pre-approval and current recovery of cybersecurity costs. Utilities and their smart grid industry partners sometimes claim that without such cost recovery, a utility will lack the ability and resources to pursue cybersecurity with vigor, presumably because in and of themselves, cybersecurity investments don’t generate revenue. However, the industry has it backwards.
See what I mean? OK, here's the cybersecurity funding smackdown:
If a utility executive says the firm won’t vigorously pursue cybersecurity absent a tracker to recover its costs outside the normal ratemaking treatment, the utility is signalling that it might not have fully embraced the goal of such security. And a utility that tries to reassure the commission that such guaranteed revenues can be clawed back on a later finding of imprudence might be hoping the commissioners are naive about how prudence reviews work.
Hold on; one more volley and it's over:
There’s a huge difference between pre-approving and providing extra-rate-case recovery of utility investments in cybersecurity, and making it clear that the commission understands the need to change out obsolete equipment and technology, beef up staff, and make investments to protect the grid. But if a utility cares so little about cybersecurity that it won’t pursue the smart grid or the cybersecurity component of the smart grid absent guaranteed, dollar-for-dollar, few-questions-asked revenues awarded outside of normal cost recovery, this should be a red flag to the commission about letting that utility install the connectivity inherent in the smart grid.
About the only point Ms. Brockway seems to have missed re: state actions is the recent publication of a pretty decent and helpful guide by NARUC, which we posted on earlier and which you can view HERE. It didn't seem like you could comment on the article, but I'll be very interested to hear what folks make of her positions on these matters, particularly the funding aspects.

Wednesday, May 30, 2012

Workshop Alert: ENISA Flexing Grid Security Muscles in Brussels

This announcement, from the European Network and Information Security Agency (ENISA) hit my inbox earlier today and you might like to see it, especially if you are based in Europe (or would like a reason to visit). I reduced it down for your more rapid consumption:
  • Title: Workshop on “Security Certification of Smart Grid Components”
  • When: June 27, 2012
  • Where: Rue de la Loi, 130-1040 - Bruxelles (that's Brussels, Belgium, for you non Euro types)
  • Who (should attend): Participants and speakers of the workshop would be national certification authorities, EU officials, hardware and software manufacturers, energy service providers and certification laboratories from EU and US
  • Organizers: ENISA in cooperation with the European Commission
  • For details and to register, click HERE
The stated objectives of the workshop are to:
  • Support the Member States in better understanding the challenges of the Smart Grid component certification process 
  • Contribute in the harmonization of different certification policies followed by the Member States 
  • Invite Member States to present their national certification schemes and private sector to present their views on the matter 
  • Debate about the possible steps to take, at national and EU level, to speed up the secure introduction of Smart Grids
Sounds somewhat akin to IEC 62443-2-4. Perhaps there's some overlap or potential to leverage existing work. Anyway, if you've got something to contribute, or a desire to learn, go if you can ... and don't skip the mussels.

Thursday, March 29, 2012

GridSec Texas Wrap-Up: One More Time with Tweets

Here are a few of the tweets from myself and others from GridSec day 2 to give you a tapas-style version of what went down:
  • Erfan Ibrahim: a mosaic of entities hold liability for grid security, but customers usually know/interact with only one. #GridSec
  • At #GridSec, Darren Highfill says we're already paying for security, we're just not calling it that, invoking Russian Roulette metaphor.
  • Both keynoters said cyber security maturity models (like DOE's bldg now) & business metrics might reduce likelihood of legislation #GridSec
  • Brese & Gunther both said cyber security maturity models (like one DOE's bldg now) & business metrics might reduce likelihood of legislation
  • At #GridSec just asked DOE's Robert Brese & Erich Gunther what would utilities have to do to put Congress more at ease re cyber security ... 
  • Recommend using Gunther's #GridSec preso 4 coaching security folks on thinking/speaking in language that's understandable to business folks 
  • Enernex CEO Erich Gunther kicking off #GridSec day 2. Echoing yesterday's theme of connecting security w/ safety for better business comm 
  • At #GridSec good presentation on offensive cyber security aka Active Defense. Discussing Hactivism, Cybercrime, Cyber Espionage, Cyber War 
  • Strong messages from speakers @ #GridSec on importance to move from geek speak to business speak so those C level folks get #ICSsecurity 
  • Several presentations at #GridSec are finally linking security to safety. #ICS http://www.us-cert.gov/control_systems/icsjwg/presentations/spring2010/08%20-%20Walter%20Sikora.pdf is a preso given a couple years ago 
  • #gridsec You can stop the Stuxnet artifact, but private industry does not have the means to protect against nation-state adversaries 
What was different this time? Well:
  • Without any prompting, I heard metrics, and especially business metrics mentioned quite a lot this time
  • There was much discussion around control system security. In fact, one guy who attended the "Beyond AMI" panel yesterday said it was exactly because it wasn't about AMI. Duh!
  • As I said in a previous post and tweets above, linking security and safety was a common theme this time around
  • Lastly, we had more utilities here this time than ever before. Seems like a no brainer, but without their real-world, pragmatic "what works" insights, this effort wouldn't be half as worthwhile
Sad to see it come to a close, but close it always must. Re-connected with all the old folks, and met many new ones, and that was great. Didn't get to say anything like a proper good bye to folks so it looks like au revoir until October back on the west coast when we do this again. Andy

Monday, March 5, 2012

Smart Grid Security Conference Alert: GridSec 2012 Coming Soon


Here we go again, with what appears to be the best line-up yet. Noticeably, there's going to be significantly more utility representation this time.

It already started moving in this direction in the last conference or two (San Diego, Knoxville) and hopefully we'll be able to move the center of security discussion from AMI and Smart Meters to securing increasingly automated substations, control centers, SCADA and control systems, and the various juncture points between IT and OT networks.

As usual, I'll be on a panel or two, and moderating some as well. 

Here are deets for you, as well as the means to get a discount if you have yet to register:

  • When: 27-29 March 2012 (the 27th is a workshop day)
  • Where: the Irving Convention Center in Irving, TX
  • Site URL:  http://www.gridsec.com/2012/
Discounts of various sizes are available depending on what kind of work you do. Go HERE and use this code BVAYVN

Photo credit: David Kozlowski on Flickriver.com

Monday, February 6, 2012

Just when you thought it was safe to Calculate: More "Incalculable" Smart Grid Security Doom for your Consumption


It might be a form of Tourettes, sorry. But every once in a while I feel compelled to shine a harsh light on articles that go too far, or way too far, in the FUD department. Especially those from reputable publications.

What was Said

Here are a few selected citations from the first part of the less-than-soberly titled article in question:
  • "Internet-based terrorists would be capable of causing blackouts on the order of nine to 18 months."
  • “The dollars are incalculable.” 
  • “There’s some percentage of utilities out there that just don’t take this seriously.” 
  • "Energy companies including utilities would have to increase their investment in computer security more than seven-fold to reach an ideal level of protection."  
SGSB Non-Scientific Analysis

If the attacks come from bad guys based on the Internet, then the outages could be 9 - 18 months. I see. And the money at stake is so large as to be impossible to estimate. Thanks to recent debates over the US budget and deficit, my eyes and ears are now well accustomed to figures of $15 Trillion and beyond, but clearly the damages from hacking the grid must be even higher. "Some percentage" ?!?  You mean, a non-zero percentage that's so high as to be incalculable, right? And although I've never used the term WTF in this blog before, in the murky world of cyber attack and cyber security, WTF is "an ideal level of protection"?

In case you feel like I'm manipulating you, you can read the whole piece HERE. But suffice it to say, do we really need this? Are these types of "studies" and "journalism" doing much to advance thinking and spur action on securing the grid, or rather simply aiming at inciting panic?

I'll try to keep from blurting out what I really think.

Apocalyptic image courtesy of PSD Collector

Saturday, January 21, 2012

Conference Alert: European Smart Grid Cyber Security


It's going to be in London on 12 and 13 March 2012

Great speaker line-up with experts from both sides of the pond, includes:

  • Office of Cyber Security and Information Assurance, Deputy Director, Mike St John Green
  • European Commission, Policy Officer, DG Information Society and Media, Alejandro Pinto
  • National Information Security Authority, Israel , Director, Erez Kreiner
  • ENISA, Program Manager Resilience and CIIP Program, Dr. Vangelis Ouzounis
  • Queen’s University Belfast, Director of Research, Professor Sakir Sezer
  • NIST, Chief Cyber Security Advisor, William Barker
  • Con Edison New York, Smart Grid Project Manager, Patricia Robison
  • Swissgrid AG, TSO Security Cooperation, Senior Advisor Operations, Rudolf Baumann
  • EDP Energie SA, Information and Cyber Security Officer, Nuno Emanuel Pereira
  • Sirrix AG security technologies, Project Manager, Michael Gröne
  • GDF Suez, Information Security & Business Continuity, Phillip Jones
  • IOActive, Vice President, Services, David Baker
  • Institute for Information Security, Executive Director, University of Tulsa, David Greer
  • Alliander, Senior Consultant Intelligent Netbeheer, Frans Campfens
  • Saudi Aramco, Information Protection Specialist, Saad Alhowaymel
  • Zigbee Alliance, Security Working Group Chair, Robert Cragie
  • Alliander, Privacy & Security Officer, Johan Rambi
  • Energy Networks Association, Head of Strategic Telecommunications, Mark Simpson
  • Riscure, Director Embedded Technology, Job de Haas
  • SAIC, Chief Cyber Technologist, Gilbert Sorebo
Click HERE for more information.

Photo credit: Matt from London on Flickr.com

Saturday, January 14, 2012

MIT Palantir Reveals Future Views of Grid and Grid Security


And as in the Lord of the Rings, few can look into a palantir and walk away unscathed. That's true for this recently released grid forecast from MIT, and especially for the sections on cyber security, which have served as the justification for many alarmist articles since, including:
What the hell does that last title even mean?  I read the article and still don't get the point.

It's funny, but I just went through the security section of the MIT document and couldn't find anything even faintly alarming, and nothing that would strike the regular readers of this blog as in any way surprising.

The part that seemed to stir the press pot the most was in the conclusions and recommendations section. It began by stating that no one organization today makes and enforces grid security rules for the entire (US) grid: not FERC or NERC, since they only have authority to regulate the bulk grid; not other groups in DOE; not DHS; nor NIST, whose cyber security working groups can only recommend, not mandate, protective actions.

So this prompts the MIT report team to conclude:
This lack of a single operational entity with responsibility for grid cybersecurity preparedness as well as response and recovery creates a security vulnerability in a highly interconnected electric power system comprising generation, transmission, and distribution.
And recommend:
The federal government should designate a single agency to have responsibility for working with industry and to have appropriate regulatory authority to enhance cybersecurity preparedness, response, and recovery across the electric power sector, including bulk power and distribution systems.
This sounds right on one level (single source of truth and control) and yet wrong on many others, particularly since, as the authors themselves point out, they are hard pressed to imagine which government organization is equipped, or ever could be equipped, to take on so monumental a task.

But seriously folks, the MIT report is well worth a look, not so much for its cyber security content, as for its informed prognostications on other aspects of the future grid. There's no need to worry about the Eye of Sauron, or anything else unusually alarming, in this quest for knowledge.

You'll find the full report and some supplementary materials HERE, and the security section begins on page 208.

Image credit: Wikia

Thursday, January 12, 2012

SGSB at Distributech 2012 and Smart Grid Consumer Collaborative Symposium


Howdy Y'all. Just an FYI that I'll be attending and working at the IBM booth at this year's Distributech conference in San Antonio, Texas, which runs January 24-26. And the day before, I will be speaking on a privacy panel at the Smart Grid Consumer Collaborative in the same location as Distributech: the Henry B. Gonzalez Convention Center.

In case you haven't been to it before, Distributech is the premier annual electric sector conference and exhibition in North America and it draws a large, global audience. Here's a link for D'Tech. And while we're at it, here's a link for the SGCC symposium.

If you want to accost me about current electric sector security topics and/or find out more about what IBM is doing in the cyber security space (including a massive new re-org around security), please swing by.

Also, for those of you who use Twitter, I will be tweeting from the conference and maybe the symposium, using some or all of the hashtags below:
  • #DTech
  • #IBMSmartrEnergy
  • #SGconsumer
  • #SGSblog
Photo credit: StuSeeger on Flickr.com


Tuesday, January 3, 2012

New Book Educates and Guides Smart Grid Security Stakeholders

Between them, authors Gib Sorebo, energy sector security lead for SAIC, and Michael Echols, expert security consultant to many utilities including, recently, the Salt River Project in Arizona, have the chops to go deep into the technical weeds of grid security risks, challenges and solutions. Fortunately, however, in their just-published book on the subject, their aim is quite different from a technical tour de force:
For those who argue that one cannot secure a system without knowing how it works or the consequences of implementing the wrong security, this book is for you. Our goal is to make the Smart Grid and all its warts accessible to not only cyber security practitioners, but also to media, policymakers, regulators, engineers, utility executives, and even to consumers to understand the interplay between the automation of the electric grid and security.
Titled Smart Grid Security: an End-to-End View of Security in the New Electrical Grid, the book is very current, having just become available for purchase on Amazon and elsewhere in December.

There's much I could point out to you that's worthwhile, but the job of the blog is to alert you to the availability of a resource, and give you an opinion on whether it might be worth your time, not to do a full book review.

But to give you a feel for the types of topics Sorebo and Echols reach, consider this piece pulled from a chapter on operations and outsourcing:
Monitoring for cyber-threats through an incident identification and response strategy should extend beyond the traditional boundaries of the utility itself .... Vendors are typically connected to multiple utilities that are connected to multiple vendors ... the question becomes: if Vendor A is compromised,  how many utilities does it affect? And how would those utilities know if they were affected or not?
Sounds pretty overwhelming, but this is not a scare book. Throughout the nearly 300 pages, they keep their descriptions of cyber risks, vulnerabilities and other challenges as dispassionate as possible. The passage above is followed by:
To mitigate [risks like these], utilities and vendors must begin to insert cyber security into their maintenance and support contracts .... If a vendor loses information deemed to be private, then they are generally required to report the fact that there was a breach .... However, there appears to be no legal requirement for a vendor that is compromised and that has direct access to a utility's control system .... As part of a good incident response security posture, [increased] collaboration may be necessary in the highly interconnected organizations that support the bulk electric system including utilities, vendors and service providers.
So there you go. And there's more helpful detail on this and many other topics for folks charged with bringing security capabilities to fruition. I highly recommend this book for anyone who cares that their grid is as reliable, efficient and secure as possible, even as it goes through the many changes involved in becoming a Smart Grid.
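The question the book poses above (if Vendor A is compromised, how many utilities does it affect, and how would they know?) only has an answer if someone keeps an inventory of standing vendor access and can walk it in both directions: from a compromised vendor outward to every utility it can reach, and from a utility backward to every vendor that can reach it, including vendors that only get in through another vendor's support connection. Here is an added Python illustration of that walk; it is not code from the book or from this blog, and the vendor and utility names, the access-grant record layout and the inventory itself are all constructed for the example.

```python
"""Vendor blast-radius check over an inventory of standing remote-access grants.

Added illustration only. ACCESS_GRANTS is a constructed inventory: the vendor
and utility names and the (vendor, target, system, access_kind) record layout
are assumptions for this example, not a description of any real organization.
"""
from collections import defaultdict, deque

# Constructed inventory. A grant says that `vendor` has standing access into
# `system` at `target`. Targets may be utilities or other vendors; the latter
# (a subcontractor using another vendor's support jumphost, say) is what makes
# the reach transitive rather than a simple one-hop lookup.
ACCESS_GRANTS = [
    ("VendorA", "UtilityNorth", "EMS", "interactive"),
    ("VendorA", "UtilitySouth", "AMI-headend", "interactive"),
    ("VendorA", "VendorB", "support-jumphost", "interactive"),
    ("VendorB", "UtilityEast", "DMS", "interactive"),
    ("VendorB", "UtilityEast", "historian", "read-only"),
    ("VendorC", "UtilityWest", "SCADA", "interactive"),
    ("VendorC", "UtilitySouth", "substation-gateway", "interactive"),
]

UTILITIES = {"UtilityNorth", "UtilitySouth", "UtilityEast", "UtilityWest"}


def build_graph(grants):
    """Forward view: grantee -> [(target, system, access_kind), ...]."""
    graph = defaultdict(list)
    for vendor, target, system, kind in grants:
        graph[vendor].append((target, system, kind))
    return graph


def blast_radius(compromised_vendor, grants, utilities=UTILITIES):
    """Every utility system reachable from the compromised vendor.

    Returns {utility: sorted [(system, access_kind, chain), ...]} where `chain`
    is the vendor-to-vendor path used to get there. Breadth-first search with a
    visited set, so mutual vendor-to-vendor grants cannot loop forever.
    """
    graph = build_graph(grants)
    exposed = defaultdict(set)
    seen = {compromised_vendor}
    queue = deque([(compromised_vendor, (compromised_vendor,))])
    while queue:
        node, path = queue.popleft()
        for target, system, kind in graph.get(node, []):
            if target in utilities:
                exposed[target].add((system, kind, " -> ".join(path + (target,))))
            elif target not in seen:          # another vendor: keep walking
                seen.add(target)
                queue.append((target, path + (target,)))
    return {u: sorted(v) for u, v in exposed.items()}


def affected_utilities(compromised_vendor, grants=ACCESS_GRANTS):
    """The utilities that should be notified if this vendor is compromised."""
    return sorted(blast_radius(compromised_vendor, grants))


def upstream_vendors(utility, grants=ACCESS_GRANTS):
    """Reverse view, answering 'how would the utility know?': every vendor with a
    direct or indirect path into this utility, i.e. the vendors whose breach
    notices the utility must watch for."""
    reverse = defaultdict(set)
    for vendor, target, _system, _kind in grants:
        reverse[target].add(vendor)
    found, queue = set(), deque([utility])
    while queue:
        node = queue.popleft()
        for vendor in reverse.get(node, ()):
            if vendor not in found:
                found.add(vendor)
                queue.append(vendor)
    return sorted(found)


if __name__ == "__main__":
    for utility, systems in blast_radius("VendorA", ACCESS_GRANTS).items():
        for system, kind, chain in systems:
            print(f"{utility}: {system} ({kind}) via {chain}")
    print("UtilityEast must track notices from:", upstream_vendors("UtilityEast"))
```

The point of the reverse walk is the second half of the book's question: UtilityEast has no contract with VendorA at all, yet a VendorA compromise reaches its DMS through VendorB's support jumphost, so the utility's incident watch list has to be derived from the access graph rather than from its own vendor list.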


Friday, December 2, 2011

A New Breed of Security Attributes for Our Time


I've been on the subject of grid and Smart Grid security measurement and metrics now for quite a while, and all around are signs that we're making slow but steady progress.

In Jack Danahy's latest mega-post on security from an industry perspective, you'll find a call to substantially overhaul the way security practitioners do business, with an emphasis on, among other things, measurement:
We should be able to describe how much time and money is spent to prevent the introduction of vulnerabilities vs. preventing the exploit of vulnerabilities vs. preventing the release of private information. We should be able to point to the documented practices in place to remediate vulnerabilities that are found, or to interrupt exploits in process, or to clean-up after a breach has occurred. In order to justify the strategic importance of security we must take a fresh look at the criteria by which we judge and measure it.
Warning: this material is not for the meek or groggy. Make sure you've got your thinking cap on straight before digging into the full post, HERE.

And note: this isn't the first time Jack has summoned the Parkerian Hexad. He took his first electric sector-specific run at it on SmartGridNews.com a year and a half ago, HERE.

Image credit: BrilliantGlass.com

Monday, November 21, 2011

European Smart Grid Cyber Security through American Eyes

You know, there are ways in which the EU Smart Grid Security & Privacy standards process mimics the structural problems that have so far stymied solutions to the EU budget crisis:
The initiatives are not harmonized. For example, the Netherlands’ approach to smart meter data privacy would be illegal in Germany because it forces a choice between personal data privacy and energy efficiency. Yes, the much loved opt-in has been outlawed in Germany.
See that? This is from Pike Research security analyst Bob Lockhart, who had the pleasure of attending the recent European Smart Grid Cyber Security conference in Amsterdam. Bob's been keeping a close eye on security standards forming and evolving in North America, and we've both talked and wondered out loud about how things were going in Europe.

Well, it seems like they're not going as well as they could be. Here's Bob again:
There is an entire document in the NISTIR 7628 series – Volume 2 – devoted to Data Privacy, an issue of great concern to European nations and their citizens. Someone suggested why not start with NIST’s cyber security guidelines, overlay European Data Privacy guidelines, and call it done? I am still trying to work out why that is not the answer. Instead there are ... five other efforts, all of which freely admit that they love the NISTIR documents, creating ... or recreating a new set of smart grid cyber security [and privacy] guidelines.
Bob goes on to talk about the need for urgency and haste, but you can just tell nothing's going to happen fast on that side of the Atlantic. And we thought things were slow on this side!

C'est la vie.

You can read his full post HERE.

Friday, November 18, 2011

New Smart Grid Security Book coming from Sorebo and Echols

This is the first new book on the topic in over a year, and as you know, a lot has transpired over the last 365. Awareness of Stuxnet, Night Dragon and other control system-targeting Advanced Persistent Threats (APTs), for example.

I didn't have too much exposure to the previous one, but at first glance can tell you that Gib and Mike bring a heaping helping of hands-on industry experience to the table. Prove it, you say? Alright then:

Gib built and has been running SAIC's grid security team for quite a while. He also has been a leader on multiple security standards working groups. And Mike was Security Compliance Manager at the Salt River Project, a big power and water utility in Arizona and a security officer at the Western Area Power Administration.

The title is: Smart Grid Security, an End-to-End View of Security in the New Electrical Grid, and it's coming out on Dec 12 (just in time for Christmas!). You can read more about it and get an order started on Amazon HERE.

I should be getting a copy soon myself, and will do a short review on the SGSB as soon as I am able.

Monday, October 31, 2011

Conference Alert: European Smart Grid Security & Privacy


Lately, my work has included significant amounts of privacy, data security and information governance, so that makes this conference coming up in two weeks, with its mix of security and privacy, seem particularly helpful and timely. 

In the energy sector, privacy has been primarily associated with Europe and Canada in the past, but now that the California PUC has ruled on customer usage data privacy, we're expecting to see it come to the fore in the US as well.

Here are the details if you want to check it out:
  • What: European Smart Grid Security and Privacy
  • When: Nov 14 and 15
  • Where: Amsterdam
For more info on the conference and to register, click HERE
For more info on the venue, click HERE

BTW - if you have a chance to walk around Amsterdam and crave food that's fast, good for you, inexpensive and extremely fresh and tasty, I found Wok to Walk my last time there and loved it.

Photo credit: Leo-seta on Flickr.com

Tuesday, October 4, 2011

Asset Owners Speak Out/Up at Smart Grid Security Summit West

What a great start. Five guys charged with improving the security posture of their large utilities all on stage, and fielding questions from conference organizer Mike Amadhi and an audience full of security minded folks from all walks of life.

In no particular order, here are a few notes I took organized by speaker:

Jeff Gooding - Southern California Edison
  • Very interested in standards
  • Vendor certification would be desirable, though preferably nothing as heavy as the Common Criteria
  • Finds it takes approx 2 years for an IT security generalist to get up to speed and be competent in the operational technology (OT) arena
Ward Pyles - Southern Company
  • (Partly tongue in cheek, partly not) said Southern Co. doesn't talk security anymore. Rather, it's all about reliability ... doing what's required to keep systems operational and available.
  • To do this, he/they use a different, more business oriented vocabulary
  • Also, working with vendors towards certification
James Sample - Pacific Gas & Electric
  • Security is much more a people than a technology issue
  • Would like to see more standards baked into products at time of manufacture
  • Like Ward, increasingly uses reliability versus pure security in conversations across the business lines
  • Spends significant amount of time pushing vendors to deliver secure solutions
  • Wishes he could spend less time on vendors (above) and more time working with his people
Christopher Peters - Entergy
  • Security pro's must be good communicators and tailor language to fit their audiences
  • Bridging silos is one of his main jobs
  • Having a CXO as a boss is very helpful in accomplishing the above
Stephen Mikovits - San Diego Gas & Electric
  • Very thankful for CPUC's order that CA IOUs generate 10-year forward looking Smart Grid deployment plans, including a major emphasis on security
  • This really helped SDG&E as well as the other utilities by giving them a platform to communicate security requirements and recommended actions
So there you have it. Several themes emerge: security as reliability, language and communications, silo busting, supplier security and certification, importance of security standards. Seems like most in the audience felt like these were the right notes. I sure did.

BTW - I was working pretty fast. If you spot any typos or inaccuracies here, please let me know and I'll update the post asap.

Covering the 3rd Smart Grid Security Summit


Have iPad with Twitter app loaded: will travel. When I'm not tripping over words as a moderator or panelist over the next two days, I'll try to give you a feel for who's saying what here in San Diego.

I came in late today and caught the tail end of the privacy workshop. Then onto a social gathering sponsored by the Canadian Consulate in a so-called Tiki room (see reference image above - conference attendees, you decide), where we got a little more privacy, courtesy of the Ontario Information and Privacy Commission. Other workshops today covered advanced AMI security and security testing.

All good stuff, and ready to dig into security topics tomorrow. For Twitter followers, will use #smartgrid #security and #sgssummit. And once again, here's the conference site.

Photo credit: http://www.nuthousepunks.com/blog/

Monday, September 26, 2011

Smart Grid Security Social Metrics

For a bunch of tech geeks and policy wonks, the folks in our community sure do like to congregate and socialize. There is a spate of new conferences coming up, the most temporally proximate being next week's EnergySec Smart Grid Security Summit West in San Diego.

I'll be there speaking on security metrics, including the IBM-initiated Smart Grid Security Maturity Model (SGSMM) as well as the developing IEC 62443-2-4 standard. One way to think of these two projects is that the former looks at security maturity from an organizational (i.e., utility) perspective, while the latter employs technical metrics to evaluate, and in some circumstances certify, products according to their levels of security goodness.

Will also be involved in a panel comprised of the participant orgs in the Risk Management Process (RMP), including DOE, DHS, NIST, NERC, as well as NRECA and a CA utility. Among other things, we'll be talking about the draft RMP document, currently out for public comment. Click HERE for that.

But if San Diego is too soon, or too far away, or too comfortable for you, you've got three more options to socialize with Smart Grid security folks in coming months thanks to the London-based SMi Group:
Hope you can make one or several of these. They're definitely useful for working out some of our more intractable issues face to face. And they usually serve adult beverages at some point as well.