
Tuesday, October 8, 2013

Heads-Up: The 2013 ICS Cybersecurity Summit is Closing In


We talked about this conference and many of its concerns a few weeks ago at the EnergySec Summit, and among other things, got a great presentation showing how one utility has built and gotten great value from its OT security test-bed.

There's going to be a talk on test-beds plus a bunch of other great presentations at the annual "Joe Weiss" summit, so if you have interest, and the ability to get there, I highly recommend you do.

Here are the basics:
Dates: 21-24 October 2013 
Venue: GTRI Conference Center, 250 14th Street NW, Atlanta, GA 30318
LINK for more info and to register 
LINK to register
Photo credit: Jomi Thomas Mani @ Flickr.com

Saturday, July 20, 2013

RFP Alert: Security Advisor Sought for New England Utility Commissions

No sooner had I posted on the need for more state utility commissions to ensure access to quality cyber security guidance, when an RFP with this exact goal in mind came across my desk (figuratively speaking). So without further delay, your attention please:

The region of 6 northeastern US states collectively referred to as "New England" and boasting the highest per-capita concentration of Dunkin Donuts is seeking one very well qualified energy and cyber security professional to help guide them for a six month period commencing in mid September.

The New England Conference of Public Utilities Commissioners, Inc. (NECPUC) has issued an RFP for which responses are due NLT 5 pm August 8, 2013. I provide the URL to the RFP below but to save you an unnecessary trip, here are the qualifications required if you or your small firm want to even be considered for the job:
  • Background and knowledge of utility sector industrial control system and business operations
  • Knowledge and expertise in computer systems security and related physical security issues
  • Certified Information Systems Security Professional or similar computer security management certification preferred
  • U.S. Government security clearance of “Secret” or higher preferred

Friday, July 12, 2013

NIST Thinking about Cyber Security for Critical Infrastructure Company Boards and CEOs


I just returned from the beautiful UC San Diego campus (hmmm, if only I could travel back in time and attend this school instead ...) where NIST assembled hundreds of cyber security (and other) professionals to advance the initiative known as the Critical Infrastructure Cybersecurity Framework, or CSF for short.

So far some are happy with progress made and some are quite the opposite. I think a little more time will have to pass and we'll have to see what comes out of the NIST oven ahead of the final workgroup session coming up in Dallas.

Tuesday, July 9, 2013

NIST Critical Infrastructure Cyber Security Framework (#NISTCSF) Effort Steaming Ahead


Five hundred souls or so are expected in sunny San Diego this week for the 3rd round of meetings intended to produce new cyber security guidelines for operators of US critical infrastructure.

This article gives you the most recent update on status including cares and concerns related to privacy, business case, and getting senior management buy-in to even consider following this framework in the first place:

http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/nist-meeting-poses-major-test-for-obama-cybersecurity-push/menu-id-1075.html

It references this DHS doc from earlier this year that attempts to pave the way for CEOs to become more engaged in their organization's cyber security efforts, called Cyber Security Questions for CEOs:

https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf

Lastly, if you want to see more of the process without actually getting your feet wet (or getting on a west-bound plane), here are a few resources for you:

The emerging framework itself: http://www.nist.gov/itl/cyberframework.cfm

Details on the San Diego workshop: http://www.nist.gov/itl/csd/3rd-cybersecurity-framework-workshop-july-10-12-2013-san-diego-ca.cfm

Live webcasts of the proceedings can be viewed via these URLs:
Day 1 (Wednesday) Webcast: http://www.youtube.com/watch?v=3hJww5_BDSQ
Day 2 Webcast: http://www.youtube.com/watch?v=SLVW0vFw0gI
Day 3 Webcast: http://www.youtube.com/watch?v=-9hORcAcXNA
I'm flying out today, along with a few of my IBM colleagues. Looking forward to seeing some of you there.

Photo credit: The San Diego Union-Tribune



Monday, April 22, 2013

All the NIST Critical Infrastructure Security RFI Responses You Can Eat


Re: the many and various submissions from companies and individuals to NIST, someone who knows more than a few things about grid security recently tweeted twice thusly:
Reading - and in many cases laughing at - #NISTCSF responses
and ...
The responses? Mostly neutrally irrelevant, some nonsensical. I've marked only 14% so far for "real" read later
I just want you to set your expectations bar sufficiently low before you click HERE and read all of the responses.

By the way there were a few good and very good responses too.

If, after reading, you not only feel like you have something to suggest that hasn't yet been suggested, but you also want to physically transport and immerse yourself in this grand sausage making activity, then ...

For more information on the 2nd workshop coming up in late May in Pittsburgh, and a link where you can register, click on THIS.

Photo credit: @Doug88888 on Flickr.com

Friday, April 5, 2013

Helpful Clarifications Still Leave NERC CIP Version 4 Changes Feeling Overwhelming

If your job is to ensure your utility complies with new version 4, certainly you've been scouring info like this for a while now. But if you're a member of electric sector support or regulatory communities, including services providers and state commissioners, it'll behoove you to get a better feel for the massively numerous and often ambiguous compliance hoops through which these folks have to jump.


Thursday, March 28, 2013

EnergySec Welcomes NERC CIP Virgin Utilities with Version 4 Briefing

Titled "Get Ready for Version 4" the deck linked at the end of my words has some great and helpful info in it, not just for utilities transitioning from version 3, but for brand new utilities who for the first time come under the tender embrace of the CIPs. To them, all of us in the community say, "Welcome aboard !!!"

An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:

Thursday, March 14, 2013

Metrics Mark the End of Faith-based Cybersecurity


Thanks to Dark Reading for covering the RSA 2013 metrics panel and for the article: "Governance Without Metrics Is Just Dogma."

To whom do we owe this powerful and provocative headline? Not the editors at Dark Reading, though they were smart enough to grab it and put it at the top. It was Alex Hutton, an Operations Risk and Governance director at Zions National Bank.

In case you're not used to seeing the word dogma in this context, let's refresh ourselves with a definition (thanks Wikipedia):
Dogma is an official system of belief or doctrine held by a religion, or a particular group or organization. It serves as part of the primary basis of an ideology or belief system. 

Monday, March 4, 2013

DHS' CSET: a Remedy for Electric Sector Security Measurement and Reporting Complexity Pains?

Sorry about that ridiculously long title, but felt it couldn't be helped this time. Thanks to Dr. Les Cardwell of Central Lincoln PUD, a publicly owned utility serving communities on the coast of Oregon.

Les wrote in and shared some of what he recommended to NIST and DOE regarding the recent RFI on the "Framework for Reducing Cyber Risks to Critical Infrastructure."

I'm not going to reprint the entirety of his submission, but will share with you two things here. First, Les' articulation of the need for a way to keep complexity in check as we go about this search for a new/better security framework for our community:

Thursday, February 28, 2013

Heralding the Dawn of Critical Infrastructure Security Metrics


You may like this blog because of its emphasis on business-oriented security metrics and measurement. Or you may loathe it for the same reason (though if you do, you shouldn't still be visiting much).

Can't measure, can't manage. On this we agree, right?

So ... we're two weeks past the Presidential executive order (EO) that kicked off a new round of meetings that will ultimately produce a new NIST framework for grid security. You can read about the goals for this thing, including the RFI process HERE.

Thanks to EnergySec's Patrick Miller, who tweeted yesterday that this round of work is designed, among other things, to produce metrics that can be used to assess the current security posture of your organization.

Wednesday, December 5, 2012

So Far, it Seems WAMPAC Systems are Insecure by (Lack of) Design


Thanks to colleague Jeff K for pointer to recent NESCOR reports.

First things first: in IBM and elsewhere the phrase "secure by design" is used to describe a project or a system where security requirements are considered at the earliest stages, right along with all the functional requirements.

Now for new initiates, WAMPAC = Wide Area Monitoring, Protection and Control, and the term refers to a group of new technologies and capabilities that will put the Smart in Smart Grid much more than the more attention grabbing Smart Meter.


Saturday, August 11, 2012

Perhaps Better Fettered: 2nd Thoughts on ENISA's Cybersecurity Report from this Side of the Pond

Had a number of reader responses to this week's post on the European information security organization's proclamation of intent and recommendations for the electric sector and Smart Grid. 

My post welcomed the attention to the issue by the EU, but expressed, hopefully in a mainly professional way, that this feels, to invoke a common American idiom, a day late and a dollar short.

Here are two additional observations I got:
1. One US respondent says "It contains no call for cooperation with US-CERT, FERC or equivalent body on problems that are clearly of interest to both sides. Compare with various DHS initiatives (such as DHS ICSJWG) which have included foreign participants."
Concur. References to SANS, NIST and DHS in the bibliography notwithstanding, it does appear that explicit calls for transatlantic, interagency cooperation are missing, and that this should be rectified in a next version.
2. Another true blue American notes "ENISA reports do not adequately address control systems."
While the bibliography is littered with entries for SCADA and Control Systems-related texts, it doesn't seem like much of that research made it into the final document. Still, while most of the 10 recommendations involve getting ready to get ready to do something, and control system security seems to be largely glossed over, there is, in requirement 6, language that might point to operational systems at some point:
Recommendation 6. Both the EC and the MS competent authorities should promote the development of security certification schemes for components, products and organisational security.
So I'll leave it at that for now. Would welcome an ENISA response. I always try to not be too hard on 1.0 documents because there's always the chance, if not the likelihood, that we'll see them improve in subsequent versions.

I know it doesn't want to be a fetterer, but my sense is that Europe will come to see the wisdom of getting a bit more explicit and comprehensive in these matters.  I know from experience that some of its utilities are looking for more guidance. OK? Back to the Olympics!

Wednesday, August 8, 2012

Unfettered: ENISA Announces European Smart Grid Security Intentions


Here's how the European Network and Information Security Agency put it a few weeks ago:
We are happy to inform you that ENISA has recently published a new study on smart grids’ security. This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing. This guidance is based on the results of a thorough analysis of the opinions of the experts who participated in the study.
Couldn't possibly be softer, gentler, or less threatening, I'd say. Sort of like what some of the North American utilities wish they had to deal with instead of the teethy and time consuming NERC CIPs. Certainly this ENISA stuff is much higher level, earlier stage guidance than the NISTIR 7628, which has now been available in some form for over 2 years.

But I note that we're hearing of no more significant cybersecurity breaches in the European electric sector than we are at utilities in the US. Maybe what some say is true: that expensive and time consuming compliance burdens and activities cut into the utilities' own cybersecurity efforts. The argument goes that if it weren't for the NERC CIPs, utilities might be able to better secure themselves.

At this point, it's hard to discern a difference in effectiveness between the European laissez faire approach to setting electric sector security rules and the more prescriptive North American one. Maybe the pluses and minuses of each roughly cancel out and for the moment, both are in reasonably good shape.

Although I bet that's a message you're not going to hear at the ICS CyberSecurity Conference coming up in October.

You can download the ENISA document HERE.

Europa Image credit: Wikipedia Commons

Thursday, July 26, 2012

The State of the States and Smart Grid Security

Readers, working your way through this comprehensive yet non alarmist EPIC PIECE of Smart Grid security journalism will take some time, because author and former NH PUC commissioner Nancy Brockway has done her homework and then some.

And unlike some unschooled energy security bloggers I know, she knows all the business angles. To wit:
Utilities might argue that they need pre-approval and current recovery of cybersecurity costs. Utilities and their smart grid industry partners sometimes claim that without such cost recovery, a utility will lack the ability and resources to pursue cybersecurity with vigor, presumably because in and of themselves, cybersecurity investments don’t generate revenue. However, the industry has it backwards.
See what I mean? OK, here's the cybersecurity funding smackdown:
If a utility executive says the firm won’t vigorously pursue cybersecurity absent a tracker to recover its costs outside the normal ratemaking treatment, the utility is signalling that it might not have fully embraced the goal of such security. And a utility that tries to reassure the commission that such guaranteed revenues can be clawed back on a later finding of imprudence might be hoping the commissioners are naive about how prudence reviews work.
Hold on; one more volley and it's over:
There’s a huge difference between pre-approving and providing extra-rate-case recovery of utility investments in cybersecurity, and making it clear that the commission understands the need to change out obsolete equipment and technology, beef up staff, and make investments to protect the grid. But if a utility cares so little about cybersecurity that it won’t pursue the smart grid or the cybersecurity component of the smart grid absent guaranteed, dollar-for-dollar, few-questions-asked revenues awarded outside of normal cost recovery, this should be a red flag to the commission about letting that utility install the connectivity inherent in the smart grid.
About the only point Ms. Brockway seems to have missed re: State actions is the recent publication of a pretty decent and helpful guide by NARUC, which we posted on earlier and you can view HERE. Didn't seem like you could comment on the article, but I'll be very interested to hear what folks make of her positions on these matters, particularly the funding aspects.

Wednesday, May 30, 2012

Workshop Alert: ENISA Flexing Grid Security Muscles in Brussels

This announcement, from the European Network and Information Security Agency (ENISA) hit my inbox earlier today and you might like to see it, especially if you are based in Europe (or would like a reason to visit). I reduced it down for your more rapid consumption:
  • Title: Workshop on “Security Certification of Smart Grid Components”
  • When: June 27, 2012
  • Where: Rue de la Loi, 130-1040 - Bruxelles (that's Brussels, Belgium, for you non Euro types)
  • Who (should attend): Participants and speakers of the workshop would be national certification authorities, EU officials, hardware and software manufacturers, energy service providers and certification laboratories from EU and US
  • Organizers: ENISA in cooperation with the European Commission
  • For details and to register, click HERE
The stated objectives of the workshop are to:
  • Support the Member States in better understanding the challenges of the Smart Grid component certification process 
  • Contribute in the harmonization of different certification policies followed by the Member States 
  • Invite Member States to present their national certification schemes and private sector to present their views on the matter 
  • Debate about the possible steps to take, at national and EU level, to speed up the secure introduction of Smart Grids
Sounds somewhat akin to IEC 62443 2-4. Perhaps there's some overlap or potential to leverage existing work. Anyway, if you've got something to contribute, or a desire to learn, go if you can ... and don't skip the mussels.

Monday, March 12, 2012

Wishful CERAWeek 2012 Energy Sector Security Thoughts


Had the great pleasure of participating in CERA's 31st annual energy conference last week in Houston. I was only there for one day, Wednesday, as I participated in a security panel that evening.

Earlier, the lunch keynote presentation was delivered by Royal Dutch Shell CEO Peter Voser, who addressed environmental and community concerns about the new natural gas recovery technique called fracking.

He suggested that the best approach was for the industry to be as up-front and transparent as possible, and cited his own company's self-policing policy called the "Tight sands/shale oil & gas operating principles", posted on Shell's website for all to see.

Essentially, Voser asserted that Shell's safety, environmental protection, and community partnering policies around fracking were not just a sound strategy for getting "out in front" of a potential PR problem, they were simply good business.

It struck me that perhaps here was a model for electric utility self-policing re: cybersecurity and privacy. Maybe if more companies in our sector would get out in front of cybersecurity fears and concerns with clearly broadcast policy and messaging, Congress and other oversight orgs (NERC, for example) would feel less compulsion to legislate additional layers of compliance requirements.

As my colleague Matt F pointed out, it may be too late to stop the 2012 Cybersecurity Act from becoming law. Utilities would have had to start their self-policing campaigns much earlier to stay Congress' hand. And with the recent mock attack on NYC, demonstrating, among other things, that current regulations like NERC CIP version 3 don't cover distribution networks, it looks like a fait accompli.

All full of speculation and wishful thinking here, but I definitely have a sense that this could have played out differently. And who knows, maybe the utility security self-policing idea, if it caught on and went wide, could begin to obviate and undo the need for the legislation, and lead to its eventual repeal.

Monday, March 5, 2012

Smart Grid Security Conference Alert: GridSec 2012 Coming Soon


Here we go again, with what appears to be the best line-up yet. Noticeably, there's going to be significantly more utility representation this time.

It already started moving in this direction in the last conference or two (San Diego, Knoxville) and hopefully we'll be able to move the center of security discussion from AMI and Smart Meters to securing increasingly automated substations, control centers, SCADA and control systems, and the various juncture points between IT and OT networks.

As usual, I'll be on a panel or two, and moderating some as well. 

Here are deets for you, as well as the means to get a discount if you have yet to register:

  • When: 27-29 March 2012 (the 27th is a workshop day)
  • Where: the Irving Convention Center in Irving, TX
  • Site URL:  http://www.gridsec.com/2012/
Discounts of various sizes are available depending on what kind of work you do. Go HERE and use this code BVAYVN

Photo credit: David Kozlowski on Flickriver.com

Monday, January 30, 2012

Full Disclosure from 2012 Distributech's Keynote Security Panel


It's fun to connect with and catch-up with energy sector security friends, and not always at security conferences. I think we all get a kick out of seeing each other and then dispersing back out into the world to promote the cause and fight our battles in all the different ways we do it.

In fact, it feels a little more special when we gather inside a larger conference context, which without a doubt is what you get at the mighty annual Distributech, which took place this year in sunny San Antonio, Texas.

So, enough chit chat. Let's dive into what was discussed on Thursday morning by these folks. Moderator Mike Ahmadi of GraniteKey expertly led a panel of experts on the topic of Security Standards, including:
  • Bobby Brown, Enernex 
  • Alan Rivaldo, Texas PUC 
  • Nate Kube, Wurldtech 
  • Darren Highfill, Man of Many Hats 
The guys covered several different topics in depth, including security metrics, vulnerability handling in IT vs. OT, social engineering, and perhaps, most provocatively, security information disclosure ethics and ramifications. Below find a few highlights for each one:

Metrics and Measurement
  • In the shadow of Basecamp (which we'll get to shortly), trying to gauge industry progress on security or lack thereof, Mike asked: "are products getting better?" and the response surprised some of us I think. Nate, who has been testing grid products and systems since he was knee high said "absolutely!"
  • Others chimed in that, slowly but surely, increased awareness has raised the bar for what's expected from vendors. Sometimes it's because utilities' RFPs' demand it, other times it comes from the vendors themselves. Altogether it's certainly too slowly for many of us, but the consensus seemed to be: tangible improvement is happening out there
  • Darren introduced the new DOE RMMM (in early development), referenced other maturity models and frameworks, and he and the panel seemed to contend that all of these, to a greater or lesser extent, help organizations baseline and roadmap their security functions and goals ... and who wouldn't want that!
  • Bobby Brown got some laughs (from me, anyway) when he likened the concept of security maturity standards for SG products to the carnival sign we all know that says "You must be this tall to ride this ride"
  • Nate praised an audience member's phrase: "at the speed of Metasploit". This set the stage for the later discussion on disclosure. (There's more on the Metasploit vulnerability and exploit development framework HERE if this is your first time hearing the term.)
  • Much to my delight, much was said about metrics and measurement in the early going, as we moved back and forth between contrasting the development and evolution of standards and guidelines (e.g., NERC CIPs, NISTIR 7628, IEC 62443 2-4, etc.) with demonstrable improvement in the security posture of utilities
Vulnerabilities in IT vs. OT

This may be obvious to many folks, and I've heard it mentioned quite a bit myself, especially concerning meters. But the point was made that in the IT universe, one of the primary modes for dealing with newly surfaced vulnerabilities as well as new types of threats is rapid change. Rapid change of hardware (we all want the latest gadgets, laptops and servers) is facilitated and driven by customer expectations of a refresh on these items every few years or so.

And we see even more rapid change in IT software, as patches to some systems are generated once a month, once a week or pretty much any time. We not only tolerate this pattern, we've come to expect it as a natural part of using the latest and greatest (and safest) software.

That of course brought us back to the OT part of our world, and its intrinsically different set of economics, values and certainly, hardware and software lifecycles. For many good reasons, the systems that support our operations centers, generators, transmission and distribution functions, to include both the hardware and the software, have simply not been built to accommodate frequent change. 

And the culture which wraps around these systems, both the users and the suppliers, is still largely hard-wired to make decisions based on comparatively very lengthy spans of time elapsing between changes.

According to Darren, factors that play into the longer OT hardware and software version lifecycles include:
  • How a system is built
  • How systems around that system are built
  • How we use these systems
And a question arose: are systems that are being designed today looking like they're more able to facilitate faster change cycles? Don't think we arrived at an answer on that ... and that means the answer might be "no"

Social Engineering

The panel got a question from an attendee on social engineering, that is, using plain old people skills (e.g., charm, friendliness, charisma, urgency, faux credentials, etc.) to gain physical access to secure areas, access control information, system configuration information, and just about anything else.

All agreed that typical utility workers' (stereotype to follow) inherent goodness and sense of trust and helpfulness made the energy sector more susceptible to this type of threat than say financial services on Wall Street, where (only slight exaggeration to follow) everyone is mean, greedy and suspicious of everyone else

One of the panelists from a testing org said social engineering is 100% successful whenever they use it (ouch). Though the same person noted that social engineering assessments are often one of the first services lined out by a utility when negotiating a contract for a comprehensive assessment.

Alan Rivaldo, the Texas PUC representative, after he made it perfectly clear that his statements made on the panel were not necessarily representative of his org, followed by saying that Texas takes insider and social engineering threats very seriously.

Disclosure and Information Sharing

Someone dropped a bomb (of a question) near the end. The panel was asked what it thought about the recent public disclosure of PLC/SCADA vulnerabilities in the OT products of half a dozen vendors, to include the attack code for each crafted in Metasploit.

While it seemed like most panelists believed that Dale Peterson of Digital Bond had acted with good intent: to speed up the remediation of the vulnerabilities by their respective vendors, there was substantial disagreement on whether this approach was justified and on whether it would induce the result Peterson said he sought.

One panelist contended that this action was necessary and valuable for "shining a light" on a broken process related to how DHS's ICS-CERT works with vendors to resolve known vulnerabilities. The point being, I think, that following the official policies, many vulnerabilities go unremediated if the vendor provides a reason for leaving the vulnerability alone.

But another said that the Basecamp project researchers' unilateral release of vulnerability details and exploits did little except increase the level of risk to asset owners.

The thing that got me was that, knowing the guys on the panel as well as I do, knowing that they are all men of extremely high intelligence and good will, and that they only want what's best for the community, I was really surprised that they disagreed substantially on the issues that the Basecamp disclosure episode surfaced. 

Clearly this is complicated stuff: ethically, technically, culturally. But I think there's no doubt that our thinking is maturing in some respects, and that the industry community, both the users and the vendors, is responding. It will take a long time for Basecamp to fully play out. Hopefully we'll mainly agree, when it does, that it had a net-positive effect on the electric sector's security posture.

Monday, November 21, 2011

European Smart Grid Cyber Security through American Eyes

You know, there are ways in which the EU Smart Grid Security & Privacy standards process mimics the structural problems that have so far stymied solutions to the EU budget crisis:
The initiatives are not harmonized. For example, the Netherlands’ approach to smart meter data privacy would be illegal in Germany because it forces a choice between personal data privacy and energy efficiency. Yes, the much loved opt-in has been outlawed in Germany.
See that? This is from Pike Research security analyst Bob Lockhart, who had the pleasure of attending the recent European Smart Grid Cyber Security conference in Amsterdam. Bob's been keeping a close eye on security standards forming and evolving in North America, and we've both talked and wondered out loud about how things were going in Europe.

Well, it seems like they're not going as well as they could be. Here's Bob again:
There is an entire document in the NISTIR 7628 series – Volume 2 – devoted to Data Privacy, an issue of great concern to European nations and their citizens. Someone suggested why not start with NIST’s cyber security guidelines, overlay European Data Privacy guidelines, and call it done? I am still trying to work out why that is not the answer. Instead there are ... five other efforts, all of which freely admit that they love the NISTIR documents, creating ... or recreating a new set of smart grid cyber security [and privacy] guidelines.
Bob goes on to talk about the need for urgency and haste, but you can just tell nothing's going to happen fast on that side of the Atlantic. And we thought things were slow on this side!

C'est la vie.

You can read his full post HERE.

Tuesday, October 4, 2011

Asset Owners Speak Out/Up at Smart Grid Security Summit West

What a great start. Five guys charged with improving the security posture of their large utilities all on stage, and fielding questions from conference organizer Mike Ahmadi and an audience full of security minded folks from all walks of life.

In no particular order, here are a few notes I took organized by speaker:

Jeff Gooding - Southern California Edison
  • Very interested in standards
  • Vendor certification would be desirable, though preferably nothing as heavy as the Common Criteria
  • Finds it takes approx 2 years for an IT security generalist to get up to speed and be competent in the operational technology (OT) arena
Ward Pyles - Southern Company
  • (Partly tongue in cheek, partly not) said Southern Co. doesn't talk security anymore. Rather, it's all about reliability ... doing what's required to keep systems operational and available.
  • To do this, he/they use a different, more business oriented vocabulary
  • Also, working with vendors towards certification
James Sample - Pacific Gas & Electric
  • Security is much more a people than a technology issue
  • Would like to see more standards baked into products at time of manufacture
  • Like Ward, increasingly uses reliability versus pure security in conversations across the business lines
  • Spends significant amount of time pushing vendors to deliver secure solutions
  • Wishes he could spend less time on vendors (above) and more time working with his people
Christopher Peters - Entergy
  • Security pros must be good communicators and tailor language to fit their audiences
  • Bridging silos is one of his main jobs
  • Having a CXO as a boss is very helpful in accomplishing the above
Stephen Mikovits - San Diego Gas & Electric
  • Very thankful for CPUC's order that CA IOUs generate 10-year forward looking Smart Grid deployment plans, including a major emphasis on security
  • This really helped SDG&E as well as the other utilities by giving them a platform to communicate security  requirements and recommended actions
So there you have it. Several themes emerge: security as reliability, language and communications, silo busting, supplier security and certification, importance of security standards. Seems like most in the audience felt like these were the right notes. I sure did.

BTW - I was working pretty fast. If you spot any typos or inaccuracies here, please let me know and I'll update the post asap.