
Monday, June 30, 2014

Get Schooled on ICS Sec by SANS at SERC in Charlotte

Here's the facts, just the facts:

Legendary cyber training institute SANS has joined forces with industry leaders to equip security professionals and control system engineers with the cybersecurity skills they need to defend national critical infrastructure.

Course name: ICS410 -- ICS/SCADA Security Essentials 

Course description: ICS410 provides a set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.

The discount: Receive a massive 5% off with discount code: SANSICS_SGSB5


Venue and date: SERC Reliability Corporation, July 14 – 18 in Charlotte, NC

Monday, November 25, 2013

ICS Electric Utility Attack Video and Aegis to the Rescue


SANS Securing the Human - ICS Attacker
The excellent security-minded people at the SANS Institute have produced an 8 minute video that walks you through a control systems attack.  The money they saved by using animation instead of Matt Damon or Morgan Freeman was put to good use as you'll see. For such an esoteric subject, this is a first rate video. For more info please visit the Securing the Human site at http://www.securingthehuman.org/

Meanwhile, to calm you down after the video gets your heart rate up, you should start learning about a new tool that's set for release at the upcoming SANS SCADA Summit. It's called Aegis and it's not an anti-ballistic missile system.  It's a testing tool to help ensure systems communicating with one of the most common SCADA and controls systems communications protocols, DNP3, are harder to attack.

You can read more about Aegis here: http://www.automatak.com/aegis/

And more about the SANS ICS Summit here: http://www.sans.org/event/north-american-ics-scada-summit-2014

Tuesday, November 5, 2013

Webinar Alert: UTC Cybersecurity Metrics Training


Never thought I'd see training on one of my favorite topics, but somehow the Utilities Telecom Council (UTC) is going to do it a week from now.  To some readers' pleasure and others' chagrin, I've done a million posts on metrics, some absurdly long (see: HERE), and I, for one, will be paying very close attention.

When: 12 November 2013, 2 - 3:30 pm ET

What: "This webinar provides an overview of metrics development and implementation approaches based on national and international standards and best practices. It describes how to develop and use metrics to gauge performance and facilitate improvement and gives examples from the utilities space."

How: Click HERE for more info and to register

Thanks again to tmorkemo on Flickr.com for this image ... my 2nd time using it

Monday, September 9, 2013

Conference Alert: EnergySec and NESCO Town Hall next Week


Ok, so usually I'm giving a heads-up about some conference or seminar you might want to know about, or even attend. But this time I'm saying that, but also revealing I'll be there too.

And I note, in the town where Peyton Manning recently threw 7 TD passes in one game and one can easily procure Rocky Mountain Oysters, I'll be joining luminaries from industry and a number of utilities too.

Here are the deets:

  • Where: Magnolia Hotel, Denver, CO
  • When: 17 - 19 September, 2013
  • What: Lots of stuff. Agenda HERE
  • How: Easy. You can still register HERE

For your edutainment, I'll be moderating a town hall style discussion about the current state and future of the cyber security workforce in the energy sector. We'll be considering full life (as in human life) cycle issues, from birth to tablet training, from kindergarten to college curriculum, from entry level security practitioners to ICS forensics wizards and all the way up the managerial stack to CSOs and CISOs.

Hope to break some new ground and capture some new ideas we can share with all and will do here on the SGSB during and/or right after. Will also tweet whenever possible using the hashtag #ess13.

Hope to see some of you there!

Photo credit: Daily Mail online

Thursday, September 5, 2013

The Things I've Seen Series: Part 2 - Execs Exempted



Last week I posted on an encouraging trend I witnessed over the past 2 years: the emergence in some utilities of security governance boards comprised of security and privacy leaders, often a rep from legal or compliance, and senior stakeholders representing different business lines.  Soon after it went live, I received multiple corroborations from friends in the field who have seen the same thing in their patches. This is all goodness.

But there are other, less uplifting trends you should be aware of if you're not already. I've seen senior executives who have not once met with their cybersecurity leaders and who feel they have no reason to do so. I've had senior state regulators tell me that they haven't really thought about cybersecurity until very recently. 

Thursday, August 29, 2013

Training Alert: SANS SCADA Security Training


By now you know the drill:
  • When: 16-20 September
  • Where: Las Vegas, NV
  • What: A hands-on SCADA Security course with over 20 exercises and labs that are performed on a portable SCADA lab that contains over 15 different PLCs, RTUs, RF, and telemetry devices. It was designed to bridge the skills sets of Control System Engineers, Technicians, and IT Security professionals
Click HERE to learn more and register.

And use this code to save some dough when you do: SANSICS_SGSB5

Photo credit: zekedawg00 @ Flickr.com

Monday, July 29, 2013

Rapidly Approaching Training Alert: SANS Control Systems Security

Depending on where you sit at the cyber security table, this might be for you or someone in your org.

Here's how the SANS folks describe it:
A rising number of cyber threats impacting industrial systems have increased the urgency to address security challenges for Industrial Control Systems. Learn how to develop an effective and comprehensive cyber security strategy and equip yourself with the technical know-how and skills to apply in these unique applications. Cyber security is an important element to achieve highly reliable and safe operations. SANS Hosted ICS training courses equip both security professionals and control system engineers with the knowledge and skills they need to safeguard these important systems.
Available classes: SCADA Security Training, Critical Infrastructure and Control System Cybersecurity, and Assessing and Exploiting Control Systems

OK now the details:

  • What: SANS Industrial Control Systems Training
  • When: 12-16 August 2013
  • Where (Generally speaking): Washington DC
  • Where (More specifically): the Westin hotel in Georgetown
You can register here: http://www.sans.org/event/ics-security-training-washington-dc and if you use this code you'll get a discount: SANSICS_SGSB5

Tuesday, July 23, 2013

SANS cyber security awareness training for eager utility employees ... and their regulators

I recently stumbled upon some excellent online training materials from the well respected SANS Institute that could be quite useful to you and your organization.

In a series of online modules, many of them tailored to the particular needs of utilities, SANS "Securing the Human" courseware seems to be an easily digestible, self-paced way to get important cyber security awareness messages across to a large number of users.

Note: NERC CIP content here is constructed around version 3, so with newer versions now approved by NERC and FERC, SANS will want to update certain modules accordingly. But 99% of the material is right on the mark, and would be appropriate for electric sector personnel outside the US as well.

Wherever you fit in the ecosystem, whether you're an executive or a rank and file worker bee, whether you're in a utility, a regulatory agency, a vendor, or just a user of digital technology who wants to stay safe, recommend you check it out.

---------------

SANS URL:

http://www.securingthehuman.org/utility/index

Wednesday, May 22, 2013

Training Alert: ICS / 2 Control Systems Security Sessions Coming Up

SGSB readers: first a brief housekeeping note. Due to a dose of awareness I just received yesterday, I'll no longer be including live links in posts. When I want to recommend a web page for you to visit I'll give you the full URL, which you can paste into the browser of your choice (see below).

OK moving on. SANS is developing an ICS & utility focused security practice with NIPSCO's Tim Conway assisting.  And this effort is already bearing fruit, with training classes coming up next month.  Here are the deets for you:

  • When: June 11, 2013 (Saturday)
  • Where: Westin Houston Memorial City, Houston, TX USA
  • What: two courses:

1) SCADA Security Training 
2) Pen testing ICS and Smart Grid
For more info and to register, do what you need to do with the following URL: 
http://www.sans.org/event/scada-training-houston-2013

Special SGSB Offer: use the code SmartGrid2013 when you register and you'll receive $150 off the Pentesting ICS or the Smart Grid or the SCADA Security Training course.

Friday, February 1, 2013

Conference Alert: SANS ICS Summit coming up fast

Smart Grid Security Blog readers: heads-up. I've decided that this year the time has come to do a massive press on Operational Technology (OT) Security issues.  I think the reason for the timing is obvious, but I'll make my case in a future post when I have more time.

And this won't be just for the US and North America, and it won't be limited solely to the electric sector. We'll look at OT security challenges and efforts in other industrial equipment-oriented critical infrastructure sectors.

But for now, get ready to see some announcements for upcoming conferences and webinars on this topic by some of the best and most experienced folks in the business. Details on the first one are right here:

Name

The 8th Annual SCADA and Process Control System Security Summit

Dates

Feb 6-11: Pre-Summit Courses
Feb 12-13: Summit (click HERE for Summit agenda)
Feb 14-15: Post-Summit Courses

Venue

Walt Disney World Disney's Yacht & Beach Club
1700 Epcot Resorts Boulevard
Lake Buena Vista, FL 32830

To Register

Click HERE to register for Summit
Disney Website: Walt Disney World Disney's Yacht & Beach Club
Reservations & Discounted Park Tickets: http://www.mydisneymeetings.com/sans2013

This week and a half would enable one to really immerse themselves in the topic. And maybe enjoy a little Disney time too.

Saturday, April 7, 2012

USAF Seeking (More than) a Few Good Cyber Men and Women

Thanks to my friend and Academy classmate Chris Davis (USAFA '85) for the heads-up on this recent Air Force news.

Wonder if anyone in DOD has heard of the excellent NBISE, an organization dedicated to cranking out a better breed of cyber defense professional?  Anyone out there know Space Command's General Shelton, quoted within HERE? Maybe he could send some scouts to watch for talent at NBISE's upcoming US Cyber Challenge. It's open for registration now.

Here are a couple of plugs for the event. First, from the Hon. Mike McConnell, former Director of National Security and Vice Chairman of Booz Allen Hamilton:
Our government and U.S. commercial companies are being besieged by attempted cyber attacks every day, and the nation needs as many resources as possible to prevent damage and the theft of intellectual capital. The U.S. Cyber Challenge offers a unique and exciting platform to identify the talent we need to defend our nation.
And here's Michael Assante, President & CEO, National Board of Information Security Examiners (NBISE):
The Cyber Quest competition and Cyber Camps are critical as our nation continually undergoes fast-paced changes in technology. Our growing reliance on digital technology requires concentrated efforts, like these, to identify and best develop the next generation of highly skilled cyber security professionals.
Please get the word out on this event if you can.

Thursday, January 19, 2012

Help Build the Cybersecurity Workforce the Electric Sector Needs Now


So reports of successful attacks in every geography and sector just keep coming and you wonder whether our increasingly connected industry is going to survive the cyber deluge, what with aging infrastructure, aging people, and fraying nerves.

Well, some highly motivated people, unhappy with the status quo, are organizing a response and now you and your org can play an important part. The National Bureau of Information Security Examiners (NBISE) in conjunction with DOE's Pacific Northwest National Lab are building ... (their words now):
.... a detailed Job Performance Model (JPM) for Smart Grid cybersecurity personnel in the functional areas of security operations, intrusion analysis, and incident response. We are currently in the process of identifying organizations to assist in the distribution of a Job Analysis Questionnaire (JAQ) devised in collaboration with a team of 30 senior cybersecurity professionals from stakeholder organizations involved in the development, deployment, and maintenance of the Smart Grid. This is an important effort to gather the experience of existing cybersecurity professionals from the industry.
I've played a small part in some of the early work and can attest these folks really have their act together.

So don't just sit there. The JAQ is coming Jan 25th and that's a little less than a week away. Click HERE for an excellent 10 slide overview, and please consider adding your expertise, as well as the heavy duty cybersecurity SMEs you're lucky enough to work with, to the team.


Wednesday, July 6, 2011

NERC set to Exercise Grid Cyber Security


We all know exercise is good for us, but not all of us regularly act on that knowledge. Well, NERC has seen our flab and is recommending we hit the gym.

NERC is sponsoring GridEx 2011, a cybersecurity exercise dedicated to incident response in the electricity sector in North America. The event will be held mid November 2011, and hundreds of utility companies are participating in various capacities.

You can see the press release HERE and if you work for a North American utility that's not involved yet, you can write NERC's Brian Harrell and he'll get you up to speed fast.

But remember this before you go getting all giddy: no pain - no gain.

Photo credit: Lululemon Athletic on Flickr.com

Tuesday, July 5, 2011

NBISE is Building a Better Smart Grid Security Professional

And the good news is, you can help. Click HERE to read a little more about this project, brainchild of erstwhile NERC CSO and overall grid security wunderkind Mike Assante.

If you're like me, you know how hard it is to find experts with solid grounding in IT security, control systems security and electric utility culture. There are, like, a dozen of them in the wild. And well, they're all a bit too busy to help with your problems. So Mike and his National Bureau of Information Security Examiners (NBISErs) colleagues have decided to grow them.

The SGSB has mentioned NBISE before (like HERE for instance). But now with a new website and a more mature plan, it's time the larger community gave them a real look. Another interesting new development you might want to start with is their ADAPTS program. Want it spelled out for you? That's Advanced Defender Aptitude and Performance Testing and Simulation. Good organization; great acronym.

Monday, January 3, 2011

Teaching the Old Grid New Tricks ...


... will require students versed in the art and science of engineering, including (but not limited to) electrical engineering. We used to say that in the future we'd need these folks. Well, with the recent passing of 2010, the future is beginning to look more and more like the present.

A present in which ...
A great deal depends on whether power companies can find and attract a sufficient number of engineers capable of designing, managing and maintaining the new systems the smart grid demands. And that’s by no means certain. The Center for Energy Workforce Development estimates that by 2015, 51 percent of the power-engineering workforce will need to be replaced because of retirement or attrition. And that’s just to maintain current levels. To drag our aging grid into the 21st century will require power engineers trained in the most sophisticated communications and control concepts.
Seems like the old immovable object about to be whacked by an irresistible force. In a tough job market, this much need can't and won't go unfulfilled for long.

This article quotes a manager at AEP as saying these vacant engineering roles will be filled by new personnel from one of three sources: re-trained internal folks, university programs and vendors. University investment in new teachers and courses has been constrained to say the least. Though the last word may belong to the DOE, which just slapped down a cool $100 million on the counter for Smart Grid training programs.

At the bottom of the article you may notice one reader asks "Just engineers?" The answer, of course, is of course not. Increasingly, folks with training in business and economics are called for as the old business models are poised for a most thorough revision.

And as for cyber security pros to watch over the systems designed and built by the new crop of inspired engineers and business folks, they're going to likely come from vendors for a while longer, until organizations like SANS and the new NBISE can get a bunch more out the door with the requisite energy sector chops ... like a firm grounding in SCADA/ICS, for instance.

Photo credit: USAFA (my alma mater) graduation by Beverly & Pack on Flickr.com