Thursday, September 16, 2010
Smart Grid and V2G Weather Advisory: IBM Twitterstorm Coming
Many SGSB readers, though well versed and skilled in the ways of technology, might nevertheless say, "what the hell is a Twitterstorm?"
It's a fair question, and my simple answer is it's an online conversation and Q&A session between a bunch of folks, conducted 140 characters at a time. Maybe by haiku. This is no place for the verbose, and maybe because of that, it should be information dense and entertaining.
As the title of this post indicates, the central focus is on EVs, PHEVs and their interaction with today's grid and the emerging Smart Grid. The Smarter Planet folks at IBM are hosting it this coming Monday, September 20th, and you can see details HERE on how to join in on the fun.
Please make it if you can. No umbrella necessary.
Photo credit: LISgirl / Emily on Flickr.com
(BTW, for those of you unfamiliar with Twitter and Tweets, prior to this BTW note, this post consumed 651 characters not counting spaces. Twitter counts spaces. That's brevity.)
Monday, September 13, 2010
SGSB Origin Story: Why Focus on Smart Grid Security
Either way, HERE's the piece ... and while you're at it, see if it in any way explains what you're doing here.
Thursday, September 9, 2010
SANS Sounds Off on NIST and NISTIR 7628 1.0
Because it's a little hard to find unless you were already a subscriber to the online newsletter, here's a short piece from SANS NewsBites, Sep 07, 2010 edition re: the announcement that NISTIR 7628 1.0 is final.
For those not in the know, this SANS is not "without" in French. Wikipedia's description does the job:
The SANS Institute, founded in 1989, provides computer security training, professional certification through GIAC (Global Information Assurance Certification), and a research archive - the SANS Reading Room. It also operates the Internet Storm Center, an Internet monitoring system staffed by a global community of security practitioners. The trade name SANS (deriving from SysAdmin, Audit, Networking, and Security) belongs to the for-profit Escal Institute of Advanced Technologies.
Here's the NewsBites item itself:
The National Institute of Standards and Technology (NIST) has published "Guidelines for Smart Grid Cyber Security," a three-volume, 537-page report aimed at "facilitating organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery." The publication includes "high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors and other threats."
Now you get three points of view from NewsBites contributing editors Tom Liston of InGuardians, John Pescatore of Gartner, and SANS' own Alan Paller. Note that Pescatore, and in particular Paller, slam NIST pretty hard for getting the guidance out bass ackwards (burying the most helpful parts at the end of the report):
Liston: Unfortunately, "smart grid" is just the latest in a series of technologies that have been deployed with security as an afterthought. While I applaud any effort to better secure our infrastructure, it's a bit late to talk about "security strategies" at this stage of the game. The key question is whether some of the quite-sound recommendations can be retrofit into the existing deployment models.
Pescatore: There is still an opportunity for better security to be built-in to the smart grid build out, vs. try to pretend a compliance regime like NERC/CIP will force it in later. Section 7 of the third volume has a good attack surface analysis that should be a starting point.
Paller: John Pescatore's comment illustrates one reason that this NIST document and others like 800-53 are exacerbating the nation's cyber risk instead of helping to mitigate the risk. NIST buried the critical information (the attack surface) in the 7th chapter of the third volume (after lengthy, but non-specific descriptions of 197 separate controls in more than 350 pages).
Paller (cont): A central tenet of effective security is that offense informs defense. In other words, do the most important things first! That means guidance must start with, and be organized around, the attack surface; and guidance must be prioritized according to risk from each attack vector. Which of the 197 recommendations matters most? Which must be implemented first? How will we know that they were implemented effectively? If NIST doesn't know the answers to those basic questions, what are they doing writing guidance? For failing to prioritize the guidance, and for burying readers in information of little immediate consequence, NIST earns a grade of "D" on its new report.
Here's a LINK to the third volume if you want to check out chapter 7. It begins on page 29.
I definitely support the editors' point that once again, we're seeking to add security after most of the horses have left the barn. That goes against the popular security mantras of the day: "Secure by Design," "Build Security In," etc. Though I'm not sure how this could have played out otherwise.
I'd be interested in hearing a candid NIST response to this criticism. They worked fast and furious for a long time bringing 7628 together and there's a lot of goodness in it. I saw some of that process first-hand as an early (albeit very infrequent) contributor. In terms of how they structured it in the end and what they chose to emphasize, there was definitely a method to their madness.
Labels: cyber security, NIST, NIST 7628, standards
Tuesday, September 7, 2010
Clock is Winding Down on NERC CIP 002-4 Mandatory Data "Request"
FYI: Utilities had until today, 7 Sep 2010, to respond to four not-so-simple questions/directives:
1. What is the number of elements in your Existing Critical Asset List?
2. For each element in the list above, use the criteria in the enclosed Attachment 1 (not provided here) to determine how it would be categorized. Each element on the list must be counted only one time. If a particular element could be qualified as multiple criteria, please choose the one that applies most to the element. The sum of the elements included in the answers to question 2 should equal the number of elements provided in the answer in question
3. Use the criteria in Attachment 1 to estimate the Critical Assets and each Critical Assets’ impact level that your Registered Entity would report for its share of the Bulk Electric System. Please count each Critical Asset only once. If a particular Critical Asset could be qualified as multiple criteria, please choose the one that applies most to the Critical Asset. It is understood that, given the time frame, this is a rough estimate and is not necessarily the exact number that you would report given enough time to perform a detailed analysis of your system.
4. Enter all of the NERC Compliance Registry (NCR) numbers that you are reporting on an enterprise-wide basis for.
It will be very interesting to see what comes of this activity. We should begin to get a feel for the version 4-driven increase in scope and complexity of NERC CIP preparation, auditing and reporting pretty soon.
The NERC survey page can be seen HERE.
Photo credit: laffy4k / Chris Metcalf on Flickr.com
Labels: CIPs, cyber security, nerc, regulation
Saturday, September 4, 2010
An Early Glimpse of V2G in Texas ... and a Volt Test Track
State fairs are big. Texas is big. So the Texas State Fair is a monster (see BigTex.com). This year's version has something big in the electric vehicles/V2G space, with an Electric Vehicle Showcase (EVS) on Thursday and Friday, Sep 23 & 24. Here are a few of the details from the site:
Auto Show: Witness the evolution into the next generation vehicle. Visit with companies, agencies, and municipalities involved in the development of the electric vehicle and infrastructure grid in North Texas in the adjacent exhibit area.
Exhibitors: DFW Clean Cities, North Central Texas Council of Governments, Oncor, TXU Energy, Green Mountain Energy, Chevy, Electric Vehicle North Texas, US Green Building Council North Texas Chapter, and others.
Chevy Ride and Drive Test Track: A unique opportunity to drive a Chevy Volt, activate the charging cycle, and learn how electric vehicles will not only be high performance, cost effective and convenient, but will also help air quality in North Texas.
Oncor Mobile Experience Center (MEC): The MEC will be on-site to demonstrate smart meter technology and give attendees a real-time look at managing electric usage that includes electric vehicle charging at home.
Location: Chevy Ride and Drive Test Track Pennsylvania Ave. Entrance - Gate 1
Sponsors: GM, Texas electric utility Oncor, IBM ...
You can mingle with executives from these and other companies at a VIP Reception Thursday evening. Tickets available HERE. And for more info on the EVS, click HERE. I'll be there and hope you can make it too.
Photo credit: Wikimedia Commons
Thursday, September 2, 2010
This Just In: The NISTIR 7628 Cake is Baked !!!
The final NISTIR 7628, "Guidelines for Smart Grid Cyber Security," is now available for download from the NIST Computer Security Division website. You can grab the three layers, er, volumes:
Photo credit: Kimberly Vardeman at Flickr.com
HERE (Volume 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements)
HERE (Volume 2, Privacy and the Smart Grid)
and HERE (Volume 3, Supportive Analyses and References)
But be forewarned: you'd better take small bites ... it's a big one! By now, after so many rounds of incremental edits, we pretty much know what's in it. But give us a little time to digest this final version and we'll have some observational slices to share soon.
Labels: cyber security, NIST, NIST 7628, standards
Tuesday, August 31, 2010
Energy Security by Design
Jack's been busy making commercials for IBM's Smarter Planet campaign, describing the company's new security mantra, "Secure by Design," in the context of Smart Grid and energy systems. Click HERE to see the first one on YouTube. And it looks like the film crews indulged him with another on a topic even nearer and dearer to his true passion: FOOD security.