Tuesday, June 28, 2011

Good Smart Grid Security News from the Land of Nowitzki


You know, as a staunch anti Smart Grid FUDdite, it's not easy for me to praise the article that contains this quote:
If I’m a burglar, for example, all I’ve got to do is hack into the smart grid, and I know when you’re home and when you’re not home.
Ha, it's clear that hacking meters is easy as pie !!!

I think of burglars and immediately wonder what's this person thinking (I almost wrote smoking)? Unless you view what the MIT students famously pulled off in Vegas (as depicted in the film 21) as burglary, I just don't see the average, or even the above average, burglar investing in Smart Meter hacking school tuition. Heck, they probably don't even have the SATs to get in.

It may be important to note that said quote is from an attorney (and likely a good one) who helps run his firm's Cloud Computing and Cyber-Security practice team. Certainly that type of statement could drive some revenue.

Nevertheless, the reason for this post isn't the quote and commentary above, it's the title and tone of the larger article that caught my eye. Goes against the grain of 99% of media reports warning of the impending Smart Meter led apocalypse.

Especially good, I think, is this bit near the end:
“It’s impossible to design an impenetrable security system, but we have a multi-layered approach that’s overseen by several offices.” Oncor has a full-time security team that is constantly monitoring and addressing each security alert ... If there are irregularities, the team investigates them. If a problem were to arise, the team would take measures to lock it out of the system.
You don't have to be bulletproof to be secure (enough). And being able to see what's happening, and being ready to respond, is key. Got to like it.

How like Texas to be so unlike the rest. You'll find the full article HERE.

Oh yeah, and way to go Mavs !!!

Monday, June 27, 2011

Trailer for Smart Grid Security No FUD Zone


I had a really great time recording my first hour-long solo webcast recently, but sixty minutes of yours truly might be more than you can tolerate. If you're game, though, click on the image above for the webinar boiled down to a relatively spare 3 minutes.

Also recommend you register yourself HERE for the Virtual Energy Forum (VEF). These folks host a ton of extremely good energy speakers (if you'll allow for one recent exception, that is).

Wednesday, June 22, 2011

The Best Talk Ever on NERC CIPs and Grid Security ... Period

I've read some good stuff over the years, though never at work. In the classics department my favorites are The Heart of Darkness, Moby Dick and The Invisible Man. For somewhat shorter, if not lighter fare, I like Haruki Murakami and the Raymonds: Chandler and Carver.

But the line between pleasure reading and work reading has been big, bright and until recently, very, very bold. That is, until I found Stephen Flanagan's mature (by his own reckoning) perspective on the Critical Infrastructure Protection standards (CIPs), the culture of utilities, and the difference between compliance and commitment:
I have a problem with this term “compliance.”  In fact I think it’s bad terminology for the CIP program and gets us into the entire wrong mindset from the get-go. And why do I think this? Well although the term “compliance” has a more or less precise legal definition, its use among the uninitiated does not have the same connotations.  I fear that when many hear the term they look more to Webster than Black as the dictionary of choice.  And in Webster one is likely to find the word defined as: Compliance: –noun, 1. the act of conforming, acquiescing, or yielding. 2. a tendency to yield readily to others, especially in a weak and subservient way.
He asks "How does that grab you?" and continues:
... in my opinion, for reliability, and I stick CIP into the reliability program as a whole in this discussion, I think the better term would be “commitment” rather than “compliance.” Why “commitment” you may ask. Well again Mr. Webster provides some helpful insights: Commitment: –noun, 1. the act of committing, pledging, or engaging oneself. 2. a pledge or promise; obligation. 3. engagement; involvement. 
Flanagan concludes with "Now doesn’t that sound a whole lot better?" Yes, it sure does.

I've never heard the compliance vs. security conundrum more eloquently and simply put. Compliance mentality is an organizational, cultural disease that undermines real proactive security attitude and action. I'll take engagement and involvement every time.

There's a whole lot more to savor and appreciate in this learned, witty, irreverent article. You may find the occasional typo, and maybe the title's a bit alarmist, but that's likely because this isn't actually a work of great literature. However, in my experience, and in our space, Stephen Flanagan's keynote address is one for the ages ... a grid and Smart Grid security masterpiece.

You can read the whole thing HERE.

Tuesday, June 21, 2011

Electric Sector Supply Chain Responsibilities re: Security


I found a recent post "Fix the Problem, Stop Bailing out Vendors" on the Digital Bond blog quite compelling.
Author Dale Peterson begins thusly:
We, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to their models available for sale today. Beginning with authenticating the source and data sent and received from the PLC and continuing with other Security 101 features. We should not say or pretend that any other solution besides this is acceptable.
... and what follows is some interesting back and forth between Peterson and SCADAhacker Joel Langill, as well as a number of pretty well informed commenters, on how best to approach these challenges, and with whom the ultimate responsibility lies.

While Siemens is mentioned because its equipment was targeted by Stuxnet, all makers of intelligent, connected grid systems (and I'd certainly include grid and Smart Grid software and application vendors here as well) should have their feet held to the fire re: the security functionality of their products.

We can try to do that via regulation, or we can start asking, and then demanding it in RFPs and other sourcing docs. One way or another, solid security functionality is becoming a real requirement. Let's not pretend otherwise. And let's not let others pretend otherwise. Click HERE for the full post.
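To make "authenticating the source and data sent and received from the PLC" concrete, here is an added illustration. It is not code from Peterson's post, Digital Bond, Siemens, or any real controller protocol, and it assumes a hypothetical per-device shared symmetric key, a truncated HMAC-SHA256 tag over a sequence number, device id and command, and a receiver that rejects bad tags and replayed sequence numbers. Key provisioning and rotation are out of scope here and would be the hard part in practice.

```python
import hashlib
import hmac
import struct

# Constructed example key. Assumption: each PLC shares a distinct symmetric
# key with its control host; how that key is provisioned is not shown.
SHARED_KEY = b"example-per-plc-key-32-bytes-long!!"

HEADER_FMT = ">IH"          # 32-bit sequence number, 16-bit device id
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 16                # HMAC-SHA256 truncated to 128 bits


def build_frame(key: bytes, seq: int, device_id: int, command: bytes) -> bytes:
    """Sender side: header || command || tag.

    The sequence number and device id sit under the tag, so an attacker can
    neither re-target a captured command nor replay it unchanged.
    """
    body = struct.pack(HEADER_FMT, seq, device_id) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class PlcReceiver:
    """Receiver side: the check a PLC/RTU would run before acting on a frame."""

    def __init__(self, key: bytes, device_id: int):
        self.key = key
        self.device_id = device_id
        self.last_seq = -1          # highest sequence number accepted so far

    def verify(self, frame: bytes):
        """Return (command, "ok") or (None, reason) for a rejected frame."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None, "short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        seq, dev = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
        if dev != self.device_id:
            return None, "wrong device"
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body[HEADER_LEN:], "ok"


def demo():
    """Walk a receiver through a genuine, tampered, forged and replayed frame."""
    rx = PlcReceiver(SHARED_KEY, device_id=7)
    results = []

    genuine = build_frame(SHARED_KEY, 1, 7, b"OPEN_BREAKER_3")
    results.append(rx.verify(genuine))                     # accepted

    tampered = bytearray(build_frame(SHARED_KEY, 2, 7, b"OPEN_BREAKER_3"))
    tampered[HEADER_LEN] ^= 0x01                           # flip a command bit
    results.append(rx.verify(bytes(tampered)))             # bad tag

    forged = build_frame(b"attacker-guessed-key", 3, 7, b"OPEN_BREAKER_3")
    results.append(rx.verify(forged))                      # bad tag

    results.append(rx.verify(genuine))                     # replay
    return results


if __name__ == "__main__":
    for command, status in demo():
        print(status, command)
```

Without the tag, any host on the control network that can reach the PLC can issue the command; with it, the receiver refuses frames it cannot attribute to a key holder, and the sequence counter stops a captured "open breaker" frame from being played back later.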

Photo credit: manpages on Flickr.com

Thursday, June 16, 2011

How much Smart Grid has been deployed so far?

Not all questions can be answered on the fly.  In fact, not all questions can be answered, period:
  • What, for instance, is dark matter?
  • What is my cat thinking?
  • Is there intelligent life on Earth?
  • How does Tim Thomas stop so many shots?
Heck, 99% of us can't even agree on what the Smart Grid is, let alone have a clue about when it's going to be here. Nevertheless, after being asked the question in the title above, I pledged to do some digging and post a response here on the SGSB as soon as I thought I had something. This came at the tail end of the recent Virtual Energy Forum (VEF) session called: "Lessons from the Smart Grid Security No FUD Zone." You can try getting to it by clicking HERE, but good luck.

Now without further delay, procrastination or obfuscation, here we go. If you look at this SmartGridNews write-up of a recent IDC Smart Grid market report, the picture may begin to come into view for you. Sometimes you can infer the past by getting a glimpse of the future (a nifty reversal of common wisdom that you can better imagine the future by studying the past).

Around the world, Smart Meters are being deployed in ever increasing rates. Home energy management systems are expected to go through the roof (so to speak). And grid automation is coming on strong. So, question: how much is deployed today vs. what will be ultimately deployed in 5, 10, or 20 years?

Answer: Some of it, not all of it. We're still in the early days. Given the pace of technology change, probably the very early days. It's a good question to keep asking, though, and for some of us to try to keep answering. But I reckon it ain't ever going to be fully answered, because the Smart Grid (if it's still called that in the future) won't ever be fully here.

Photo credit: Radar Communication on Flickr.com

Monday, June 13, 2011

NRECA's Great New Guide for Coop Cyber Security


We can thank the DOE, NRECA, and DC-based software security firm Cigital (and in particular, Cigital's Evgeny Lebanidze) for the impressive and thorough Guide to Developing a Cyber Security and Risk Mitigation Plan, released recently.

What's NRECA?  Hmm, if you don't know that acronym, you must be some kind of big urban utility city slicker. So for your information, it's the National Rural Electric Cooperative Association, about 900 smaller utilities that make sure electricity gets not just from point A to point B, but all the way to points X, Y, and Z.

What I like best about this guide is that it has almost nothing to do with compliance, and therefore helps orgs focus on the policies and practices outlined in NISTIR 7628. Speaking of which, at almost 600 pages, 7628 is just too big a beast for most utility security practitioners (or anyone else for that matter) to digest. While the community is waiting for implementation guides from NIST that should make 7628 more practical, the just-released NRECA Guide does break it down into actionable, prioritized parts, beginning with a quick start guide.

Actually, even before that, it reveals its scope and intent:
This document is intended to help cooperatives develop a cyber-security plan for general business purposes, not to address any specific current or potential regulations. Its foundation is the ... NISTIR 7628, which is a survey of standards and related security considerations for the smart grid ....  real security requires more than simply compliance with rules – the organization must embrace security as a basic requirement of business operations and develop a broad understanding of security. 
Often hungry if not starved for resources and guidance, coops need all the help they can get. With the arrival of the NRECA guide, they can begin down a well marked path towards better cyber security and risk mitigation planning in the age of the Smart Grid.

Photo credit: Gloucester on Flickr.com

Saturday, June 11, 2011

What's Going On? - US Outage Reporting from DHS

Hat tip to IBM physical security pro Clayton Hollister for pointing out this great resource: the DHS Daily Open Source Infrastructure Report ... pronounceable acronym: DOSsIeR.

Simply click the day you want to check out, select "fast jump" to energy and you'll get DHS' account of some of the most significant (not too sensitive) electricity outages in the USA. Or pick another sector like nuclear, chemical or water to see how they're faring.

I think you'll agree this is pretty interesting if you haven't seen it before. Sure is a heck of a lot of info and incidents to manage. Good thing DHS has 200,000 employees. Holy cow, that's huge. They're almost half the size of IBM!