Sunday, July 31, 2011
Grid Free & Gone ...
... backpacking, that is. This annual trek with a few trusted comrades never fails to reset all my clocks.
There's something about places like this that really settles you, no matter what's going on in your personal life or the larger world (yes, even including Washington DC).
Hope you have a great week and I'll be back on the job the 2nd week of August. That's a promise. Andy
Labels: Refresh
Friday, July 29, 2011
From the Left Coast comes Big News on Smart Meter Data Privacy Regs
No time to pontificate on this now, but wanted to make sure you saw the news. CPUC's formerly proposed decision has just become a decision, one whose implications could ripple across the US and impact future Smart Meter and Smart Grid deployments. See the Jesse Berst quick take on it HERE.
Weatherford speaks out on Compliance vs. Security
There's a lot to like in NERC CSO Mark Weatherford's new GovTech column on compliance vs. security in the energy sector, but my favorite part was the final paragraph:
Achieving a high level of security maturity and being compliant within a regulatory environment requires one fundamental component — a strategic vision for security. A strategic plan for achieving both your compliance mission and the overall corporate security goals should be complementary. But that’s a topic for a future column.
"Strategic plan" that melds security and compliance - absolutely yes. Make one or get one if you don't already have one. But "security maturity"? Let's have more on that. Definitely will be keeping an eye open for Mark's future piece.
The full article is HERE. And BTW, if you didn't catch it last month, a much longer and yet brilliant talk was given on this topic by a gentleman from FERC. Go HERE for a link to the SGSB post on it, as well as for the full transcript.
Thursday, July 28, 2011
Generating Leaders
For regular readers of the SGSB, this piece may seem a little bit off topic at first. But recall for a minute how many of the posts on this and other Smart Grid related sites are concerned with people and cultural issues vs. technology. While tech issues like inter-operability and security are hard to grasp for executives who lack a grounding in those disciplines, it's often the "soft" cultural challenges that end up being the real obstacles to change and progress.
And how does one come to master these? Well, the answer is simple: leadership and clear communications. The ability to analyze tough problems, formulate possible outcomes, settle on the best (or least worst) option and execute across a distributed, often stove piped organization.
So where do these capabilities come from, anyway? I want to tell you why I send my kids to summer camp every year. It's because, in no particular order, I know that they're going to get:
- A change of scenery - A change of tempo, rhythm and pitch from their normal school year activities, albeit with a lot more structure than "hanging out with friends" during summer break
- New experiences - New skills development. Team building and team work. Camaraderie. Stamina and toughness. Some failures and losses. Some successes and triumphs. All are additive to character development
- Connections with the past - The transference of cross generational lessons outside the confines of school and family. The counselors are some of the most amazing people I've ever met. While my time with them is relatively brief each year, I crave exposure to their dedication to the kids and the responsible, curatorial way they maintain and pass on enduring values
- Dis-connection with the techno present - No iPads/Pods/Phones. No TV/Tivo/Nintendo. Replace these distracting cognitive noisemakers with silence, laughter, loon cries, rain on tent flaps, screaming, yelling and cheering during competitions of all kinds, quiet talks and less quiet songs around the campfire at night
- Time alone and time together - You're alive here in ways you haven't had a chance to be anywhere else and you know it. You're at once totally on your own, and a blood brother/sister of an inseparable tribe too
- Encountering and connecting with other kids from other cultures - At my kids' camps in Maine, they share tents, cabins and athletic fields with peers from other states, countries, cultures. And yes, some stereotypes are affirmed: the campers from Europe and South America run circles around the US kids on the soccer fields. But, as they do, they teach the Americans some new tricks. The World Cup will be ours I'm sure ... eventually
- ... and lastly, and not necessarily leastly, they have tons of just plain old summer FUN
What they said was they found their son transformed by his month at camp. A whole new type of self confidence was evident. Self confidence, they reported, was squashed down for kids like theirs back in France. And they gave highest praise to the counselors, whose love of the kids was clearly apparent to them, and to the kids as well. Discipline here, you see, doesn't require threats or raised voices. Everyone is on the same page, trying to grow, and learn, and play, as individuals but also as teams.
The nice French folks said the US often gets a bad rap in Europe, but that what they saw in Maine this year was the best of American values ... and something sorely lacking in much of Europe and the rest of the world for that matter.
So why tell you all this? How's this relate to the well being of the Smart Grid and other critical infrastructure that runs our nations and the world? My answer: Good kids become good adults, and the camp experience fosters and helps generate character earlier than it might otherwise appear. It's not the only proven character forming pathway (see: the military), but it's a damn good one, and it's been doing it for over a century. If your kid or kids haven't had a chance to try it yet, maybe you can get them here (or somewhere like it) sometime soon.
Photo credits: Camp Winona (boys) and Camp Wyonegonic (girls), in Bridgton and Denmark, Maine respectively
Labels: leadership
Monday, July 25, 2011
Attacking Trends
Thanks to an energy infrastructure-focused former Navy officer (but not Mike Assante) for distributing a link to this article over the weekend. That's the way security folks are btw. The weeks often blend seamlessly into and through the weekends. And it's neither good nor bad that they do. It's just the way it is. And it's the way they are.
You'll find this piece to be part history review, part current situation update, and finally prognostication about where cyber attack trend lines are pointing. Overall, there's a lot to like in this Freakonomics article, but here are the two para's that stood out the most for me.
The first comes from cyber security pundit and blogger Bruce Schneier. To the question of whether things are actually getting rougher out there or do they just seem that way, he concludes:
It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.
I like that last line of course. And then there's this from security researcher Tal Be’ery of security product company Imperva, who paces us quickly through the evolution of cyberspace and the increasing value of what we (and the bad ones) can find there:
Here’s where we reach a critical problem: companies are poised for the old cyber security model which was designed to keep the bad guys out. However, the same convenience that allowed individuals to access data from their living rooms meant hackers could too, say from a Starbucks, or a dorm room or Timbuktu. The old paradigm—keep them out—stopped working. Protecting the network, while still important, became secondary to protecting data. Few have recognized this evolution—except hackers. Today, of the $16 billion spent on security [cross sector], less than 10% goes to data protection.
I'd add application security to data security to cover not just the target, but the new primary attack vector. Network and system security, as the saying goes, are necessary, but these days, far from sufficient.
You can read the full article HERE, and I recommend you do. There's a lot more to it.
Thursday, July 21, 2011
Why I am no Fan of SciAm's recent "Hacking the Lights Out"
For three reasons, primarily:
1. Misuse of the term "Hacking." The man on the street may have trouble using words correctly from time to time, but Scientific American is supposed to know better. Especially with terms, like hacker, that are clearly loaded. Hacking, by the way, used the proper way, doesn't constitute a bad thing. To the hacking and security conscious community, it's more like a creative (and often good) thing. This headline is not helping.
2. Can't read whole article and it costs $7.95 to buy the whole issue. And I don't see an option to buy just the article for less. IMHO that's way too much mula for one article by today's standards.
3. OK, the first two are really small potatoes compared to this one. How many times do I/we have to say it? Enough with the FUD mongering. Tabloids and other lower forms of journalistic life: from them I expect anything. But SCIAM, for me, anyway, is something greater ... better. Or at least I thought it was.
The "In Brief" section on page 1 lets me know up front they're going to discuss problems and threats, but it also says it's going to end with how security is being "ramped up". Fair enough. I definitely want to hear about what the good guys are doing so our lights don't get "hacked out". But if you get a chance to read the whole article, you'll be surprised by how little time it spends on proactive, defensive measures being taken. My non-scientific estimate of FUD-to-what we're doing is about 9 to 1.
I want more balance. I want less alarmism. That's all I want. You can read the first page HERE.
Labels: cyber security, FUD, journalism
Monday, July 18, 2011
Dear Utility CEO: Would your Company's Services Providers withstand these Attacks?
Which attacks? The ones that recently (and very successfully) targeted the Department of Defense, extracting what is admitted to be tens of thousands of files' worth of sensitive data.
No, this isn't Wikileaks. Bradley Manning is safely behind bars and the stolen info wasn't secreted away on CDs. You might want to think that Defense contractor systems are protected by super-strength security technologies, much more than you can afford, but in many cases you'd be wrong.
The strategies described in this FastCompany article from a couple days ago are relatively pedestrian (by today's standards), and they worked against the DoD by targeting some of its services and integration companies. To defend against attacks of this type, you would want to ensure that your providers had good corporate security policies established, kept current, enforced, and regularly audited. You would want to make sure that your own policies and controls were solid, and that your sourcing documents required that your suppliers' policies be as good or better if they wanted your business.
Dark Reading has a story this month on supply chain threats that goes much deeper than what I have room for here. Here are five questions you're recommended to ask your suppliers:
- What processes and technology do you have in place to detect security breaches and rogue employees?
- Do you regularly validate your security measures and can you demonstrate your compliance?
- What contractual obligation do you have to protect my company’s data?
- What’s the minimum amount of access to my network and data that you need to do your job?
- For cloud service providers, what measures can my company take, such as encryption, to protect my data?
Another thing you'd want to do: make sure database security controls are deployed (in your utility as well as in your suppliers) so that while a few documents might be lost in a successful attack, it wouldn't quickly escalate to hundreds or thousands.
Oh yeah, and one final change you can make to help: make sure everyone has their first cup of coffee NLT 6:30 am local. (If you read the FastCompany piece you'll see what I mean).
Photo credit: modomatic on Flickr.com