Monday, October 31, 2011

Conference Alert: Wise up at GridWise Global Forum

This is a big one, and though it's not security focused, security topics will certainly be in the air, and yours truly will be on a privacy panel on Wednesday.

From what I heard of last year's event, this is one of the most high powered Smart Grid conferences on the planet. Note the presence of some senior and very senior international leadership from government and multiple industrial sectors (not just energy).

Details:
  • What: GridWise Global Forum
  • Where: Washington DC, Ronald Reagan Federal Building
  • When: 8-10 November 2011
For more info on speakers, agenda and to register, click HERE


Conference Alert: European Smart Grid Security & Privacy


Lately, my work has included significant amounts of privacy, data security and information governance, so that makes this conference coming up in two weeks, with its mix of security and privacy, seem particularly helpful and timely. 

In the energy sector, privacy has been primarily associated with Europe and Canada in the past, but now that the California PUC has ruled on customer usage data privacy, we're expecting to see it come to the fore in the US as well.

Here are the details if you want to check it out:
  • What: European Smart Grid Security and Privacy
  • When: Nov 14 and 15
  • Where: Amsterdam
For more info on the conference and to register, click HERE
For more info on the venue, click HERE

BTW - if you have a chance to walk around Amsterdam and crave food that's fast, good for you, inexpensive and extremely fresh and tasty, I found Wok to Walk my last time there and loved it.

Photo credit: Leo-seta on Flickr.com

Tuesday, October 25, 2011

DOE doing Little to Demonstrate or Inspire Cyber Security Confidence in the Sector it Regulates

I don't want to sound harsh or ungenerous, but the timing of this audit report, paired with its sad contents, is not great.

Long story short: known vulnerabilities in DOE systems are up; successful attacks endured by DOE systems are up, and DOE spokespersons are trying to cover it up / play it down:
We are concerned that a casual reader of this report might not fully understand that the findings, while important, do not represent demonstrated risks.
This from the agency's associate administrator for management and budget, in a letter to the DOE Inspector General.

As I said in a recent post, I'm now beating the bushes in search of energy sector exemplar organizations and am starting to find some ... two large Investor Owned Utilities (IOUs) so far. Would like to find similarly forward leaning examples of other types, including munis, co-ops and Federal.

IMHO DOE should be the model Federal organization when it comes to implementing and managing cyber security policy and controls and leading by example. That it's apparently another basement dweller, according to multiple recent audit results, only invites more scrutiny and more attacks.

Would love to see an energetic turnaround expert / change agent get in there, work on the culture and get them far better results next time. Sure you would too.

Here's the article in Reuters.

Monday, October 24, 2011

McAfee signals "All Clear" following its Duqu Alarm

Was able to attend most of the webinar today, where Peter Szor, senior director of research at McAfee Labs, laid out his and his company's latest thinking on the Stuxnet variant to a largely electric sector audience.

Here are the essentials, according to Szor:
  • There's been no control system involvement
  • Duqu is not targeting energy or utility assets
  • Attacks have been observed in the UK, US and Iran
  • Also maybe in Austria, Hungary and Indonesia
  • The command and control server is/was based somewhere in India
That's it. I hadn't posted on Duqu yet because I was trying to gauge its potential impact on our industry before making an alarming sound myself.

So far it looks like you can go back to security business as usual, which means you're paranoid, anxious and jumpy, and that a note like this telling you Duqu is harmless only makes you more certain that it's anything but.

Such is life in this happy profession.


Welcoming Weatherford to his new DHS Cyber Security Post


I've got a note here this morning from National Bureau of Information Security Examiners (NBISE) founder and former NERC CSO Michael Assante. Perhaps there's no one who understands the challenges Weatherford faced at FERC more than Mike. As a frequent advisor to FERC and Congress on critical national infrastructure security issues, few are better placed to know the obstacles and opportunities that await the new DHS Cybersecurity leader:
I would like to extend my congratulations to Mark Weatherford on his appointment as the new Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) and am very pleased to see such a capable and experienced leader take the helm. 
Mark has always carried a deep sense of mission into his assignments and in doing so has been able to motivate people, build teams, and mobilize entire communities. His background makes him an ideal choice for the Deputy Under Secretary position as he has experience working across large government enterprises and his most recent post, as the NERC CSO, has prepared him to appreciate the unique challenges involved with cybersecurity and industrial control systems.
At NERC, Mark helped broaden our thinking about cybersecurity and our digitally reliant infrastructures. His vision has pushed organizations to look beyond compliance to develop a comprehensive approach by including system engineering, planning, operations, risk management and security into efforts to secure our infrastructures. Mark’s leadership will help ensure national efforts align with front line reality as our nation continues to modernize our grid to increase productivity and efficiency.
We should look for opportunities to support Mark and the department in the months ahead to achieve greater cyber-resilience in our nation’s critical infrastructure.
Hear hear. Mark Weatherford has now seen how the cyber security policy sausage is made at the state level twice and Federal level once, in a large company, and in the DoD for the US Navy at the beginning of his career.

Sausage making is never pretty. But if you know how it's done, how it can go wrong and what ingredients are required to produce the best stuff, you can do a lot of good. Let's wish him well, and, seconding Mike's call to assist, pitch in wherever and whenever we can. Even with a strong leader, this type of sausage making is, after all, a team sport.

Photo credit: Govinfosecurity.com

Tuesday, October 18, 2011

Do it for Mom: Knocking out Smart Grid Vulnerabilities Early this Holiday Season


Unless you're in Texas, where until recently roofs were melting and tires exploding, you've noticed the new autumnal smells in the air, right? So right about now who wouldn't want Smart Grid security, motherhood and/or apple pie? That's what this new Oak Ridge National Labs (ORNL) project promises:
Rather than wait for signs of a security problem to crop up in smart-grid technologies, wouldn’t it be better to automatically analyze software and hardware to uncover vulnerabilities, whether accidental or malicious?
I think this must be a trick question; the answer seems so obvious:

Add one part DOE lab, another part respected energy sector security service provider Enernex, and a generous dollop of AMI vendor Sensus, and it appears you've got a formula for something that's been missing in Smart Grid supply chain security ... until now.

Let's see how this goes.

Click HERE to read more on this.

Photo credit: cotaroba at Flickr.com

Tuesday, October 11, 2011

Electric sector security evolution: forward leaning exemplars vs compliance-focused knuckle draggers

This is the last of my posts from last week's Smart Grid Security Summit West, held in an unusually damp San Diego.

OK, knuckle draggers may be a little harsh. I apologize. But a whole new approach to meeting security, privacy and compliance demands in the electric sector may be emerging, and, depending on where you work when you read this, it's one I think you'll like a lot.

The outlines of a new approach appeared during the security metrics panel on day 1 and continued to resonate till the end of the conference on day 2, and basically it came across like this:

While the vast majority of utilities today seek to achieve an acceptable level of security and risk reduction via compliance with version 3 of the NERC CIPS, and preparation for what looks likely to come from NERC in subsequent versions, a couple of utilities, supported by their CEOs and/or empowered by recent crises, intend to set and implement higher-level security baselines for themselves.

I won't say who they are; it's probably best if you hear that directly from them or infer it yourself. But if these two can get the process started, and perhaps coax another one or two to join them, then they may be able to carve a wide path that many of the precedent-following rest can follow.

Imagine an industry where mere compliance with the lowest government enforced controls is no longer considered a best, or even a good business practice. Wait, this is starting to turn into a John Lennon song. Probably a good idea to stop here, but stay tuned for more on this.