Thursday, March 29, 2012

GridSec Texas Wrap-Up: One More Time with Tweets

Here are a few of the tweets from myself and others from GridSec day 2, to give you a tapas-style version of what went down:
  • Erfan Ibrahim: a mosaic of entities hold liability for grid security, but customers usually know/interact with only one. #GridSec
  • At #GridSec, Darren Highfill says we're already paying for security, we're just not calling it that, invoking Russian Roulette metaphor.
  • Both keynoters said cyber security maturity models (like DOE's bldg now) & business metrics might reduce likelihood of legislation #GridSec
  • Brese & Gunther both said cyber security maturity models (like one DOE's bldg now) & business metrics might reduce likelihood of legislation
  • At #GridSec just asked DOE's Robert Brese & Erich Gunther what would utilities have to do to put Congress more at ease re cyber security ... 
  • Recommend using Gunther's #GridSec preso 4 coaching security folks on thinking/speaking in language that's understandable to business folks 
  • Enernex CEO Erich Gunther kicking off #GridSec day 2. Echoing yesterday's theme of connecting security w/ safety for better business comm 
  • At #GridSec good presentation on offensive cyber security aka Active Defense. Discussing Hactivism, Cybercrime, Cyber Espionage, Cyber War 
  • Strong messages from speakers @ #GridSec on importance to move from geek speak to business speak so those C level folks get #ICSsecurity 
  • Several presentations at #GridSec are finally linking security to safety. #ICS http://www.us-cert.gov/control_systems/icsjwg/presentations/spring2010/08%20-%20Walter%20Sikora.pdf is a preso given a couple years ago 
  • #gridsec You can stop the Stuxnet artifact, but private industry does not have the means to protect against nation-state adversaries 
What was different this time? Well:
  • Without any prompting, I heard metrics, and especially business metrics, mentioned quite a lot this time
  • There was much discussion around control system security. In fact, one guy who attended the "Beyond AMI" panel yesterday said it was exactly because it wasn't about AMI. Duh!
  • As I said in a previous post and in the tweets above, linking security and safety was a common theme this time around
  • Lastly, we had more utilities here this time than ever before. Seems like a no-brainer, but without their real-world, pragmatic "what works" insights, this effort wouldn't be half as worthwhile
Sad to see it come to a close, but close it always must. Re-connected with all the old folks and met many new ones, and that was great. Didn't get to say anything like a proper goodbye to folks, so it looks like au revoir until October, back on the west coast, when we do this again. Andy

GridSec in Near Real Time - A Tale of the Tweets

This must be some type of social media sin, but I'm building this post almost entirely out of tweets I did from yesterday's GridSec conference. In reverse chronological order, they were:
  • Attending Chris Blask's great ICS security panel. Good to see more attention to control system security at the conference this time. #GridSec
  • "Beyond AMI" panel co's include Waterfall, Cisco, McAfee, GE and AlertEnterprise at #GridSec
  • At #GridSec, attempting Tweeting-while-moderating. A high wire act. But Beyond AMI panel off to good start with experts from 5 companies.
  • #GridSec Infra security panel seems to concur that appropriate info sharing is security goal #1 for next few years
  • #GridSec talk on sad topic: utilities won't report any attack that could earn them a compliance penalty, so helpful info doesn't get to help
  • In the Security Infrastructure panel, ERCOT speaker said one key focus area needs to be situational awareness. #GridSec
  • From #GridSec - linking security and safety in budget talks.
  • Rea#GridSec conf. First session is CXO perspectives with Vermont Electric's CEO David Hallquist bringing his usual candor, energy and insight
  • Tweeting from #GridSec conference this week http://bit.ly/HhIyj1

Have to keep this short for now, so the only commentary I have on the above is that unless you have comprehensive situational awareness (one speaker's suggestion), information sharing isn't that big a priority, as you have little to share. Utilities, and any organization for that matter, have to know what's happening with their systems in order to detect and hopefully thwart attacks, and also to report that info so others can be on their guard.

Day 2 begins soon ...


Wednesday, March 28, 2012

Tweeting from GridSec conference this week

Howdy from Dallas. This is the evolution of Mike Ahmadi's Smart Grid Security East and West events, which have been running twice a year since the first one in San Jose in 2010. Will shoot to summarize the key messages in a post when it's over, but will also blurt out the occasional tweet on the fly using the #GridSec hashtag on Twitter.

Thursday, March 22, 2012

Woolsey Ominous at GigaOm re: Smart Grid Security

I'm a fan of former CIA Director and energy security "Green Hawk" James Woolsey, and find myself on the same page at least nine times whenever he voices ten opinions. But at a recent energy tech conference he weighed in pretty heavily against electric utilities for not taking security challenges nearly seriously enough.

Two links coming at you. In this one, from the SmartPlanet blog, the primary impression seems to be that Woolsey wants to move the US as quickly as possible to more distributed forms of generation as a means of diversifying and decentralizing our sources of power. Hard not to agree there's goodness in that idea; it's the matter of expeditiously implementing that type of change on a large scale that's a grand challenge.

But in this post, from conference host GigaOm, it sounds more like Woolsey has an ax to grind against the utilities. This is a paraphrase I'm sure, but the point gets through:
Right now they’re more concerned with adding fun new features, but it won’t be so fun if the electric grid goes down for a few days.
"Fun new features" doesn't sound like the goal of any utilities I've been in contact with. Not even close. I assume that's his attitudinal shorthand for modernization activities a la the Smart Grid. But nobody I've talked to is doing anything for the fun of it: not Smart Meters, not AMI networks, not distribution automation, not demand management, not efficiency.

Woolsey's been known to call the Smart Grid "dumb" and to belittle new capabilities as if they were gadgets for consumers (e.g., saying people can turn down their AC with their phones on hot days, and then China-baiting by saying somebody in Beijing or similar can also reach your AC the same way).

To me this sounds like another voice in the growing chorus for more Federal regulation along the lines of the 2012 Cybersecurity Act. NPR had a decent, relatively balanced feature on the looming legislation this morning, HERE. And we discussed the pros a little and the cons a lot of this type of action in an SGSB post a few weeks ago, HERE.

I'm sure most would agree that improving the overall security of the electric system is desirable and doable. For example, perhaps adding a few carrots to a menu that currently consists entirely of sticks might foster some better results.

While I'm confident their intent is constructive, IMHO I'm not sure government is equipped to bring about the types of change Woolsey, CSIS's James Lewis, and many others think (or hope) they'll achieve through legislation. It would be great to see more utilities start taking the lead on this topic and control their own destiny, versus having it set for them.

Wednesday, March 21, 2012

Webcast Alert: NESCO on PKI for AMI, Smart Grid and ICS Networks

For those unfamiliar, NESCO = National Electric Sector Cybersecurity Organization. NESCO is running an upcoming webinar on Public Key Infrastructure (PKI) in the context of modernized (and modernizing) grid systems and networks, including control systems.

Here are the details you need:
  • When: Tuesday, March 27, 2012 at 10:00 AM - 11:00 AM ET
  • Link to Register: Click HERE
  • Associated NESCO PKI white paper is HERE
For more about NESCO, including how to get involved, click HERE

I'm getting a little tired of these all-capital HERE links, but let's do one more before calling it a night:

Click HERE to find out how New England fans feel about Tim Tebow joining the Jets today.

Monday, March 12, 2012

Wishful CERAWeek 2012 Energy Sector Security Thoughts


Had the great pleasure of participating in CERA's 31st annual energy conference last week in Houston. I was only there for one day, Wednesday, as I participated in a security panel that evening.

Earlier, the lunch keynote presentation was delivered by Royal Dutch Shell CEO Peter Voser, who addressed environmental and community concerns about the new natural gas recovery technique called fracking.

He suggested that the best approach was for the industry to be as up-front and transparent as possible, and cited his own company's self-policing policy called the "Tight sands/shale oil & gas operating principles", posted on Shell's website for all to see.

Essentially, Voser asserted that Shell's safety, environmental protection, and community partnering policies around fracking were not just a sound strategy for getting "out in front" of a potential PR problem, they were simply good business.

It struck me that perhaps here was a model for electric utility self-policing re: cybersecurity and privacy. Maybe if more companies in our sector would get out in front of cybersecurity fears and concerns with clearly broadcast policy and messaging, Congress and other oversight orgs (NERC, for example) would feel less compulsion to legislate additional layers of compliance requirements.

As my colleague Matt F pointed out, it may be too late to stop the 2012 Cybersecurity Act from becoming law. Utilities would have had to start their self-policing campaigns much earlier to stay Congress' hand. And with the recent mock attack on NYC demonstrating, among other things, that current regulations like NERC CIP version 3 don't cover distribution networks, it looks like a fait accompli.

All full of speculation and wishful thinking here, but I definitely have a sense that this could have played out differently. And who knows, maybe the utility security self-policing idea, if it caught on and went wide, could begin to obviate and undo the need for the legislation, and lead to its eventual repeal.

Monday, March 5, 2012

Balu Ambody on Smart Grid Security Gains at IBM's 2012 Pulse Conference


I'm still back in unusually warm Boston, about to head to Houston to join a cybersecurity panel at CERAWEEK on Wednesday.

But want you to know that a smart guy I've shared the stage with before, AMI vendor Sensus' Director of Information Security Balu Ambody, will be giving a talk on Smart Grid Security at the MGM Grand tomorrow.

It's part of IBM's huge annual "Pulse" conference, and if you happen to be there, you can beeline it to his session armed with the following info:
  • Session ID: BSI-1714
  • Title: "Smart Grid Security" 
  • Day/Time: Tuesday 3/6/12 at 14:00-15:00 Pacific Time
  • Venue: MGM Grand Conference Center, Room 306
  • Abstract: An introduction to smart grid security challenges, followed by a discussion of Sensus' use of IBM's security solutions to enhance the security of their smart meters and smart meter management system
Photo credit: Kevin Hutchinson on Flickr.com