Thursday, May 24, 2012

SGCC Releases Smart Grid Privacy Fact Sheet


In January of this year we gave you a privacy post related to the Smart Grid Consumer Collaborative (SGCC) from a panel session it organized the day before the Distributech conference in San Antonio.

Time has passed and now the same great org has produced a short, sweet, and very helpful fact sheet on Privacy for the layman, also known as the "man on the street", the "generalist", the "consumer" or from the electric utility industry's point of view: THE CUSTOMER.

The 2-sided sheet contains lots of helpful orienting bits like what's a "smart grid" and "what is a smart meter", but the part I like best comes near the end:
The privacy of electricity usage data is protected now and that will not change with the use of smart meters. Electric companies, the federal government, and the suppliers of critical electric grid systems and components are working together to strengthen consumer safeguards, develop a best-in-class data security model and enforce its implementation.
Talk about a pure pro-education / anti-FUD message. I think I am in love.

Photo credit: Roland at Flickr.com

Tuesday, May 22, 2012

WSJ on Speaking Cybersecurity Truth to Power

This is a short post with a security message that appeared in a prominent place, a message worth repeating.

In the Wall Street Journal's relatively new CIO Journal, editor Michael Hickins highlighted recent statements from a local Boston-area healthcare CIO, and pointed to preliminary findings in a Carnegie Mellon cyber security and corporate governance report.

In "Speak Cybersecurity Truth to Power", Hickins said:
Boards of directors are clueless when it comes to cybersecurity — and that’s a great opportunity for CIOs to prove their worth. John Halamka, the highly regarded CIO of Beth Israel Deaconess Medical Center in Boston, tells CIO Journal that “cybersecurity is a great way to stay in touch with the board because there’s high visibility.”

Monday, May 21, 2012

Measuring Security? In the Electric Sector? Are you Serious? Someone Is.


Tried making the case most recently with Time for Electric Sector to Measure Up on Security and Smart Grid Security Truth: You Can't Do What You Don't Measure but couldn't detect a measurable response.

Without a lingua franca for security, how will anyone ever know which organizations are doing a comparatively better or worse job? Whether one's own organization is kicking butt or having its butt kicked?

Chances are the only folks with this information today are hackers who spread their attacks across dozens of them. They can see which utilities offer them an easier path in than others. But I don't imagine they're sharing this information too freely.

I'm tired of this ambiguity. Perhaps you are too. And so, it seems, is the State of California.

Wednesday, May 16, 2012

Re-reminding you about NESCO's upcoming Electric Sector Risk Management Session


In a few weeks (30-31 May to be specific) there will be another grid security and risk management conference. As someone who keeps an eye on all of them, I can say not all conferences on this topic are created equal, and this one, run by the DOE-funded National Electric Sector Cybersecurity Organization (NESCO), appears to be one of the best.

Posted on it a few weeks ago HERE, or you can go directly to the event site HERE.

Photo credit: New Orleans Marriott

Tuesday, May 15, 2012

Announcing the First Electric Sector CSO List


You've been holding your breath for this, I know, so I'm happy to announce you can resume normal respirational activities. As the title says, this post begins the process of assigning kudos to utilities who've been so bold and proactive as to appoint and empower a senior professional to run cyber security across their organizations.

By this I mean a senior business (more than a technical) professional charged with developing, promulgating and enforcing security policy across operational and information technology boundaries, across all lines of business.

Monday, May 7, 2012

IBM CISO Study as Predictor of Future Electric Sector Cyber-Security


IBM recently interviewed security leaders in a bunch of companies, recorded their responses, and teased out findings that I think you'll find interesting.

Respondents ultimately fell into one of three categories: Influencers, Protectors and Responders. I can't say how many electric sector professionals were queried, but there's a callout box featuring an anonymous VP of IT who is quoted as saying:
Security leaders are becoming more closely integrated into the business – and more independent of information technology.
Right on, and from my interactions with the community, that statement holds true for a small but growing number of utilities.

Wednesday, May 2, 2012

Another Disclosure, this time with ICS CERT's Blessing


We're only a few months past Basecamp, and here we go again. Only this time there are fewer voices urging restraint.

Wired's Threat Level blog put up a story of a certain control system OEM that seemed uniquely unaware of the risks it had built into its products, and unwilling to make a change of any kind. At the time of publication, 25 April 2012, the company still hadn't budged.

Then, on 1 May 2012, the Christian Science Monitor was telling a different story: the vendor pledged to make and distribute a fix.

The Wired article ended with a couple of sentences that concisely capture this problem and make you want to laugh and cry at the same time:
Numerous researchers have been warning about the vulnerabilities for years.  But vendors have largely ignored the warnings and criticism because customers haven’t demanded that the vendors secure their products.
Have you heard the term "goat rope"? How about "goat rodeo"? This situation is definitely one of those ... and maybe both. Hope both the vendor and user sides figure out how to get their ducks in line, and fast.

Photo credit: Mike Baird at Flickr.com