ICS Lab for Grid Security Research, Training and Demonstrations

In case you're not already tuned into this community, but might want to be, I submit for your review the contents of an email I received yesterday.  It goes like this:

Greetings ICS-ISAC Members and partners! 

The ICS-ISAC and MS-ISAC are partnering with several key Members to create an ICS Security Lab as a shared asset for research, training and demonstrations. Physically hosted in Livermore, CA by Robot Garden the Lab is now in Phase One of procuring equipment and establishing the virtual capabilities that Members can have access to. 

If you are interested in participating in this activity or have equipment that would be of benefit to this endeavor please send a note to ICS-ISAC Chair Chris Blask at chris@ics-isac.org
There is also a LinkedIn group for collaboration at http://www.linkedin.com/groups?home=&gid=4932821&trk=anet_ug_hm&goback=%2Emyg

Acronym Legend:

ICS-ISAC = Industrial Control Systems Information Sharing and Analysis Center

MS-ISAC = Multi-State Information Sharing and Analysis Center

That's all I got.

EnergySec Welcomes NERC CIP Virgin Utilities with Version 4 Briefing

Titled "Get Ready for Version 4" the deck linked at the end of my words has some great and helpful info in it, not just for utilities transitioning from version 3, but for brand new utilities who for the first time come under the tender embrace of the CIPs. To them, all of us in the community say, "Welcome aboard !!!"

An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:

NatGas Cybersecurity getting a lot more Visibility

Thanks to colleague H. Chantz for spotting this article and sending this way.

As has been the case quite a bit this year, once again we are in the realm of SCADA/Control System security. William Rush of the Gas Technology Institute states it plainly, if somewhat dramatically:

Anyone can blow up a gas pipeline with dynamite. But with this stolen information, if I wanted to blow up not one, but 1,000 compressor stations, I could,” he adds. “I could put the attack vectors in place, let them sit there for years, and set them all off at the same time. I don’t have to worry about getting people physically in place to do the job, I just pull the trigger with one mouse click.

There are no NERC CIPs for the gas industry, but with 25-30% of US electric power and a whole lot of home heating coming from gas, it's time to get moving on better securing this infrastructure.

Pipeline operators, now alerted to the fact that sensitive access control information to important subsystems is in the hands of folks outside the industry (and outside the country it seems), need to get moving. And I'm sure they will, but it's a BIG job.

The whole Christian Science Monitor article is HERE.

Photo credit: War News Updates

Boxing the Fundamental Assumptions of Cybersecurity Risk Management

Here's something to wrap your head around (or more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development processes, an effort begat by the recent Presidential Executive Order.

Many in our community love to talk about risk management as the common sense, business oriented antidote to the mandatory and therefore inflexible and slow moving instructions in the NERC CIPs.

You could certainly put me at least half in that camp.  Well, after reading THIS sharp Brookings paper from Ralph Langer and Perry Pederson, that half of me is feeling a little wobbly.

Metrics Mark the End of Faith-based Cybersecurity

Thanks to Dark Reading for covering the RSA 2013 metrics panel and for the article: "Governance Without Metrics Is Just Dogma."

To whom do we owe this powerful and provocative headline? Not the editors at Dark Reading, though they were smart enough to grab it and put it at the top. It was Alex Hutton, an Operations Risk and Governance director at Zions National Bank.

In case you're not used to seeing the word dogma in this context, let's refresh ourselves with a definition (thanks Wikipedia):

Dogma is an official system of belief or doctrine held by a religion, or a particular group or organization. It serves as part of the primary basis of an ideology or belief system. 

Cybersecurity Workforce Developers Need You, Part Deux

Yes we can. The following is number 2 in a series of 2 un-paid public service announcements from what remains one of my favorite organizations. It begins, as it did the first time on March 2, thusly:

Power industry security stakeholders (if you read this blog, that means you!),

The National Board of Information Security Examiners (NBISE) is partnering with the Pacific Northwest National Laboratory to contribute to the development of the U.S. cybersecurity workforce. Toward this effort, a utility SME panel has mapped power system cybersecurity job responsibilities to the objectives of two workforce frameworks (NICE and ES-C2M2), the domains of training/education programs, and the objectives of key certifications. 

Recommended Reading: Industrial Safety and Security Source

3/8/13 Flash update - SGSB reader and contributor Ernie H suggests you visit Joel Langill's www.scadahacker.com site as well to further enrich your budding control systems security knowledge.
--------------------------------

As I've mentioned a few times before, this year I'm working on getting my OT security chops up to speed, and that means getting a lot more familiar with the way SCADA and ICS systems work when they're functioning properly, to better appreciate how they can be exploited when reached by those with impure thoughts and nefarious motives.

To that end I reach out to folks who seem to know more about this part of the world than I do (sadly, a group that must number in the hundreds of millions). I'm not always successful, but when I am, am happy to share my success so you can advance your own understanding, if necessar, as well.