Oil and Natural Gas Co's became Primary Attack Targets Last Year

At least according to analysis from cyber security company Alert Logic. This detail and more is captured in a report just released by the US Council on Foreign Relations (CFR).

According to authors Blake Clayton and Adam Segal:

Cyber attacks on energy companies are increasing in both frequency and sophistication, making them more difficult to detect and defend against. Cyber espionage is being carried out by foreign intelligence and defense agencies, even organized crime or freelance hackers.

An Industry Starts to Pivot: Electric Utilities' Shifting Business Models in the Rise of Solar

Amory Lovins and Karl Rabago saw this coming a long time ago.

Now the Wall Street Journal (not Grist, not Mother Jones, not Rolling Stone) references the EEI distributed solar dispatch from earlier this year and runs with it. Not just early/first mover NRG, but the old guard is chiming in too: AEP, Duke, Southern Co, Nextera, Dominion, PG&E ... you get the
picture.

First up is Nick Akins, American Electric Power CEO:

On its face you would look at it and say distributed generation is a threat. But on the other hand we see it as an opportunity because our business is changing. There's no getting around it.

Other big utility CEOs join the chorus and soon the message is unmistakable.

CPUC's Villarreal is the Real Deal for Grid Security from the US States' Perspective

From cybersecurity to privacy, the Green Button and security metrics, this recent deck from the California Public Utility Commission's (CPUC's) Chris Villarreal covers the entire grid security waterfront from a (very big) state's point of view.

This is well worth your time if you're a regulator in another state, a regulated entity in any state, or you just want to get a better feel for the way this process is evolving.

Note links on last slide to excellent CPUC security white paper by Chris and his security savvy colleagues, Liza Malashenko and J. David Erickson, and to NARUC's excellent "Cybersecurity for State Regulators 2.0" guide. There are other states upping their cybersecurity game as well, but California and Texas have been the two trailblazers. Of that there is no doubt.

----------------------------

URL for this deck, which accompanied Erfan Ibrahim's SG Educational Series webinar:

https://docs.google.com/file/d/0B83Q27_xggOTV3JpVTlSNnRGNGM/edit?usp=sharing

URL for another nice write-up on the work of Chris and his colleagues, from Greentech Media's Jeff St. John:

http://www.greentechmedia.com/articles/read/smart-grid-cybersecurity-the-california-way

Energy sector can learn from DOD's cybersecurity strengths (and weaknesses)

Last year the US DoD released a report by one of its Defense Science Board teams and I've seen it referenced a number of times in recent weeks, especially in articles announcing our loss of the most sensitive systems design details on dozens of current and next generation weapons systems.

See if you think this excerpt from the executive summary would accurately describe the current state at the utility you work for, or regulate, or invest in, or power your home with:

[The conclusion that we must do much better on cyber defense] was developed upon several factors, including the success adversaries have had penetrating our networks; the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems.

If you think it might, then it's possible that you may find value in digging into the findings and recommendations within. I noticed this one on culture as being particularly relevant to our sector:

Individual and organizational cyber practices result in so many cyber security breaches that many experts believe that DoD networks can never be secure with the current cyber culture. The individual’s immersion in the civil sector cyber culture and the military’s focus on mission objective are the two most important contributors to DoD’s poor cyber culture. In the face of a threat that routinely exploits organizational and personal flaws, DoD leadership must develop a clear vision for the Department’s cyber culture.

It's very likely your utility is not targeted nearly as much as are the DoD's networks and systems, but I'd still say this report has lots of applicability for the way we think and act.

-------------------------

URL for full report:

http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf

Grid Security Keynote of Note at May 2013 ISO Conference

Since you can't be everywhere, there's the SGSB (which can).  Former Seattle City Light CISO and current Verizon control systems security ace Ernie Hayden gave a keynote presentation at the recent ISO New England and New York ISO Energy Conference held in Boston, and we've got it for you.

If you don't know ISO, it stands for Independent System Operator, a term which is often used interchangeably with another acronym: RTO, or Regional Transmission Organization. In North America, these organizations are like referees and traffic cops, trying to keep the peace among utilities and ensure the smooth and reliable flow of appropriately priced electricity across multi-state regions.

It's good to see Security get such a prominent platform at a high profile industry event like this. Certainly a sign of the times.  Ernie's slides will take you through the past, 2013/present and future of grid security, and though some of the info would clearly benefit from his accompanying narration, a lot of this works quite well as is. And if you really want the audio, then I'm sure Ernie will agree to come to you and do it again, as long as you treat him right.  URLs below.

-----------

Ernie Hayden deck

http://www.isoenergyconference.com/pdf/Ernie-Hayden-Keynote.pdf

Conference home page

http://www.isoenergyconference.com

Looking Again at the Markey-Waxman Grid Vulnerability Publication

Where would I be without feedback? Many thanks to SGSB readers who chimed in on this.

I recently published a post titled "House of Reps Report Reams Utilities on Cybersecurity." Not accurate and all you have to do is read the cover page which, just below the House seal, says "A Report written by the staff of congressmen Edward J. Markey (D-MA) and Henry A. Waxman (D-CA)". Mea Gulpa.

So on second look I looked a little closer and found some things to like and some things I had to wonder about. For example, I'm happy to see congressmen seeking more information about the current state of security in our sector. Who could argue with that?

But their methods are not fully sound.

House of Reps Report Reams Utilities on Cybersecurity

Was trying to capture spirit of Jesse Berst's headline on the same subject:

Utilities to FERC: Take your security measures and shove it

That's not very nice, is it?  I think they toned it down with a later change, but this headline was what was in my inbox in this morning's SmartGridNews.com newsletter. The subject is a recent report published by the House of Representatives that's highly critical of electric utilities behavior to date re: grid cybersecurity.

Moving on! The Wall Street Journal's Rachel King did a fine write-up of recent testimony from the CEO of the American Gas Association (AGA), Dave McCurdy. King began by noting that:

The oil and gas sector faces many of the same cyber security challenges as the electric industry. Yet, there’s one major difference between the industries, both of which need to secure software-based industrial control systems from intruders. There are no regulations governing cyber security among the oil and gas companies.