Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF), but it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.
Penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.
Tuesday, December 17, 2013
Monday, December 16, 2013
Security at the Edge of the Grid
We used to be very concerned about traveling too close to the edge of the world, remember? Then some smart math and science guys figured out, surprisingly, Earth has no edge, so we were free to move about the globe.
Now as we approach the end of the beginning of the Smart Grid era, what began as an initiative to add visibility, flexibility, and yes, smarts all over the grid is now seeing change accelerate close to the points of consumption.
Of course, amid all the excitement about innovation in distributed generation, distribution automation, energy efficiency, demand management, microgrids, storage, etc., one could forget that there's some basic housekeeping to attend to in the categories of power regulation and security.
The former, which includes maintaining the quality of electricity and keeping dangerous phenomena like harmonics in check, has been the province of utilities and ISO/RTOs and that's not going to change. Ever-increasing percentages of distributed generation are, if anything, going to make utilities' capabilities in this area even more essential to safe and reliable power delivery.
The other housekeeping item, now that it's 2013/2014 and not 1963/1964, is that all the new edge devices have several attributes in common:
- They send, receive and store data
- They constrain access to their data and/or services to certain other systems
- They receive control signals, sometimes from humans (think: iPhone apps) and sometimes from other systems (think: Nest thermostats)
Of course this is an oversimplification, but astute readers will notice that the integrity of all of these activities depends entirely on capabilities from the security domain. My job as part of Greentech Media's new Grid Edge Executive Council (see my humble logo above nestled among the titans) is to ensure less-than-sexy security attributes are baked into the functional requirements of all the new products that plan to participate in this edgy arena.
That way, when 2023/2024 arrives, we'll be powering our homes, businesses and country with power we can depend upon.
Thursday, December 5, 2013
Beroset on AMI and Smart Meter Security Considerations - Late 2013
Ed Beroset is the Director of Technology and Standards at one of the main smart meter making companies, Elster, and I've had the good fortune of meeting him on several occasions when we both had speaking duties at grid security conferences. In this case, tech director also = security strategist and spokesman.
Recently, as I've started to prepare myself for work with Greentech Media's Grid Edge council, I wanted to check up on the current state of security thinking around AMI and smart meters.
Lo and behold, here's Ed who just put it down in pixels with 3 questions to ask yourself, along the lines of what are you protecting and why, and 7 to ask your vendors. In the latter category, I particularly like #1 and the advice that follows:
What security measures does your system employ?
Don’t settle for vague or imprecise answers to this question. Any reputable vendor will be able to give you a clear and detailed answer. Furthermore, don’t accept the excuse that the security measures are proprietary and top secret. As any security expert can attest, in modern systems, it is not a secret algorithm, but a secret key, that ensures security.
This may be more advanced than your typical energy sector start-up is ready for or need be ready for, but it's a good example of the types of scrutiny mature product suppliers like Elster have come to expect as a matter of doing business with increasingly security-aware customers.
Labels: ami, smart meters, supply chain, vendors
Wednesday, November 27, 2013
A Means to a Measured Approach to Cybersecurity
Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.
Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.
A few of the principles we seem to share include:
Monday, November 25, 2013
ICS Electric Utility Attack Video and Aegis to the Rescue
[Video: SANS Securing the Human - ICS Attacker]
Meanwhile, to calm you down after the video gets your heart rate up, you should start learning about a new tool that's set for release at the upcoming SANS SCADA Summit. It's called Aegis and it's not an anti-ballistic missile system. It's a testing tool to help ensure systems communicating with one of the most common SCADA and controls systems communications protocols, DNP3, are harder to attack.
You can read more about Aegis here: http://www.automatak.com/aegis/
And more about the SANS ICS Summit here: http://www.sans.org/event/north-american-ics-scada-summit-2014
Saturday, November 23, 2013
Sandia and Hayden on Cybersecurity Strategies for Microgrids
First off, thanks to friend and colleague Ernie Hayden for writing a microgrid security post following his mini-immersion in the topic last week. You can read his write-up HERE.
In particular, I want you to see something he linked to: SNL's Microgrid Cybersecurity Reference Architecture. That's Sandia National Labs, btw, not Saturday Night Live; talented though he is, Jimmy Fallon is not a contributor to this piece.
Thursday, November 21, 2013
SCADA Primers Now for Grades 1-8 and Even More Managers
Earlier this year, the US Air Force's Robert M. Lee brought us SCADA and Me, an intro level graphic novelette optimized for very young children and certain managers. Now comes Haley Wauson of industrial automation company Cimation with a blog post that should help SCADA and Me readers advance to the level of middle school literacy and educate an even more advanced cohort of managers.
In her succinct post "What is SCADA Anyway?" Ms. Wauson uses infographic style visuals and multi-syllabic words to take readers to a level of depth that goes well beyond Robert Lee's Goodnight Moon-esque masterpiece.
Sounds like I'm joking around, but works like these are actually just the thing for de-mystifying technology that's foreign to IT-centric folks. SCADA and control systems are of central importance to making good things happen in our increasingly interconnected "Internet of Things" world, or as my recent alma mater IBM has dubbed it, the Smarter Planet.
Securing these things, now that's another matter. But first you have to know what they are, and where they are, in the first place!
Labels: control systems, education, scada