Monday, May 24, 2010

Security (and other) Take-aways from GTM's Networked Grid 2010

I had the pleasure of attending and speaking at Greentech Media's annual Smart Grid conference in Palm Springs last week, and it was nothing less than a life-affirming experience. One reason is that I finally got to see my first real wind farm, and it was a doozy: thousands of turbines in one valley means you can drive at 70 mph for ten minutes and still find yourself surrounded by them. More on the San Gorgonio Pass Wind Farm can be found here.

But as with every good conference, it's the variety, depth of knowledge and generosity of the speakers and fellow participants that can make it a great experience. I had the privilege of moderating a strong panel on Smart Grid security topics that included:
  • Saadat Malik, Cisco
  • Rick Stephenson, Revere Security
  • Tom Parker, Securicon
  • Rilck Noel, Verizon Business
We began with this simultaneously humorous and cautionary anecdote from Smart Grid security guru Massoud Amin of the University of Minnesota, drawn from his most recent whitepaper:
Consider the following “sanitized” conversation showing the lack of awareness of inadvertent connection to the Internet for a power plant (200–250MW, gas-fired turbine, combined cycle, five years old, two operators, and typical multi-screen layout).
M.A.: Do you worry about cyber threats?
Operator: No, we are completely disconnected from the net.
M.A.: That’s great! This is a peaking unit, how do you know how much power to make?
Operator: The office receives an order from the ISO, then sends it over to us. We get the message here on this screen.
M.A.: Is that message coming in over the Internet?
Operator: Yes, we can see all the ISO to company traffic. Oh, that’s not good, is it?
The panelists then addressed a wide range of questions, some from me and some better ones from the attendees. The main message the panelists conveyed was that while the press loves to spread fears that Smart Grid vulnerabilities will create chaos, information on what's actually being done to secure the system in the trenches is the most effective counterbalance. These guys were good.

For me, though, the takeaways from this conference were several and often not directly related to security concerns. Here are three for you:
  • In a Home Area Network (HAN) panel, after lots of discussion on new functionality for homeowners and their utilities and service providers, a man stood up, and, addressing CEOs from HAN start-ups, spoke with authority: "I see your focus is on new Smart Grid functionality and capabilities. But remember: reliability trumps everything. Don't forget it." He's right, of course, and it was a sobering moment.
  • It was clear there was quite a bit of buzz about what microgrids might do to the industry, particularly from a business model point of view. It seemed to me that most of the utility pros there might want to urge their orgs to get out in front of this movement before it goes around them.
  • Lastly ... Holy crap, this Smart Grid thing is complicated and complex: so many moving parts, and so much we don't know yet about its ultimate shape, size and function. Good luck to all of us!!!
Photo credit: Wikimedia Commons

Monday, May 17, 2010

The First Webcast is Up!

Ok, so it isn't as polished as Sixty Minutes, but think of it as Smart Grid Security cinéma vérité.

Anyway, after much effort, a version of the recent webcast, "An Introduction to Smart Grid Security", is now available. We recommend you watch it in YouTube HD (720p). It runs about 15 minutes in total, and you can watch Part One here:

And you can watch Part Two here:

Because the slides look blurry in lower resolution video, and because you may want to use them yourselves at some point, we are making them available to you in their original form, here:

While it is far from perfect, we decided to get it out there rather than hold it back for further polishing. As this is our very first webcast for the blog, we are interested in your comments so that we can make the next one better and more useful for you, our readers. Please hit the "What do you think?" feedback button, and let us know what you -do- think.

Thanks to all those who attended, and who asked questions during the session. We look forward to the next one, on May 26th, on "The Smart Grid and Data Security". See you (or you'll see us, I guess) then.

Tuesday, May 11, 2010

A Controlling Interest in Securing Utility Control Systems

Energy and utility control-system cybersecurity expert and firebrand Joe Weiss is making waves again, this time via an interview with CNET in which he describes the current state of progress (and its lack) in this most essential yet often overlooked Smart Grid domain. You see, when word got out that the previously tech-averse utilities were stirring thanks to this thing called the Smart Grid, IT and IT security professionals rushed to sell their services and wares to utilities' IT shops.

Little did they know (and some still don't) that they can market Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Single Sign-On (SSO), application firewalls, database security, pen testing and application security testing tools, not to mention NERC CIP compliance tracking and reporting systems and more ... till the cows come home, and still leave their utility customers, and their portion of the Smart Grid, woefully unprotected.

That's because of the other side of the house. You can call it field operations, or use an acronym like Operational Technology (OT); either way, it's a place where IT professionals fear to tread. Because of organizational culture and the fact that SCADA-based operational systems are so unlike standard IT systems, the IT guys (vendors and utility employees alike) are generally unwelcome outside IT.

Weiss, a one-man army, has been trying to get this message out to government and industry decision makers for years and is starting to make some significant inroads. Here's an excerpt from the CNET piece, though we highly recommend you read it all:
[A] utility's human resources network or their customer information networks are more cybersecure than any power plant, including nuclear, any substation, or any control center in the U.S. [Why?] Because the utilities got together and came up with a set of criteria, called the NERC critical infrastructure protection (CIP) standards. In those standards they input a number of exclusions and allowed them to self-define what would be "critical." NERC has put out emergency warnings on some of the areas that have been excluded, like telecommunications, but NERC CIPs specifically exclude them. Can you imagine doing a cyber assessment of your IT systems and being told "do not address telecom?" Because of the Energy Policy Act of 2005, electric distribution which is the heart of the smart grid is specifically excluded even though the electrons move from distribution to transmission and back. It simply doesn't make any sense.
Here's the full CNET Q&A. And while you're at it, you should read Forrester's take on the CNET-Weiss interview here. It's a little bit utopian in places, but it reminds us that we've been dealing with control systems security for years in other industries, and we like the emphasis on people vs. technology for a change, like here:
Deploying smart technologies is not enough. Take time to redefine existing processes and invest in people’s skills and education. You should invest the time and energy in marketing security and risk measures when deploying smart cities and smarter grids from day one.
Of course, the people Forrester is talking about dwell in both sides of the utility house. And if Joe Weiss had his way, there'd be more of an open floor plan, with security planning and implementation discussions reaching both IT and operations, and vendors and utility professionals alike understanding that their job's not done until they've secured the whole enchilada.

For more SGSB coverage of Joe's work, click here.

Tuesday, May 4, 2010

Calling all Energy Idealists, or: Where is Chris Davis?

For those of us immersed in energy matters in our day jobs, it may be hard to imagine that there's a virtual farm system out there where independent self-starters working in other fields imagine alternative uses of their energy. To wit, I wrote energy tech blogs for years before I had the good fortune of landing (via M&A) in a company that's staking its future on being an important part of our country's and the world's energy future. Now this has happened again, to a close friend of mine.

Not long ago my Air Force Academy classmate (1985) and Discovery Channel energy co-blogger Chris Davis wrote a post announcing my departure from Discovery, and the launch of two new blogs, one of which you're now reading. Well, the tables are now turned and it's Chris who recently left his loyal readers wondering what became of him.

One of the last posts Chris did before wrapping up his Discovery Channel tech assignment was called "Visualizing the Electric Car 2015" and it gives you a feel for how forward-leaning his thinking is on renewables tech in general and Vehicle-to-Grid (V2G) in particular. Now, having transitioned from two decades of pure construction jobs to the Dallas-based electric services company Facilities Solution Group (FSG), Chris is paid to pursue his passion.

Today he's active in North Central Texas Council of Governments (NCTCOG) future transportation initiatives, bridging his expertise and experience in the building industry with what he knows about electric cars, Smart Grids and microgrids, to accelerate that organization's great work. We talk all the time, and he's one of the happiest, most fulfilled people I know.

For anyone visiting this blog from a vocation far removed from Smart Grid, energy management and/or other renewables-enabling pursuits, and wishing they were closer to the action, please take courage from our examples. If Chris and I could make the leap, so could anyone. And the energy future needs many more talented, passionate people to get involved and make it happen.

Photo credit: Chris Davis on 4 Pass Loop Route, Snowmass, Colorado. Click on it for a much larger version.