Wednesday, August 11, 2010

Day One Recap from the 1st Smart Grid Cyber Security Summit

I'm afraid it's a little too late to go for complete coherence, so here are some bleary-eyed bullets summarizing a few (but not nearly all) of the first day's highlights:
  • Scott Borg of the US Cyber Consequences Unit showed how the US economy can easily weather ~3.5 day outages, but that when you get beyond that duration across a broad region, you get into large and very large effects, as in "massive ... breathtakingly bad." So small, short-duration security incidents we can handle and don't need to worry about too much. But we should move (and spend) heaven and earth to ensure we don't experience even one of the very big ones
  • Bob Gohn of Pike Research gave us the latest Smart Grid security findings and trends, and announced the release of Pike's latest report on Smart Meter Security
  • FERC Commissioner Philip Moeller, whose NERC CIP experience goes back to some of the earliest draft language from the year 2000, acknowledged the challenges NERC faces fielding a uniformly solid field of CIPS auditors, and told us to keep our eyes open for a possible collaborative effort involving FERC and state regulators
  • I could do an entire post on Joe Weiss' presentation, but for now let it suffice to say that the Stuxnet virus is much more problematic than initial reports (including one made on this blog) indicated. Here's a decent Stuxnet update from Symantec. Among other things, note the lengths this malware goes to to protect itself from detection
  • Joe also made it clear that Smart Grid or no Smart Grid, SCADA/ICS systems are a disaster waiting to happen and that there's not a heck of a lot we can do about it. He supported this point by saying: 1) we have basically zero forensics capabilities to investigate SCADA/ICS attacks; 2) OT hates IT in all sectors, not just energy, and this culture war gets in the way of migrating good security practices to the SCADA/ICS world; 3) there's nothing at all comprehensive about NERC CIPS; 4) there are 5 or fewer utilities going beyond the security controls required by the CIPS; 5) to work, SCADA/ICS security must be a living program, as every time you change or add something, you impact security; 6) NERC CIPS have made the grid less reliable by enticing some utilities into removing IP connections from some important devices, which makes them exempt from NERC CIP while leaving them dependent on serial connections, which are themselves quite susceptible to attack
  • After Joe left the NERC CIPS in smouldering ruins, Rob Shein, HP Cyber Security Architect, coaxed them back to life with a balanced review of what they do and do not cover, and provided reasonable steps orgs can follow to achieve compliance
  • Lastly, I moderated a roundtable session on "The Perspective and Path Forward for Energy Utilities" with 3 outstanding panelists: Mike Echols of the Salt River Project, Bobby Brown of Enernex, and Chris Peters from Entergy. They hit a bunch of topics that even late in the day held the audience's attention and responded to lots of questions after they reached the end of my prepared list. But for me, the most memorable of all was also the simplest. Each was asked: would your org be more or less secure in a world without the CIPS? To which the unanimous response was less. So despite all the abuse heaped upon the CIPS during the day (and IMHO, they richly deserve it), the folks fighting this security battle in the trenches say they help far more than they hurt. For me, that fully topped off an already great day, and I'm really looking forward to whatever lessons we can tease out of day 2 of the 1st Smart Grid Cyber Security Summit.
San Jose Photo credit: the_tahoe_guy at
