Thursday, December 30, 2010

Preview of 2011 Smart Grid Security Conferences


Happy New Years Eve Eve. As we say goodbye to 2010, here's a look at what's coming up next year, conference-wise.

NIST Smart Grid Cyber Security Conference
Northeastern University, Boston, MA
18 January, 2011
Details: HERE

Smart Grid Security East
Enernex
1-2 March 2011
Details: HERE

European Smart Grid Cyber Security Forum
London, UK
14-15 March 2011
Details: HERE

Also, be on the lookout for another European conference (in Amsterdam) from the same team that hosted the first 2-day conference on Smart Grid Security in August 2010 and that's running Smart Grid Security East. This page gives you a round-up of that first conference, and here's a write-up I did on the blog when it was over.

And as always, keep your eyes open for conference and workshop announcements from NIST, IEEE, DOE and others as the year progresses - I'll try to spot them early and list them here to give you as much advance notice as possible.

Meanwhile, please have a safe and fun night tomorrow night.

Photo credit: MoLeY2k on Flickr.com

Tuesday, December 28, 2010

The Counterintuitive Security Benefits of a Sub-Optimal Smart Grid


Even though I’d always take the worst form of government in the world except for all the others, over all the others, sometimes one might be forgiven for longing for a country with an omnipotent, benevolent, entrepreneurial, clear-thinking, decisive, dictator (see above). Perfect, centralized direction could crush cultural and bureaucratic inertia, and make sector modernization a lot simpler than it is in some places right now. Right?

Consider the situation in the US and other countries where power, particularly power over power systems, is distributed across many organizations. Earlier this month, Pike Research Smart Grid analyst Bob Lockhart responded to a few questions regarding the state of grid security ownership. You can read this exchange HERE.

Lockhart notes that in the US, the bulk of the electric system (not to be confused with the Bulk Electric System) falls outside the jurisdiction of Federal authorities. The burden for guiding and protecting the distribution system belongs to the utility regulatory offices in each state, each which sets its own policy. It should also be noted that in the absence of Federal policy on privacy, that too is left to each state.

It's Good to be King
In countries where the utilities are 100% owned and operated by the government (not normally a very effective or efficient approach I am compelled to mention), the guy(s) in charge can move directly to issues of how they want to develop and operate their grid, how fast they want to modernize, and how much security rigor they want to enforce ... or not. I mean, who's going to tell them "no"?

But Kingship has its Limits
Lest we envy other authoritarian countries' ability to orchestrate grid changes too much, even the world’s most powerful, best intentioned dictator could only do so much with the current slate of challenges that comprise the overall Smart Grid security challenge. Imagine you were this dictator and wanted to bring rapid, comprehensive security improvement to your nation's electric infrastructure ... what would you do with the following:
  • Employee awareness and education. Email, web use, mobile, USB and other removable media safe use practices, etc. Would the death penalty for policy violations due the trick?
  • Ensuring compliance with emerging interoperability and security standards, internal and international. Actually, if you're a real pariah state, who cares about international?
  • Making sure new grid systems, those built by utilities themselves as well as by vendors in the supply chain, are developed with security baked in from the get-to, applying Secure by Design principals. This is important on both IT and operational technology (OT) systems like SCADA and Intelligent Control Systems (ICS). How to motivate the supply chain is a big issue. I mean, you can't kill your suppliers, right? 
  • Devising rules and standards for comprehensive security controls for grid systems, from generation, transmission, distribution, consumption and edge. You're going to SMEs for this,and unless you've completely sealed your borders, many of these folks long since departed to countries where they were paid fairly for their expertise.
In these issues and others, the dictator may find his wickets just as sticky as those facing other governments. And there’s another aspect that levels the playing field on behalf of countries with multiple layers of jurisdiction and guidance that varies by region or state. Countries with government owned monopolies may establish large, country-wide sourcing contracts which tend to homogenize the equipment that gets deployed. This is great for interoperability, but makes in easier for an attacker who, once in, can potentially cause great and widespread harm via a single point of attack (note: Stuxnet's apparent success on systems sourced from just two suppliers) .

The Security Benefits of Variety
Lockhart sums it nicely:
... countries with a government monopoly grid can take a one-size-fits-all approach. On the down side for them, that implies that a single attack against their entire national grid could be successful and there is probably a single point of attack for that grid. Here in the USA we have over 3,200 utilities -- some with millions of customers, others with a few thousand. So obviously they are not going to all be running on the same infrastructure and therefore the same security approaches will not work for all. It is not unthinkable that some smaller utilities will end up clients of service providers running cloud computing environments. Those will probably be private clouds, but still a centralized, third-party cloud. Personally I think that’s a good thing because small enterprises cannot afford as sophisticated security as a large-scale integrator of clouds will implement.
Agreed. So maybe the takeaway is that as much as we rail against and lament the chaos, inefficiency and sub-optimality of our current approach, it is, from a security perspective and with apologies to Voltaire: the best of all possible worlds.

Photo credit: Allstar/Paramount/Allstar

Tuesday, December 14, 2010

A 2010 End-of-Year Glimpse Behind the SGSB Curtain


No, I'm not going to show you how this blog's sausage is made. Instead, wanted to give you an idea of who else is partaking on a regular basis as one indicator of which countries and organizations are taking grid security most seriously, or at least are most curious about it.

The following is a simple list, in order from most to least, of which countries read (in English only) the Smart Grid Security Blog the most often in 2010.

Top ten

USA, Canada, UK, Germany, India, France, EU, South Korea, Australia, Japan

The rest in order

Netherlands, Italy, Brazil, Belgium, Israel, Singapore, Spain, Sweden, Ukraine, Taiwan, Philippines, Iran, Switzerland, Ireland, Malaysia, Portugal, Finland, New Zealand, Denmark, Greece, Indonesia, Norway, Pakistan, South Africa, Russia, Mexico, Austria, Poland, Turkey, Hong Kong, Thailand, Czech Republic, Romania, China, Egypt, Chile, Columbia, UAE, Saudi Arabia ... and more.

A few other details while we're at it

In 2010, a typical day at the SGSB saw visitors from a 15-20 different countries read this blog, a third arriving via Google or Bing, another third via FeedBurner email subscriptions (over 600 now and counting), and the rest coming from links in articles and on other sites.

In terms of types of organizations these folks come from (which you can sometimes see and sometimes not), all or most of the larger US, Canadian and European utilities, Federal and State regulators, technology and services providers, and universities are all well represented.

While millions-of-hits per day sites like the Drudge Report and ESPN.com have little to fear from the SGSB, I'm expecting a slow and steady up-tick in readership next year as more Smart Grid initiatives roll out, as standards begin to mature, and as new business models emerge and evolve. Not to mention threats and responses.

Had a great 2010 - thanks for being a part of it. Looking forward to 2011 !!!

Photo credit: havankevin on Flickr.com

Friday, December 10, 2010

Looking Back and Looking Forward on Smart Grid Cyber Security at GridWise 2010

As Mark Twain (or Hemingway, Cicero, Voltaire, Blaise Pascal or George Bernard Shaw) once said "If I had more time, I would have made it shorter." That's true of the 25-min audio that accompanies  - feel free to fast forward. But believe you'll find the content here interesting, and depending on your line of work vis a vis the Smart Grid, maybe even helpful.
There were several good questions and comments during the Q&A session that followed, but the one I appreciated most was that this wasn't the typical doom and gloom message that typifies many energy sector security presentations.  I count that as good news as that is a design objective. As we've said before, no good work gets done by people in the fetal position. And we've got plenty of work to do.

For more from GridWise here's a LINK to the organization's cyber security resources page. These are great people moving mountains as they advocate for Smart Grid progress. Highly recommend you give them your support and/or get involved if you haven't already.

Thursday, December 9, 2010

Pike's New Smart Grid Security Report Available


Boulder, Colorado-based Clean Tech research firm Pike Research recently released a comprehensive report on the current state and market size of the security business related to global Smart Grid initiatives. This is such a nascent market, you've got to give them credit for even attempting this project. And having seen it, I can say it's a darn good piece of work. You can see Pike's own description and the table of contents HERE as well as register to pay and get a copy (yes, it costs significant money).

If you want to get a better feel for the experience of the lead author, Bob Lockhart, THIS detailed Q&A on Smart Grid security was just posted yesterday, 8 December 2010. There's a lot of goodness in the interview, and I like this comment here on getting employees on the right (and same) page:
One area of security that gets too little attention in smart grids is employee awareness. It is critical for employees of utilities, systems integrators and other involved entities to understand what security is implemented, why it is there, and their responsibilities to support it. This requires a proactive education program. Whether we’re talking e-mails, Web courses, or stand-up instruction matters less than that the points are gotten across to the workforce.
In light of this year's biggest attacks: the one targeting IP theft at Google and dozens of other large co's, Stuxnet, and Wikileaks, it's clear that employee awareness (and it's lack) and behavior played a major role in all of them. In his big report, Bob tackles standards, business drivers and technology challenges too, and I think he describes it all with a substantial amount of mastery. Might be worth your while to check it out.

Photo credit: krytofr on flickr.com

Wednesday, December 8, 2010

Life's Rich Pageant: Smart Grid Resistance Movements


Since I've been covering their emergence, Smart Meters, the gateway drug for the Smart Grid, have been  alleged to do some or all of the following:
  • Cause confusion or brain cancer
  • Facilitate attack by foreign nations
  • Help utilities get rich by cranking up rates forever
  • Give Barack Obama control of your house
  • Signal criminals when your house is ready to be robbed
  • Reveal to the government when you're doing naughty things
  • Reduce fertility in laboratory mice
These stories pop up all over, but here's the latest from Maine and California. And lest you think this is a phenomenon unique to the USA alone, here's a vigilant gentleman chiming in from north of the border:
... these so-called 'Smart Meters' may be deliberately 'tricked' to register a higher consumption reading than is actually true. Obviously, this would produce more revenue for the greedy utilities and the greedy governments which are constantly looking for new ways to screw the people.
Well said Sir! And tell you what - if after reading these you find yourself converted, you can go HERE for all your anti-Smart Meter propaganda needs including bumper stickers and yard signs.

We're trying to update the grid for the 21st century: bringing better efficiencies, improving reliability, and enabling greatly increased use of renewables and EVs, and this is the response from some folks.

As Charlie Brown used to say, "Good grief."

Photo credit: "Radio Waves" by Thomas Anderson on Flickr.com

Tuesday, December 7, 2010

FERC and NERC Down the 2010 Cyber Security Standards Home Stretch


Been saying it all year: tension is building between those who want to tighten up security standards faster and those who was to take a gentler, but more predictable path. FERC and NERC have been the primary protagonists in this struggle, as described a few months ago HERE.

For those who are paying attention, a few items that have surfaced as the year winds down, and here's a short summary for you:

First we have the so-called "bright line" ruling in which FERC says we (especially NERC) need a new and crisper definition of the bulk electric system (BES). Here's an excerpt in their own words:
Today's final rule directs NERC to revise its definition of the term “bulk electric system” to ensure that the definition encompasses all facilities necessary for operating an interconnected electric transmission network .... FERC said the ultimate goal ... is to eliminate inconsistencies across regions, eliminate the ambiguity created by the current characterization of the 100 kilovolt (kV) threshold as a general guideline, provide a backstop review to ensure that any variations do not compromise reliability, and ensure that facilities that could significantly affect reliability are subject to mandatory rules. 
So the ball's in NERC's court on that one. A few days after that press was released, FERC Commssioner Jon Wellinghof spoke out on security and the Smart Grid for Forbes.com. Seems like he really wishes things could go a lot further and a lot faster than they have so far, and that Congress hasn't come through yet:
... there have been a number of legislative proposals put forward, none of which have been passed….
Without mentioning it by name, he also plugs the GRID Act which is still stuck half-way through Congress:
We do believe that there’s some additional authority necessary with respect to cyber-security, especially with respect to an imminent threat or vulnerability. We think FERC needs the authority to issue an order to the utilities to take a specific action. Right now we don’t have that authority. It all has to go through the National Electric Reliability Corporation…. It’s kind of a cumbersome process now, that takes a lot longer than you would want if you knew of some immediate threat or vulnerability….
Which brings us to some analysis of what's on deck for 2011 in the NERC CIP world. From NERC CIP compliance experts Abidance Consulting, here's their well informed take on which way this will likely play out in version 4 of the CIPs:
The NERC CIP Standards are being reviewed and updated by various NERC committees to include the Standards & Development Team .... The new version(s) will categorize Critical Assets and Critical Cyber Assets based on impact assessment as “High”, "Medium" and "Low". The new methodology will not use the current Critical Assets and Critical Cyber Assets. [Rather], CIP standards will be customized to each category based on their impact on the BES ....
That's a heck of a lot of change. Too much for some, though others would call it long overdue. And here's a big (and good) one:
The new version of CIP will expose several assets to CIP compliance requirements unlike today as the serial connection will no longer be able to provide immunity from compliance.
This change, if and when it takes effect, will reverse a trend that some analysts have used to argue that the CIPs actually weaken grid security.

We could go on, but this is a blog and our job is to keep these posts short and tasty. Kind of like tappas. Speaking of which, there's plenty of action on the menu for 2011 for utility security pro's and everyone in the community who wants to see them succeed. Looking forward to it!

Photo credit: Erik Fitzpatrick on Flickr.com

Monday, December 6, 2010

Get Ready, Grid - First Wave of Volts Being Born


Lovingly hand-assembled one at a time like a Phantom?  Uhhh, no.  The Volt manufacturing process seems to draw more from Tron than from Rolls Royce. Check it great video HERE.

So GM has invested big time in being able to create a large number of Volts fast. Good thing, because GE recently committed to buying 12,000 Volts next year, and sales are just beginning in New York, New Jersey, Connecticut, California, Texas, Washington, D.C., and Michigan.

I've always felt that the huge efforts to accelerate the arrival of the Smart Grid at residences was a case of too much spending for too little benefit, and that the prospect of trimming 5-15% off their home electric bill would not be a sufficient motivator for the majority of Americans to change their behaviors

But electric vehicles (EVs) like the Tesla Model S and Nissan Leaf, and plug-in hybrid electric vehicles (PHEVs) like the Chevy Volt, depending on their rate of adoption, may have me revising that opinion. You see, while they are charging, each of these cars draws the electricity of another entire house (or more). That's enough electricity use to make savings more desirable, and enough additional demand to prompt utilities to closely monitor which neighborhoods are adding EVs the fastest, so as to avoid overloading local transformers through preemptive, targeted upgrades.

Let the good times roll. Oh, and this just in via a sharp-eyed colleague and worth your time: Why Electric Cars will Drive the Smart Grid.

Photo credit: Betsy Weber on Flickr.com