Saturday, December 24, 2011

SGSB Quick Look Back at 2011 Smart Grid Security

Instead of hitting you over the head with a sledgehammer of an epic year-end wrap-up post with dozens of links to as many posts, how about I take it easy on you and point back to just a couple of stand-outs?

The first is was the most widely read post, with over 3,000 separate views, and it was called "The Value of Black Hat for Smart Grid Security." It basically makes the case that vendors of insecure or un-secure-able electric sector products will eventually be called out in one fashion or another, and concludes with:
Suppliers thinking they'll save money by moving slowing on improving the security characteristics of their products are playing with fire. The lesson of Black Hat is that they'll be found out. It may not be by NERC. And their utility customers may be focusing on other pressing challenges. But sooner or later, the Black Hat crew will be on your case and when they do it'll take more than tons of money to get your troubles behind you.
The second is mentioned here simply because it was my favorite, as well as the favorite of many folks who told me so via email or at conferences and such. "The Best Talk Ever on NERC CIPS and Grid Security ... Period." It's not the blog post, so much as the talk by FERC's Stephen Flanagan to which it linked, that got people worked up. In my mind, never was the corporate psychology of compliance so artfully skewered.

Lastly, I'm psyched about the re-emergence of early SGSB blogger, fellow IBMer, and eternal cyber security guru Jack Danahy on these pixelated pages. Beginning with "A New Breed of Security Attributes for our Time," he's begun a series of deep dives on thoroughly rethinking cyber security strategies, policies and practices in this and other sectors. Am greatly looking forward to see where he takes this in 2012.

Hope everyone is taking a little bit of well deserved down-time with friends and family. We've got a ton of work to do next year and it'll be best to hit the ground running with a fresh pair of legs.

Merry Christmas and Happy New Years.  Andy

Photo credit:

Friday, December 16, 2011

Industrial Defender Report Highlights Control Systems Operators' Increasing Responsibility Overload

The sharp folks at ID just released a survey-based report called "Managing Automation Systems: Critical Infrastructure Operators’ Challenges & Opportunities" which is chock full of interesting findings. You'll quickly see the challenges that rose to the top of their findings include issues are much more about people and process than about technology.

Here's a sample from the overview:
  • On paper responsibilities don’t align with day-to-day activities. Over the past several years, industrial automation professionals have seen their responsibility broaden from managing operations to managing security and, in some instances, managing compliance. However, there is a clear gap between the time these individuals commit to each requirement, regardless of whether they own a high degree of responsibility
  • Similar management requirements exist across security, compliance and operations functions. In other words, actions and activities necessary to support a security program may be strikingly similar to what’s required for compliance management and operational management within critical infrastructure
  • Infrastructure operators are constrained in their ability to manage these overlapping requirements. This is particularly true when it comes to managing multi-vendor environments with assets from a mix of industrial automation suppliers
It's a familiar story, right? Too much being asked of too few, with the quality of the work that gets done likely to be, well, sub-optimal. Sounds like some business process optimization and automation is in order ... and in the meantime, maybe pay increases for the folks who are asked to get this mountain of important work done.

Recommend you read the full report ... it's a brisk read at <10 pages.

Friday, December 9, 2011

Go On Admit it: You're Exposed and Vulnerable on the Holi and all the other Days

What began last week with a call for a new set of security attributes, now continues with a fleshing out and update of our thinking re one of the key security constituents: vulnerabilities.

In his latest mega-post, you'll find some cyber security truth telling that's as much psychology as technology. With Sigmund F staring you down, one arm akimbo, the other hoisting a cigar, Jack begins with a consideration of how much emphasis our society places on identifying and remedying personal weaknesses of all kinds, and the effects thereof:
... most people overreact to their personal insecurities, and even those imaginary weaknesses can create wholesale changes in behavior.
And then quickly pivots to the cyber security realm:
Once we switch tracks to begin the discussion of vulnerabilities within software or systems, our nature somehow changes. We stop compensating and obsessing, and begin the easier tasks of ignoring and rationalizing. We do not treat vulnerabilities as potential disasters, and we definitely do not get therapy to help us talk through the underlying issues that have created our vulnerabilities and insecurities. We seem to just move on, waiting for the actual disaster to prod us into some reaction to problems we had known about (at least in the abstract) for a good long time.
We build armies, navies and air forces to protect ourselves from actually and potentially hostile other nations. With some exceptions, we buy and don expensive helmets in case we fall or get hit when riding our bikes. We wash our hands in an attempt to keep potentially harmful germs at bay. So why do we think of cyber security threats and responsibilities differently? 

The FULL POST offers more insights and potential solutions. And if you want more Sigmund, and a little bit of Carl, you go see David Cronenberg's latest film which features both of them: A Dangerous Method.

Friday, December 2, 2011

A New Breed of Security Attributes for Our Time

I've been on the subject of grid and Smart Grid security measurement and metrics now for quite a while, and all around are signs that we're making slow but steady progress.

In Jack Danahy's latest mega-post on security from an industry perspective, you'll find a call to substantially overhaul the way security practitioners do business, with an emphasis on, among other things, measurement:
We should be able to describe how much time and money is spent to prevent the introduction of vulnerabilities vs. preventing the exploit of vulnerabilities vs. preventing the release of private information. We should be able to point to the documented practices in place to remediate vulnerabilities that are found, or to interrupt exploits in process, or to clean-up after a breach has occurred. In order to justify the strategic importance of security we must take a fresh look at the criteria by which we judge and measure it.
Warning: this material is not for the meek or groggy. Make sure you've got your got your thinking cap on straight before digging into the full post, HERE.

And note: this isn't the first time Jack has summoned the Parkerian Hexad. He took his first electric sector-specific run at it on a year and a half ago, HERE.

Image credit:

Follow-up on Illinois Water Pump Hack Case

This isn't pretty, but it would be good if you knew the whole, emerging, story. My recent post said it wasn't an international cyber attack ... or a cyber attack at all, and that we had been through yet another round of grid security FUD.

But the truth seems to be worse that that. I've got a fuller picture now, having had some contact with Joe Weiss who is, for better or worse, in the thick of it. Here's yesterday's post from his Unfettered Blog:
This story would be funny if it wasn't so scary. Wired magazine has broken the real story (or the latest iteration of the real story). The link is here. So it wasn't evil hackers from Russia after all. From the sound of it, more like a Keystone Cops fire drill. Nobody checked with anybody. Lots of people assumed things they shouldn't have assumed, and now it's somebody else's fault and we're into a finger-pointing marathon.
Securing our infrastructure is complicated and tough enough as it is, without self-inflicted wounds of this type. From what I could see, the water pump control system in question was a complete security mess, connectivity and configuration-wise. It's connection to the web easily visible with Shodan.

Don't know Shodan yet? You should. Seriously. Here's a nice intro from John Matherly on it. If you're an asset owner and you can see your system on Shodan, you've got some work to do. 

And if you're part of a government or industry org charged with getting information out to help keep owners and operators appraised of threats, please do a great job. We're depending on you.

Wednesday, November 23, 2011

Security Scare Tempest in a Water Pump

There's an adage that goes something like this: think before engaging mouth. Though sadly I'm not always successful, I try to adhere to a modified version of the same principle: wait a while before posting on breaking (and especially alarming) news.

This approach paid off again, as the facts are now officially available. Here's what you need to know about the recent, widely-reported water utility control system attacks ... from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT):
After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.
and furthermore ...
There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.  In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. 
So what can we/you do?
At this time, there are no specific recommendations other than to ensure you are following security best practices. ICS-CERT recommends reviewing Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
So it's time to once again to get back off the ledge and go back to work. Thanks to various Big Blue and other industry colleagues who helped keep me up to date on this. For the full ICS-CERT note, click HERE.

Photo credit: Tim Parkinson at

Monday, November 21, 2011

European Smart Grid Cyber Security through American Eyes

You know, there are ways in which the EU Smart Grid Security & Privacy standards process mimics the structural problems that have so far stymied solutions to the EU budget crisis:
The initiatives are not harmonized. For example, the Netherlands’ approach to smart meter data privacy would be illegal in Germany because it forces a choice between personal data privacy and energy efficiency. Yes, the much loved opt-in has been outlawed in Germany.
See that? This is from Pike Research security analyst Bob Lockhart, who had the pleasure of attending the  recent European Smart Grid Cyber Security in Amsterdam. Bob's been keeping a close eye on security standards forming and evolving in North America, and we've both talked and wondered out loud about how things were going in Europe.

Well, it's seems like they're not going as well as they could be. Here's Bob again:
There is an entire document in the NISTIR 7628 series – Volume 2 – devoted to Data Privacy, an issue of great concern to European nations and their citizens. Someone suggested why not start with NIST’s cyber security guidelines, overlay European Data Privacy guidelines, and call it done? I am still trying to work out why that is not the answer. Instead there are ... five other efforts, all of which freely admit that they love the NISTIR documents, creating ... or recreating a new set of smart grid cyber security [and privacy] guidelines.
Bob goes on to talk about the need for urgency and haste, but you can just tell nothing's going to happen fast on that side of the Atlantic. And we thought things were slow on this side!

C'est la vie.

You can read his full post HERE.

Friday, November 18, 2011

He's Baaaaaaack: Jack Danahy on a Courtroom Drama that could Radically Upend the Cyber Security Apple Cart

Just Judy's not working this one, but my colleague, and once and future energy and security blogger Jack Danahy is on the case.

Now new, improved, and more succinct than ever, he writes:
In reading the case of Gaffney et al vs. Tricare Management Activity et al, the question arises: "Is there a price to be paid for the loss of personal, private information of individuals, when it appears that due care may not have been taken for its protection?" With 4.9 million individuals affected, and sought damages of $1,000 per injured party, the potential $5B outcome of this case could very quickly reshape the landscape of investment in security measures.
There's lots of good food for thought in this one. You can read it all, HERE.

New Smart Grid Security Book coming from Sorebo and Echols

This is the first new book on the topic in over a year, and as you know, a lot has transpired over the last 365. Awareness of Stuxnet, Night Dragon and other control system-targeting Advanced Persistent Threats (APTs), for example.

I didnt' have too much exposure to the previous one, but at first glance can tell you that Gib and Mike bring a heaping helping of hands-on industry experience to the table. Prove it, you say? Alright then:

Gib built and has been running SAIC's grid security team for quite a while. He also has been a leader on multiple security standards working groups. And Mike was Security Compliance Manager at the Salt River Project, a big power and water utility in Arizona and a security officer at the Western Area Power Administration.

The title is: Smart Grid Security, an End-to-End View of Security in the New Electrical Grid, and it's coming out on Dec 12 (just in time for Christmas!). You can read more about it and get an order started on Amazon HERE.

I should be getting a copy soon myself, and will do a short review on the SGSB as soon as I am able.

Friday, November 11, 2011

GridEx 2011: NERC CyberSecurity Exercise is Upon Us

Practice makes perfect ... or at least makes you better.

I mentioned this back in July HERE, now thanks to Dave Dalva of BAH, I can tell you a big exercise is coming up this week, starting tomorrow:
The grid security exercise, scheduled for November 15-17, will test NERC’s and the electricity industry’s crisis response plans, and validate current readiness in response to a cyber incident. The exercise also will serve as an opportunity to enhance collaboration and strengthen industry security processes and capabilities.
Follow this LINK to a bulletin on the exercise as well as a compilation of some of the best grid security presentations I've ever seen, from NERC's recent conference in New Orleans (see Presentations tab at bottom of page).

Results and findings should be available around mid December, and I'll be sure to post material that's cleared for public consumption.

Thursday, November 10, 2011

GridWise Global Forum (GGF) - Privacy Panel Perspectives

Couldn't tweet this one as I was on the panel, but yesterday (day 2) we had an excellent session expertly and amiably moderated by David Leeds of GTM called: "Smart Grid Data: Insights, Privacy or Both."

Excellent fellow panelists included:
  • Lee Tien, Electronic Frontier Foundation
  • Vesa Koivisto, Fortum Corporation (Finland-based utility)
  • Elias Quinn, Colorado PUC (former consultant)
  • Daniel Cleverdon, DC PUC

Here are a few take-aways for you:

When California's Privacy and Data Security decision came up (as we all knew it would) Dan Cleverdon said (and I'm paraphrasing here) that "every state PUC is all over it, and they'll deviate from it at their own peril."

It's great to have a precedent, isn't it?  California, as it has so many times before, has done its homework and is blazing a trail on data and privacy for the US. So far the consensus seems to be they did a good job, so as Dan said, a state will have to justify itself when it heads in a different direction, as some likely will. This is good process I think.

Lee Tien cited a long established example of trust between an organization and the public: the USPS has been carrying and delivering and not reading your mail for over one-hundred years. It's been done before and it can happen again with the utilities.

Vesa Koivisto described the way electric bills have been presented to customers in Finland, with 11 monthly estimates followed by an end-of-year adjustment (up or down). Pretty familiar, right? He contended that this wasn't a great way to establish trust and that if utilities could simply provide their customers with timely and accurate billing information, that would go a long way towards establishing a better relationship and trust. Great point.

Well, that's good news then, because thanks to AMI and Smart Meter deployments, this is the experience many customers are enjoying today, and many are getting even better visibility than that. Before you can have a trusted relationship you have to have a relationship, and accurate bills are a big step in the right direction.

Prompted by a lead-in by David and a question from the audience, we had a mini debate about how much of an individual's personal information is already exposed via social media, online transactions, smart phones, cable television, etc. and how much more could be revealed by Smart Meters and home area networks (HANS). We kept it civil and decided to research this question in more depth as a team, and maybe produce an infographic that could be useful to the industry ... and to the public.

Lastly, in my opening monologue I pledged to share a couple of information governance best practices from other sectors, and while I recalled one: frequent auditing (internal and external) of privacy policy and controls, I blanked on the second. Well, now it's come to me: the other one was about practicing for privacy-related data breaches. Make the whole organization get a visceral feel for what it would be like, and pressure test policies, procedures and technical security controls to see how they hold up in the heat of a (simulated) real world event. Practice makes perfect, as the saying goes.

All-in-all it felt like an educational and entertaining 90 minutes. The panelists, myself included, seemed to think we covered some worthwhile ground (credit goes to the moderator), and from the GGF audience feedback I got, it seemed they liked it too.

Monday, November 7, 2011

Getting Smart at GridWise Global Forum this Week

This just in from the SGSB social media desk - I'll be at the Reagan building in DC starting tomorrow armed with MacBook Air, Twitter and Blogger to both speak at and cover this year's GridWise Global Forum (agenda HERE).

Will be paying particular attention to the opening keynote moderated by IBM Energy & Utilities sector GM Guido Bartels with DOE Secretary Steven Chu and Uzi Landau, who runs Israel's Ministry of National Infrastructures (Tues at 12:45 pm ET), and the following panels:
  • "Guarding the Grid: Smart Grid and Grid Vulnerability" (Tues at 4:30 pm)
  • "The Technology Horizon: Future Trends and Potential Disruptions" (Wed at 8:30 am)
  • "Smart Grid Data: Insights, Privacy, or Both" (Wed at 10:30 am)
  • "Smart Grid and the Regulatory Landscape: Evolution or Revolution" (Wed at 1:30 am)
Two of these sessions will be broadcast live (and free) by our friends at Greentech Media. Follow THIS LINK to tune in at the appointed times to "Guarding the Grid" and "Smart Grid Data."

BTW: will using the #IBM@GridWise hashtag for denizens of the Twitterverse.

Wednesday, November 2, 2011

State Exemplar Colorado gets Well Deserved Cyber Security Leadership Attaboy

Sorry, but I was a little slow on the uptake on this one.  Not an exemplary blogger, am I, that's for sure.

But self flagellation aside, want you to know that there's at least one US State out there that's done what myself and others have been urging for large utilities. Namely, appoint and empower a CSO or CISO with enterprise-wide policy setting and enforcement authority.

For Colorado, that's Travis Schack, who's at the helm as CISO. It's important to note that Colorado didn't have to make this position, it chose to. That's right, and it neither regulator nor competitive pressure that drove this decision. Colorado has a CISO because it thinks its operations require, and its citizens deserve one.

Weird, huh?

Well check this out, from Travis's own blog, and you'll see that he's asking questions near and dear to our sector right now. Of government agencies he asks:
... do you have a data classification process in your organization? Do you know what systems process, store, and/or transmit each type of data within your organization? Do you know who has access to each type of data, where is the data being accessed from, when is the data being access, and what is being done to your data?
Ahem and Amen. Nice job, Colorado. And thanks to the Center for Digital Government for shining a light on these folks.

Monday, October 31, 2011

Conference Alert: Wise up at GridWise Global Forum

This is a big one, and though it's not security focused, security topics will certainly be in the air, and yours truly will be on a privacy panel on Wednesday.

From what I heard of last year's event, this is one of the most high powered Smart Grid conferences on the planet. Note the presence of some senior and very senior international leadership from government and multiple industrial sectors (not just energy).

  • What: GridWise Global Forum
  • Where: Washington DC, Ronald Reagan Federal Building
  • When: 8-10 November 2011
For more info on speakers, agenda and to register, click HERE

Conference Alert: European Smart Grid Security & Privacy

Lately, my work has included significant amounts of privacy, data security and information governance, so that makes this conference coming up in two weeks, with its mix of security and privacy, seem particularly helpful and timely. 

In energy sector, privacy has been primarily associated with Europe and Canada in the past, but now that the California PUC has ruled on customer usage data privacy, we're expecting to see it come to the fore in the US as well.

Here are the details if you want to check it out:
  • What: European Smart Grid Security and Privacy
  • When: Nov 14 and 15
  • Where: Amsterdam
For more info on the conference and to register, click HERE
For more info on the venue, click HERE

BTW - if you have a chance to walk around Amsterdam and crave food that's fast, good for you, inexpensive and extremely fresh and tasty, I found Wok to Walk my last time there and loved it.

Photo credit: Leo-seta on

Tuesday, October 25, 2011

DOE doing Little to Demonstrate or Inspire Cyber Security Confidence in the Sector it Regulates

I don't want to sound harsh or ungenerous, but the timing of this audit report, paired with its sad contents, is not great.

Long story short: known vulnerabilities in DOE systems are up; successful attacks endured by DOE systems are up, and DOE spokespersons are trying to cover it up / play it down:
We are concerned that a casual reader of this report might not fully understand that the findings, while important, do not represent demonstrated risks.
This from the agency's associate administrator for management and budget, in a letter to the DOE Inspector General.

As I said in a recent post, I'm now beating the bushes in search of energy sector exemplar organizations and am starting to find some ... two large Investor Owned Utilities (IOUs) so far. Would like to find similarly forward leaning examples of other types, including muni's, co-ops and Federal. 

IMHO DOE should be the model Federal organization when it comes to implementing and managing cyber security policy and controls and leading by example. That it's apparently another basement dweller, according to multiple recent audit results, only invites more scrutiny and more attacks.

Would love to see an energetic turnaround expert / change agent get in there, work on the culture and get them far better results next time. Sure you would too.

Here's the article in Reuters.

Monday, October 24, 2011

McAfee signals "All Clear" following its Duqu Alarm

Was able to attend most of the webinar today, where Peter Szor, senior director of research at McAfee Labs, laid out his and his company's latest thinking on the Stuxnet variant to a largely electric sector audience.

Here's the essentials, according to Szor:
  • There's been no control system involvement
  • Duqu is not targeting energy or utility assets
  • Attacks have been observed in the UK, US and Iran
  • Also maybe in Austria, Hungary and Indonesia
  • The command and control server is/was based somewhere in India
That's it. I hadn't posted on Duqu yet because I was trying to gauge its potential impact on our industry before making an alarmingly sound myself.

So far it looks like you can go back to security business as usual, which means you're paranoid, anxious and jumpy, and that a note like this telling you Duqu is harmless only makes you more certain that it's anything but.

Such is life in this happy profession.

Welcoming Weatherford to his new DHS Cyber Security Post

I've got a note here this morning from National Bureau of Information Security Examiners (NBISE) founder and former NERC CSO Michael Assante. Perhaps there's no one who understands the challenges Weatherford faced at FERC more than Mike. As a frequent advisor to FERC and Congress on critical national infrastructure security issues, few are better placed to know the obstacles and opportunities that await the new DHS Cybersecurity leader:
I would like to extend my congratulations to Mark Weatherford on his appointment as the new Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) and am very pleased to see such a capable and experienced leader take the helm. 
Mark has always carried a deep sense of mission into his assignments and in doing so has been able to motivate people, build teams, and mobilize entire communities. His background makes him an ideal choice for the Deputy Under Secretary position as he has experience working across large government enterprises and his most recent post, as the NERC CSO, has prepared him to appreciate the unique challenges involved with cybersecurity and industrial control systems.
At NERC, Mark helped broaden our thinking about cybersecurity and our digitally reliant infrastructures. His vision has pushed organizations to look beyond compliance to develop a comprehensive approach by including system engineering, planning, operations, risk management and security into efforts to secure our infrastructures. Mark’s leadership will help ensure national efforts align with front line reality as our nation continues to modernize our grid to increase productivity and efficiency.
We should look for opportunities to support Mark and the department in the months ahead to achieve greater cyber-resilience in our nation’s critical infrastructure.
Hear hear. Mark Weatherford has now seen how the cyber security policy sausage is made at the state level twice and Federal level once, in a large company, and in the DoD for the US Navy at the beginning of his career.

Sausage making is never pretty. But if you know how it's done, how it can go wrong and what ingredients are required to produce the best stuff, you can do a lot of good. Let's wish him well, and, seconding Mike's call to assist, pitch in wherever and whenever we can. Even with a strong leader, this type of sausage making is, after all, a team sport.

Photo credit:

Tuesday, October 18, 2011

Do it for Mom: Knocking out Smart Grid Vulnerabilities Early this Holiday Season

Unless you're in Texas where until recently roofs where melting and tires exploding, you've noticed the new autumnal smells in the air, right? So right about now who wouldn't want Smart Grid security, motherhood and/or apple pie? That's what this new Oak Ridge National Labs (ORNL) project promises:
Rather than wait for signs of a security problem to crop up in smart-grid technologies, wouldn’t it be better to automatically analyze software and hardware to uncover vulnerabilities, whether accidental or malicious?
I think this must be a trick question; the answer seems so obvious:

Add one part DOE lab, another part respected energy sector security service provider Enernex, and a generous dollop of AMI vendor Sensus, and it appears you've got a formula for something that's been missing in Smart Grid supply chain security ... until now.

Let's see how this goes.

Click HERE to read more on this.

Photo credit: cotaroba at

Tuesday, October 11, 2011

Electric sector security evolution: forward leaning exemplars vs compliance-focused knuckle draggers

This is the last of my posts from last week's Smart Grid Security Summit West, held in an unusually damp San Diego.

OK, knuckle draggers may be a little harsh. I apologize. But there may be a whole new approach emerging, to meeting security, privacy and compliance demands in the electric sector, and, depending on where you work when you read this, it's one I think you'll like a lot.

The outlines of a new approach appeared during the security metrics panel on day 1 and continued to resonate till the end of the conference on day 2, and basically it came across like this:

While the vast majority of utilities today seek to achieve an acceptable level of security and risk reduction via compliance with version 3 of the NERC CIPS, and preparation for what looks likely to come from NERC in subsequent versions, a couple of utilities, supported by their CEOs and/or empowered by recent crises, intend to set and implement higher-level security baselines for themselves.

I won't say who they are; it's probably best if you hear that directly from them or infer it yourself. But if these 2 can get the process started, and perhaps coax another 1 or 2 to join them, then they may be able to carve a wide path that many of the precedent-following rest can follow.

Imagine an industry where mere compliance with the lowest government enforced controls is no longer considered a best, or even a good business practice. Wait, this is starting to turn into a John Lennon song. Probably a good idea to stop here, but stay tuned for more on this.

Monday, October 10, 2011

Recipe for better teaming on outages

Three parts to this exciting new recipe. Mix together:
  1. A large electric utility
  2. A DOD service (or other large consumers)
  3. Social network service

In this case, a major power outage became an opportunity for teaming, and here the local Navy base gets kudos for lowering demand, something that helped San Diego Gas & Electric restore power to all its customers in very short order.

Twitter facilitated comms in the early phases of the outage, and here, it enabled a high profile attaboy from the utility before an audience of over 18,000 (SDG&E Twitter followers). Hard not to like this.

Thursday, October 6, 2011

Electric Utility Silo Busting Strategies Emerge from Smart Grid Security Summit West

One theme kept surfacing across panels at the conference this year. It was that as Smart Grid projects increasingly lead utilities' cybersecurity professionals, most often reared in the IT world, to wade into non-IT business divisions, there are better and worse ways for making connections across organizational silos or stovepipes.

In one case, a senior security professional cited the responsiveness he gets from being a direct report to the COO. Some said top-down power can spur instant movement, though it's likely not helpful for creating and maintaining sustainable good will over time.

Another, less senior guy said that at first he used to try to impress folks in operational organizations with his technical and security credentials up front.  And man, did that approach bomb.

He reported quickly learning that a more humble approach was far more effective. These days, this same guy simply begins with something like, "Hi, I'm John from IT, and I'd like to learn more about your business" and gets better cooperation every time.

Remember the embedded journalists in Iraq? They lived/slept/ate/worried/celebrated and sometimes were wounded or killed alongside the soldiers they were closest to. I think one approach a large utility might employ to infuse more security awareness and capability into its different business units might employ something like this approach.

I suggest that trust is the industrial-strength, organizational-stovepipe-dissolving solvent of first choice. And that  other forms of soft power will go much further in bridging the cultural divides required to foster a most security conscious climate, enterprise-wide. OK, I'll leave it at that for now.

Image credit: CStreet360 on

Tuesday, October 4, 2011

Asset Owners Speak Out/Up at Smart Grid Security Summit West

What a great start. Five guys charged with improving the security posture of their large utilities all on stage, and fielding questions from conference organizer Mike Amadhi and an audience full of security minded folks from all walks of life.

In no particular order, here are a few notes I took organized by speaker:

Jeff Gooding - Southern California Edison
  • Very interested in standards
  • Vendor certification would be desirable, though preferably nothing as heavy as the Common Criteria
  • Finds it takes approx 2 years for an IT security generalist to get up to speed and be competent in the operational technology (OT) arena
Ward Pyles - Southern Company
  • (Partly tongue in cheek, partly not) said Southern Co. doesn't talk security anymore. Rather, it's all about reliability ... doing what's required to keep systems operational and available.
  • To do this, he/they use a different, more business oriented vocabulary
  • Also, working with vendors towards certification
James Sample - Pacific Gas & Electric
  • Security is much more a people than an technology issue
  • Would like to see more standards baked into products at time of manufacture
  • Like Ward, increasingly uses reliability versus pure security in conversations across the business lines
  • Spends significant amount of time pushing vendors to deliver secure solutions
  • Wishes he could spend less time on vendors (above) and more time working with his people
Christopher Peters - Entergy
  • Security pro's must be good communicators and tailor language to fit their audiences
  • Bridging silos is one of his main jobs
  • Having a CXO as a boss is very helpful in accomplishing the above
Stephen Mikovits - San Diego Gas & Electric
  • Very thankful for CPUC's order that CA IOUs generate 10-year forward looking Smart Grid deployment plans, including a major emphasis on security
  • This really helped SDG&E as well as the other utilities by giving them a platform to communicate security  requirements and recommended actions
So there you have it. Several themes emerge: security as reliability, language and communications, silo busting, supplier security and certification, importance of security standards. Seems like most in the audience felt like these were the right notes. I sure did.

BTW - I was working pretty fast. If you spot any typos or inaccuracies here, please let me know and I'll update the post asap.

Covering the 3rd Smart Grid Security Summit

Have iPad with Twitter app loaded: will travel. When I'm not tripping over words as a moderator or panelist over the next two days, I'll try to give you a feel for who's saying what here in San Diego.

I came in late today and caught the tail end of the privacy workshop. Then onto a social gathering sponsored by the Canadian Consulate in a so-called Tiki room (see reference image above - conference attendees, you decide), where we got a little more privacy, courtesy of the Ontario Information and Privacy Commission. Other workshops today covered advanced AMI security and security testing.

All good stuff, and ready to dig into security topics tomorrow. For Twitter followers, will use #smartgrid #security and #sgssummit. And once again, here's the conference site.

Photo credit:

Thursday, September 29, 2011

Prepping for the Risk Management Process (RMP) Panel

In San Diego, Wednesday morning of next week I'll have the good fortune to be moderating a panel comprised of some of our industry's heavy hitters, including:
  • Marianne Swanson, CSWG Chairperson, NIST
  • Craig Miller, PM, National Rural Electric Cooperative Association (NRECA)
  • Lisa Kaiser, Security Consultant, DHS
  • Matthew Light, Infrastructure Analyst, Office of Electricity Delivery and Energy Reliability, DOE
  • James Sample, Director, NERC Critical Infrastructure Protection, Pacific Gas & Electric
As you may or may not know, a new document (in draft) which ties all of these organizations (and FERC and NERC and more) together has been released for public comment. Call the "Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline" or RMP for short, it's viewable HERE and you can register to make comments HERE.

During the panel session, we'll be moving quickly through intro's and prepared Qs&As so that the audience will have ample time to ask questions of the panelists.

But here's an ultra short intro to the dock in case you won't get a chance to be there in person or to look at the draft yourself. One way I've heard it described is to say the RMP attempts to blend and extend traditional IT security with OT and thereby bridge internal utility stovepipes. That's ambitious for sure but most would agree, sorely needed.

The draft breaks out the following objectives right up front, presented here, with my color commentary in color:
  • "Effectively and efficiently implement a risk management process (RMP) across the whole organization" - So they're saying there should be policy that extends across the entire enterprise; that'll be new to most utilities.
  • "Establish the organizational tolerance for risk and communicate throughout the organization including guidance on how risk tolerance impacts ongoing decision making" - Figuring out how much risk is acceptable  and how much is too much is classic business case material. To do this you have to do some solid translation between cybersecurity geek speak and hard business requirements ... should be interesting to say the least, but definitely well worth the effort.
  • "Prioritize and allocate resources for managing cybersecurity risk" - Prioritizing with confidence becomes possible once you've got a defined and level playing field. This could be quite refreshing for execs who get this far.
  • "Create an organizational climate in which cybersecurity risk is considered within the context of the mission and business objectives of the organization" - Culture change 101, but much more difficult by far than technology change IMHO.
  • "Improve the understanding of cybersecurity risk and how these risks potentially impact the mission and business success of the organization" - Also sorely needed and well worth the effort: drawing solid line connections, where they exist, between cybersecurity and reliability. If it's not about reliability, or some of the lesser values like efficiency, or cost effectiveness, why bother?
OK, that's enough for now. Will try to take notes so I can write up the RMP panel session highlights here afterwards. Meanwhile, you can click HERE for conference website if you seek more info.

Monday, September 26, 2011

Smart Grid Security Social Metrics

For a bunch of tech geeks and policy wonks, the folks in our community sure do like to congregate and socialize. There are a spate of new conferences coming up, the most temporally proximate being next week's EnergySec Smart Grid Security Summit West in San Diego.

I'll be there speaking on security metrics, including the IBM-initiated Smart Grid Security Maturity Model (SGSMM) as well as the developing IEC 62443 2-4 standard. One way to think of these two projects is that the former seeks to look at security maturity from an organizational (i.e., utility) perspective, while the latter employs technical metrics to evaluate, and in some circumstances, certify, products, depending on their levels of security goodness.

Will also be involved in a panel comprised of the participant orgs in the Risk Management Process (RMP), including DOE, DHS, NIST, NERC, as well as NRECA and a CA utility. Among other things, we'll be talking about the draft RMP document, currently out for public comment. Click HERE for that.

But if San Diego is too soon, or too far away, or too comfortable for you, you've got three more options to socialize with Smart Grid security folks in coming months thanks to the London-based SMi Group:
Hope you can make one or several of these. They're definitely useful for working out some of our more intractable issues face to face. And they usually serve adult beverages at some point as well.

Thursday, September 22, 2011

2011 (exceedingly short) Energy Security Book List

There are two new books out in the last few months I want you to know about. Whether you have time to read them, even if I am successful in getting you worked up about them, well, that's another story. So again, it's only two books, which is probably one or two more than you'll be able to get to given your current workload. But here's why you should give them a shot.

Neither addresses cyber security too much, but I consider all of this part of the broader "energy security" domain, and as such, this info is part of the foundation one needs to understand the full context of our cyber security, privacy and compliance landscape, where it's been and where it's going.

The first one is by former Austin Energy CIO Andres Carvallo, called The Advanced Smart Grid: Edge Power Driving Sustainability. Co-authored with frequent technology writer John Cooper, this book is relatively short at ~200 well illustrated pages, and is a pleasure to read. I'm going to re-use some of the laudatory words I recently posted in an Amazon review.

Before they invite you to travel with them into the future, Carvallo and Cooper do a solid job of orienting the reader with concise summaries of where the grid came from, how it's evolved over time, and as accurately as possible, how it's doing in its current state. For the many immigrants who've recently moved to energy from other sectors (like me), this is a great grounding.

The authors then look past the current climate of activity, much of it initially fueled with government grants, to a phase where business drivers alone dictate what gets deployed next. Ultimately, they begin to unveil for us a blurry but emerging vision of "the advanced Smart Grid", that's predicated on pervasive IP networking, tons and tons of data, microgrids, EVs, virtual power plants, new business models and more.

I particularly liked this point when the authors did pause for a moment on security:
As a foundational infrastructure, the Smart Grid cannot afford to get out in front of its ability to remain secure.
That's right ... what a concise way of saying so much. For me, it was well worth the time, and depending on your background and/or day job, it might be for you too.

Book number two is from one of the (if not, THE) true giants of global energy thinking over the past decades, Daniel Yergin. Best known (to me, anyway) for his biblical telling of the history and future of the oil industry in The Prize, his new book, The Quest: Energy, Security, and the Remaking of the Modern World, expands in scope to consider all energy sources. Recently reviewed in the NYT, this excerpt seems apropos:
When it comes to assessing the world’s energy future Mr. Yergin is a Churchillian. He argues that we should consider all possible energy sources, the way Winston Churchill considered oil when he spoke to the British Parliament  in 1913. “On no one quality, on no one process, on no one country, on no one route, and on no one field must we be dependent,” Churchill said. “Safety and security in oil lie in variety and variety alone.”
... and one more thing, for which the a smarter grid is the essential precursor:
One of Mr. Yergin’s closing arguments focuses on the importance of thinking seriously about one energy source that “has the potential to have the biggest impact of all.” That source is efficiency. It’s a simple idea, he points out, but one that is oddly “the hardest to wrap one’s mind around.” More efficient buildings, cars, airplanes, computers and other products have the potential to change our world.
Sounds great, right? Well, the bad news for you travelers is that, from a weight perspective, is that it tops 800 pages, though if you get the ebook version it's as light as can be. Now reading it, or the majority of it, that's another story. If it's too much for you to consider, maybe you can wait and hope for a movie version. But I wouldn't count on it.

Happy reading!

Photo credit: Miamism on

Tuesday, September 20, 2011

This Week the Economist Loves and Hates the Smart Grid

I confess I typically love The Economist magazine. Its tempered and wide-ranging world news reporting and "tough love" takes on the US culture and economy form a nice middle path at a time when many media outlets have gone decidedly left or right.

But while it's unusual for me to find much fault with their news, the opinion piece in this week's issue "Reliability of the Grid: Difference Engine - Disaster Waiting to Happen", about the recent San Diego outage and the current state of the grid really rubbed me wrong.

By now you probably know the drill:
What is rarely mentioned in all the proselytising about the smart grid is that it adds a vast layer of hackable points to the network—some 440m by 2015, according to Lockheed Martin’s Energy and Cyber Services. Every smart meter in the home will be a hackable device. The same goes for all the routers at substations. As the saying goes, if you can communicate with it, you can hack it. Today, you can cut off the power to someone’s home by shinning up the nearest electricity pole and throwing a switch at the top. Once smart meters become widespread, you will be able to do that remotely, from the far side of the world.
Proselytising? Jeez. Security challenges are "rarely mentioned"? Yeah right. This blog's primary mandate is countering, in its own modest way, the overwhelming ratio of FUD based Smart Grid scare articles with ones that tell a fuller albeit less dramatic story. And thank you, large defense contractor, for adding fuel to the fire (not). The author of this Economist piece went back almost a year to find a FUD-soaked interview with a now departed Smart Grid security practice manager for the 440 million hackable points factoid. There's more I could say about this excerpt and the rest of the article but let's move on. This is supposed to be a short, readable post after all. Get in, get out.

In a piece dated one day later, September 17th, titled "Energy in Japan: Out with the Old" we get the counter argument for a Japan recovering from Fukushima :
Japan needs a smarter grid, with electricity prices that vary according to demand. Power should cost more when demand is high and less when it is low, giving people an incentive to run the washing machine in the middle of the night. It should also be simple for new producers of electricity—from clever start-ups to big industrial firms—to sell power back to the grid.
Nice, but oh so different in content and tone. So what's your ultimate recommendation, Economist? Should we freak out and do our best to scuttle all local, regional and national Smart Grid initiatives due to the looming horrors you describe in article 1? Or should we keep our heads on straight, and build out the Smart Grid for the sound economic reasons you give in article 2, while working overtime to ensure it's as safe and secure as possible? Inquiring minds want to know.

Photo credit: Steve Snodgrass on

Wednesday, September 14, 2011

Win Free Tix to EnergySec Smart Grid Security West conference

Last week I promised you a trivia question and here you go.  If you can respond correctly and quickly enough, you could save some significant money and attend this conference as I've got 3 free passes to give away. OK? Here you go:
Q: What animal will you typically find 11,000 million of per wooded acre?
Hint: the answer is in some ways quite relevant to our interests on this blog.

And don't despair if that doesn't work out for you. Because of the good relationship the SGSB enjoys with the organizers of this event, you can click HERE to get half off the regular registration fee, either for single days or the entire 3 day event, including workshops on day one.

Hope you can make it, one way or another!

BTW: you can reach me at andybochman at gmail dot com

Tuesday, September 13, 2011

The Normally Strong Grid's Self Inflicted Wounds

So only a few days ago you saw a post here about grid lessons from Hurricane Irene. Now we're back with another major grid event and I'm not sure what to call it other than the recent Arizona, San Diego and Mexico outage ... SanMexiZona outage perhaps?

Investigations are still being conducted, but what do we know so far? Well, a transmission maintenance issue impacted a substation in Arizona, and then:
  • Cascading failure reached into California and Mexico, knocking power out to millions
  • And caused 2 nuclear facilities to shut down
  • Navy and Marine bases turn to back-up diesel generators and kept non-essential personnel home
  • And many other types of trouble you'd expect from a black out in a large US city ensued, driving cost estimates into the hundreds of millions.
It's weird. In some ways the grid is a beast, capable of absorbing the worst insults and continuing operations largely unaffected. It virtually scoffs at earthquakes, raging fires, hurricanes, tornadoes ... and across the Pacific, even Godzilla stomping out of Tokyo Bay once in a while. Sure, some outages occur in the areas where equipment is destroyed. But the grid is usually a master of defense and containment.

But then a little thing happens during routine maintenance and a big chunk of the grid unexpectedly swoons. Amory Lovins and others on the 2008 DoD Science Board (DSB) task force on Energy identified the US grid as brittle and a threat to CONUS military readiness. Here's Lovins in 2010:
The US electrical grid ... is very capital-intensive, complex, technologically unforgiving, usually reliable, but inherently brittle. It is responsible for 98–99 percent of U.S. power failures, and occasionally blacking out large areas within seconds—because the grid requires exact synchrony across subcontinental areas … and can be interrupted by a lightning bolt, rifle bullet, malicious computer program, untrimmed branch, or errant squirrel.
Seems like some of the worst behaviors we see in the grid are avoidable. In addition to the many other benefits we often describe to regulators and general public with the Smart Grid build out, improvements to reliability have got to be high on the list, if not #1.

BTW - Try Googling "Errant Squirrel" - it's simply amazing how active (and errant) these critters have been!

Image credit: KUSI News San Diego

Thursday, September 8, 2011

The Importance of Context when discussing Smart Grid Security

Sometimes those of us who speak with the press end up finding that our intended meaning, stripped of context, can become distorted beyond recognition in articles which then spread more darkness than light. What follows is an open letter, just released, from former NERC CSO Michael Assante to you, and all the members of the community that seeks to keep the US and other global grids (as) safe (as possible) from cyber attackers.

I recently had an opportunity to learn about the importance of context. I tried to help someone understand the challenges of regulation and cyber security in the context of smart grid technology deployments and electric infrastructure, and learned once again how polarized this topic can become. Certainly many can appreciate the challenge of communicating with clarity on this topic, as it can be nuanced, highly-technical, process-laden, and mired in the details of a little-followed piece of history and U.S. federal and state law.

Let me begin by providing some of the context, or background, that explains why I work hard to help develop a better understanding of how cyber security impacts operational technology in critical infrastructures. As a boy I was fascinated with the engineering required to generate and deliver electricity. To me, the power system represented a grand achievement that demonstrated what dedicated men and women could accomplish.

My father worked for a utility and was rightfully proud of the public service his company delivered to homes, schools, manufacturing plants, and hospitals. He worked with impressive machines that excavated coal, and cutting edge control centers with analog light displays. But the thing that made the biggest impact on me was the dedication with which my father and his colleagues performed jobs, and their uniform sense of mission, as they clearly understood that what they did made people’s lives better. I was quick to appreciate the vision, investment, and effort that enabled vast natural resources like coal and hydro-power to be turned into electricity, which was then transported and delivered over vast distances to every household and business.

The success of the electricity industry in designing, building and maintaining an incredible system of systems, continues to inspire children and adults alike. It has grown to become a critical infrastructure that underpins modern society. The delivery of highly-affordable and reliable electricity has paved the way for the industrial and technological revolutions that have transformed global economies. It is ironic that over the last forty years of progress, we have also created a significant set of challenges that need to be addressed as a consequence of our continued innovation.

The rapid advancement and application of digital technology has improved electric system operations, reliability, and process efficiency. But it carries with it a heavy responsibility. We must now safeguard this increasingly ubiquitous element of the grid from those who would seek to disrupt technology and cause harm.

This dilemma of digital technology is that, like electricity, it enables great things but can cause great damage if not managed properly. There is one very important difference, though. The nature of electricity is understood sufficiently to prudently manage the risks it can present, whereas cyber threats are constantly evolving and are co-adaptive (the threat will consider the protections you have employed and find ways to circumvent or compromise them). This has led me to conclude that many of the difficulties we experience addressing cyber security come less from how the electricity industry behaves, and originate more from the complex nature of digital technology and the unique risks it engenders.

Many of you know that I have often shared my thoughts on the difficulties of managing cyber risk in the complex and vast systems that comprise power grids. There are a number of necessary constraints, such as the golden rule of “first, do no harm” (do not negatively impact system reliability and safety). Other challenges have more to do with state of industrial control system technology and the tough job of keeping up with the rapid changes in technology and the evolving capabilities of would-be cyber attackers.

NERC and the industry have pioneered the use of mandatory reliability standards as one tool to manage risks to reliability across the complex weave of entities that comprise the bulk power system in North America. I am confident that progress will continue to be made by NERC and the industry, but it takes time to learn what works well when dealing with the scale of the bulk power system and specifically, when trying to address the difficult-to-bound risk that comes from cyber threats. I, like many others, understand that we must continually evaluate the processes we use to develop and manage the CIP standards. We must consider the effectiveness of the standards requirements when compared to how digital systems are being compromised by current cyber attackers. Cognizant of the risks of unintended consequences, we need to fully understand the behaviors we are promoting by using standards that require strict compliance. Finally, we need to be mindful of the spirit and goal of the standards and the importance of providing enough flexibility so that utility security programs can adapt to best confront the threats they face.

I have had the pleasure of working alongside of some of the most gifted experts in power engineering and industrial control system security over the years. The power industry has a rich collection of experts often passionately inclined to work together as a community to solve complex problems. Their expertise is essential in determining how to best apply cyber defenses in the highly-specialized environments of power generation, transmission, and distribution. We would also, however, benefit from the experience and learnings of other industries’ cyber professionals who themselves labor to defend highly-targeted networks. I have grown to appreciate the adaptive nature of cyber threats and importance of maintaining a current understanding of how systems are compromised. NERC has engaged with the U.S. government to benefit from its understanding and should continue to look for opportunities to learn from government and cyber security experts from other industries bent on tackling this common problem.

Context matters in how we think about these problems, in how we frame our concerns, and in how we formulate new approaches so that we may attain the many benefits of new technologies while managing the risk. I am confident that we will begin to engineer away the worst consequences, continually find more effective practices and develop the necessary skills to better address sophisticated and ever changing cyber threats. This is a difficult task that will continue to require our best efforts, to include regulation. It is a task that demands a prudent approach as the effectiveness of our investments needs to be measurable and demonstrable. We must continue to innovate if we're to fully enjoy the many benefits of affordable and reliable electricity.

Michael can be reached at

Wednesday, September 7, 2011

Conference Alert: EnerSec Smart Grid Security Summit West 2011

This conference series, the first ever dedicated to Smart Grid Security and Privacy, had a great start last year in San Jose and now returns to California with a head of steam after robust attendance and some very strong content earlier this year in Knoxville.

The lineup keeps getting stronger and this session promises a compelling mix of workshops on day 1, followed by days 2 and 3 with regulator and industry updates, round table discussions and lots of back and forth with what has been in the past a very energized audience.

You can expect a bunch of utilities will be present, and not just the big 3 from California, plus state regulators from CA and TX, fed folks from DOE, NERC, FERC and NIST.  Also, owing to proximity to one of the largest USN bases in the world, we'll likely see some energy-minded sailors present too.

Here's the basic facts for you:
  • Dates: 3-5 Oct 2011
  • Location: San Diego
  • Venue: Town and Country Hotel - click HERE to reserve a room
  • For more info and to register for the conference, click HERE
Next week I plan on throwing a few trivia questions at you. Correct answers may earn you a significantly reduced rate for the conference, or at the very least, hearty congratulations.

Photo credit: http2007 on

Tuesday, September 6, 2011

A Couple of Closing Thoughts on Hurricane Irene

Damaged power lines burned in Nag's Head as Hurricane Irene hit the northern Outer Banks of North Carolina.
Hurricane Irene fully cleared my city (Boston) last week, we've had nice weather since, and everyone (or almost everyone) in Massachusetts has their power back at the time of this writing. Folks in some other states aren't quite so lucky.

But before we file away the memory and move on to the next storm or cyber incident, check out this Irene-related online exchange between a residential customer and a utility executive doing his best to keep his customers as informed as possible:
Q: Why am I getting calls to see if my power has been restored when in fact it has not been? I have a 4 year old and 1 year old and you can imagine what it is like being without power. 
A: One of the reasons we perform call backs is because crews have made repairs in the neighborhood and surrounding areas, and we want to ensure that each house has been restored. Without requesting a call back when you report an outage, we wouldn't know the service to your house is still out. Please make sure to report all outages to 1-877-xxx-yyyy.
Sounds like a region ripe and ready for its residential Smart Meter deployments, doesn't it? I'd say it's well worth the extra time and effort cyber professionals need to develop a secure Smart Grid to relegate conversations like this to history.

And the image of the totally chewed up poles (from Nag's Head, North Carolina) really caught my eye. Aren't the poles supposed to be holding up the lines ... and not the other way around? As immigrants to the electric sector quickly learn: cyber risks are one thing; Mother Nature is something else entirely.

Photo credit: Nicholas Kamm of AFP

Friday, September 2, 2011

Newsflash! A Reasonably Balanced Article on Grid Security

First of all, kudos to Discovery News writer Eric Niller for penning a relatively fair and balanced piece this week on Smart Grid Security, with a decent, non-alarmist headline to boot. He quotes me a fair amount, but enough about me, it's two of the other quotes I'd like to address.

First, here's one I don't like, attributed to a large and otherwise highly reputable security firm:
One of the more startling results of our research is the discovery of the constant probing and assault faced by these crucial utility networks. Some electric companies report thousands of probes every month ..."
As you know I'm not a big fan of using words like startling in this context, especially in describing phenomena that are not at all surprising, let along startling. Of course utilities' networks are being probed. And it's a good sign they've got the systems and processes in place to be aware of it. 

Go ahead and plug a new PC in and turn on its wifi radio. Within minutes, if not seconds, even with good security controls enabled, that machine is going to come under some serious scrutiny. It's a fact of life these days. Bothersome? Yes. Annoying? Definitely. Startling? Not in the least. Get real, above-mentioned report writer for large and otherwise highly reputable security firm.

This one I like better. It's a straightforward statement from a straightforward person:
What we are doing is laying a new digital infrastructure over the very reliable and sturdy bulk power system. This digital infrastructure provides a lot of new attack vectors into the electrical system that didn't previously exist.
That's NERC CSO Mark Weatherford speaking, and as you can see, he balances the comment about new attack vectors by reminding the journalist (and thereby, the readers of this piece), that underpinning all the new Smart Grid stuff  is a very robust legacy system. A system that's delivered increasing volumes of reliable power to hundreds of millions of customers for a long, long time.

Overall, pretty good work, especially when so much of the popular press delivers, on a daily basis, heaping helpings of unmitigated FUD. You can read the whole piece HERE.

Thursday, August 25, 2011

Conference Alert: 2011 ICS Security

It's that time of year again. Time to get up to speed on recent attacks on industrial control systems and update your knowledge re: potential solutions. In other words, it's the (11th annual) Joe Weiss show.

If you want to see what Joe's been thinking and doing since the 2010 version, you can track him here on his "Unfettered Blog".

Some folks of note who are going to be presenting this year include:
  • Mike Assante
  • Ralph Langner
  • Dillon Beresford
  • Gary McGraw
Now for the logistics:

Dates: 20-22 September 2011
Venue: Washington Hilton, Washington DC
Conf URL
Draft Agenda

Hope you or someone from your org can make it.

Friday, August 19, 2011

Silly Smart Grid Security Headline Winner

Here it is: "Survey: 77% of IT Security Professionals Concerned about Smart Grid Cyber Security"

Question: What's going on with the other 23%?

In my experience (and probably yours as well), "IT Security Professionals" are nothing if not concerned ... about almost everything. Maybe the relaxed 23% taking the survey didn't understand the question. Or maybe they didn't bring a #2 pencil.

Well, at least the writers didn't invoke the usual FUD hysterics:
  • Cyber Pearl Harbor
  • Armageddon
  • Apocalypse
  • Alarmed, Alarming, etc.
  • amd of course ... Cyber 9/11
Compelling (not) full article HERE.

Wednesday, August 17, 2011

California Shows the Way with Customer Electricity Usage Data Security & Privacy Ruling

Show me another state (or country for that matter) that's doing this much. The California Public Utilities Commission (CPUC)'s proposed decision became a decided decision while I was away, so if you haven't had time to check it out yet, here's a good short summary from IDC's Usman Sindhu.

In play are:
  • HAN networks (for real)
  • Real-time pricing signals for consumers
  • 3rd party access to usage data with customer consent
  • New security and privacy rules for the big 3 CA IOU utilities with CPUC oversight
But if you insist on reading the entire ruling, then by all means, click HERE for it. I won't try to stop you.

Monday, August 15, 2011

International Smart Grid Security - East meets West and West meets East

My job just keeps getting better and better. A few weeks ago, just prior to the backpacking vacation from which I recently returned, I had the great honor of meeting a sharp senior security analyst and energy sector researcher from South Korea.

Along with a stellar IBM colleague who not only possesses substantial cyber security and pen testing chops, but also knows how to say hello and more in Korean, we reviewed approaches and exchanged ideas on to best protect important grid and Smart Grid equipment and data.

It seemed like we accomplished some important, if early, work together, and had a few good laughs along the way. And then our friend was off to Black Hat. Depending on which sessions he attended, there were certainly several good grid security-related lessons to take back across the Pacific (as posted previously HERE).

I don't know if Dunkin Donuts coffee is powering Korea yet, but as shown above, it certainly fueled our conversation towards the end of our great afternoon together in Boston.

Thursday, August 11, 2011

The Value of Black Hat for Smart Grid Security

When it comes to spotting flies in the energy sector security ointment, perhaps regulators are too polite to utilities, and utilities too polite to their suppliers. No such problem with the security hackers who jump up on Black Hat's global soap box every year and show the world what they've found.

The conference wrapped up last week, and I've got two completely different types of finding for you. One has to do with huge vulnerabilities in the systems related to home networks at the edge of the Smart Grid. The other is targeted at the heart of the legacy grid itself: SCADA systems and the programmable logic controllers (PLCs) that run important transmission and distribution equipment.

  • Click HERE for the home network piece
  • And HERE for the grid equipment vulnerability demo

Two years ago it was Smart Meter vendors who found themselves embarrassed, in the cross hairs of security pro's, who showed how easy it was to exploit weaknesses in their products. Now attention has shifted to other grid elements. And the beatings continue!

Suppliers thinking they'll save money by moving slowing on improving the security characteristics of their products are playing with fire. The lesson of Black Hat is that they'll be found out. It may not be by NERC. And their utility customers may be focusing on other pressing challenges. But man, sooner or later, the Black Hat crew will be on your case and when they do it'll take more than tons of money to get your troubles behind you.

For this, we should be grateful. Keep it up guys!

Wednesday, August 10, 2011

Smart Grid Security Blogger: Unplugged, Rebooted and Recharged

If the post from a few weeks ago called Generating Leaders was about why we send kids to camp (and how society benefits), then this one is about why I/we send ourselves away sometimes. I don't want to waste your time with extraneous personal details, but will share a few takeaways re: the purpose and benefits of taking these periodic time outs.

And in my case at least, as with the traditional summer camp experience in the US, my best time away involves deep, cell-phone-free immersion in nature with a few close friends, and pushing myself physically in ways I can't during everyday life.

In the aforementioned post on kids and camp, I called out the following ingredients:
  • A change of scenery
  • New experiences & new skills development
  • Connections with the past
  • Dis-connection with the techno present
  • Time alone and time together
  • Encountering and connecting with other kids from other cultures
  • Big fun
Not all these line up perfectly with my recent experience (unless you count what happens when Bostonians meet Texans as a cross-cultural encounter). But even for a near grown-up like myself, the similarities are many.

First of all, in the chaos of what constitutes a normal day and night as a full time IBMer + blogger + parent, I'm not sure the static and cross-talk going on in my grey matter could really be called thinking. It's certainly not deep thinking in any sense. But several things happen on these hikes that seem to help. The first is sleeping and waking in near total silence. Related, but on the visual front, is the complete lack of illuminated screens in the mountains. There's nothing to catch your gaze outside scenes of the most natural beauty, lit by only ambient light (see: Sun, Moon, Stars). Lastly, there's pushing my body hard enough that things start to quiet down between my ears, which creates a space for really thinking.

For construction workers, miners, linemen, and anyone else who does hard physical work for a living, trips like these may be redundant. Though likely not in the most serene surroundings, they already do hard work with their bodies day-to-day and that brings a certain stillness. But for sedentary folks like me and probably you (aka knowledge workers), tuning in to the world from a chair surrounded by LCD monitors and more than 1 phone makes concentration a scarce and precious commodity. Disconnected on remote trails, humping heavy backpacks up switchbacks and over passes above 12,000 feet, the mind quiets down and then turns on in a different and better way. Back at home in Boston now, I can still feel the difference.

There are other ways to achieve a similar effect, of course. And some are much simpler, logistically speaking. But for me, at least once a year, nothing beats a trip to the mountains. It's been Colorado lately, but I can hear the Alps calling.

So, since you made it this far, here's an aerial shot of the Four Pass Loop ... we did the 30+ miles in about 3 days. Some go slower, some go faster:

Four Pass Loop - click to enlarge

Here's a picture taken last week after crossing and coming down from the fourth pass in the Snowmass/Maroon Bells region:

And speaking of Snowmass (Old Snowmass, that is), look who my son Dylan and my friend Chris and I ran into the day after we re-entered civilization:

If you know energy efficiency and renewable energy, then you know that's Amory Lovins, founder of the Rocky Mountain Institute (RMI). We had the great fortune of spending time with him at his private residence and energy efficiency test bed, which you can read more about HERE.

All in all, a smashing success on many levels. I'm going to use the clarity I gained in my day job and on the blogs for as long as I can keep it. And as to the last item on the camper list ... you bet it was fun.

Monday, August 8, 2011

Town Hall Announcement: Measurable Security in the Electric Sector

We've trumpeted alerts for previous editions of this town hall series before, and here's another one on a topic that's near and dear to my heart.

Here's the deets:
  • Date: August 17, 2011
  • Time: 8 am - 12 pm PT
  • Host: Puget Sound Energy (PSE)
  • Town: Bellevue, Washington
  • Address: 320 108th Avenue NE, Bellevue, WA 98004
  • Fee: Free
  • More info and to register:
Hope you can make it.