Friday, January 28, 2011

NISTIR 7628 Conference Coming to the University of Maryland

When NIST held its most recent 7628 community outreach session in Boston a few weeks ago, it was snowing (big surprise!) and that made it hard for speakers and participants alike to get there. Nevertheless, for the hardy few who made it, NIST CSWG Vice Chair Alan Greenberg and company made it a thoroughly educational (and even somewhat entertaining) experience.

For those of a more mid-Atlantic persuasion, the show is coming to Baltimore on February 15. The session is open to anyone, though registration is required.

All the info you need can be found HERE.

Tuesday, January 25, 2011

NERC CIPS: Latest Updates on Versions 4 and 5 ... and some Sympathy for the Folks Building Them

A few weeks ago I attempted to impart some wisdom on the status of the CIPs. (It remains to be seen whether that was smart.) Now the "Insecurity Culture" blog has an excellent new post, linking you (once you register) to two "open letters" describing in some detail how and why the CIPs are being made.

And while analysts and others grumble about the sporadic output of the Standards Development Team (SDT), the (probably) too many committees, and the cumbersome and confusing approval process, these letters paint a fuller picture of what's really going on. For example:
There are people who think the SDT is a bunch of regulators run amuck, dreaming up one new standard after another just to preserve their jobs. This might be a good criticism, were it not that a) the SDT members are all employees of NERC entities, b) that they aren’t paid for their SDT work, and c) that they all have full-time day jobs they have to do as well .... So why are they starting now to develop a new CIP version that will be a complete revision of the former versions (and thus far more work than even Version 4 was)? The reason is simple: They have to ....
I liked that account, and after reading this stuff all the way through, I'm pretty excited to track the SDT's progress with the ambitious Version 5. And amazed to think how much work utilities have ahead of them to meet the Version 4 requirements deadline. Follow this LINK to the post and look for the cowboy hat.

Smart Grid Security at the Biggest US Electric Utility and Cyber Security Conferences coming up in February

In the last post of 2010 (HERE), I listed 3 conferences in 2011 that would focus exclusively on Smart Grid security topics. One thing I omitted, though, was that Smart Grid security is becoming an increasingly big draw at much larger conferences and expos. Two of the biggest, one for electric utilities and the other for cyber security professionals, are coming up in February. Both are in California (thank goodness), and both feature panels made up of experts you (should) already know.

Here are the details for each:

Distributech 2011 in San Diego (Electricity)

Date/Time/Venue/Session: 2/2/2011, 9:30AM, Room 1B, Session #3A
Speakers and topics:
  • IBM's Jeff Katz on "Dealing with Smart Grid Insecurities"
  • Enernex's Sandy Bacik on "Developing Application Security Test Plans"
  • Umesh Singh of GE Digital Energy on "Smart Grid Software Security"

RSA 2011 in San Francisco (Security)

Date/Time/Venue/Session: 2/16/2011, 10:00 AM, Orange room 309, Session PNG-202
Session Title: Securing the Smart Grid

Moderator: Sam Curry, CTO, RSA (EMC)
  • Gib Sorebo, SAIC
  • Mike Echols, Salt River Project
  • Heath Thompson, Landis & Gyr

If you'd like to do both, it's a (relatively) quick 500-mile drive on Route 5 North, though 101 along the coast would have much better scenery.

Recent Q&A on Smart Grid Security and Life Continuing Nicely through 2011

In case you don't come across it via other means, HERE's a recent Q&A session I just did on the past, present and near-term future of the Smart Grid from a cyber security perspective.

Here's the part that led to the title of the piece:
2010 saw a very single-minded Stuxnet penetrate, but not disrupt, many enterprises with industrial equipment, including the military and utilities. More broadly aimed variants of Stuxnet may be in the works, or in the wild already. But I don't necessarily forecast extraordinary trouble, as the promulgation of fear, uncertainty and doubt (FUD) doesn't help anyone. Some security professionals like to put folks into fetal positions with scare stories. But I prefer to remember what my broker tells his clients during downturns, "generally speaking, the world doesn't end."
Special thanks to Larry Karisny at Project

Alarming image credit: andrewsrj on

Tuesday, January 18, 2011

Smart Meter Health Fears Allayed ... thanks to Science !!!

In early December 2010 I wrote a piece, titled Smart Meter Resistance Movements, on how groups were forming on both coasts to fight the deployment of Smart Meters in their regions. As you can probably tell, as a staunch anti-FUD spreader, I'm not a big fan of these hysteria-spouting folks. Today, the verdict is in, and I offer you an antidote to one of their principal contentions.

The nonprofit California Council on Science and Technology, an organization "designed to offer expert advice to the state government and to recommend solutions to science and technology-related policy issues," has just released a report weighing in on the "Smart Meters give you brain cancer" debate.

And they did so rather decisively. As their just-released study revealed:
Wireless smart meters, when installed and properly maintained, result in much smaller levels of radio frequency (RF) exposure than many existing common household electronic devices, particularly cell phones and microwave ovens.
I saw this first on SmartGridNews which covered it HERE. Or you can go directly to the CCS&T report by clicking HERE.

You can still argue privacy. One can (and should) quite reasonably voice concerns over security. And maybe the economic advantages haven't proven themselves yet, at least from the individual home owner's perspective. But as regards the purported threat from RF emissions, I think we can all sleep well now. That claim's been put to bed.

Photo credit: Sam Howzit on

Friday, January 14, 2011

FERC Finalizes Agenda for Tech Conference on Smart Grid Interoperability Standards

As noted earlier this week on this blog, FERC has invited its commissioners to an immersive afternoon on Smart Grid interoperability and security standards development, past, present, and future. Now FERC has finalized its agenda and named the panelists who'll be attending.

Following an introduction by NIST's Smart Grid Interoperability Coordinator, George Arnold, there will be two 90-minute sessions:
  1. The Smart Grid Interoperability Standards Process for Reviewing and Selecting the First Five Families of Standards, and
  2. The Smart Grid Interoperability Standards Development and Identification Process Going Forward
Key logistical details are:
  • It's open to the public, so you can go if you want to, and if there's room, attend this event in person at FERC HQ in DC
  • If you can't make it or don't want to, a free live webcast will be available here
  • Lastly, they indicate that the conference will be archived for 3 months
Here's the latest dispatch from FERC with all the info.

Photo credit: hydroreform on

Wednesday, January 12, 2011

Webcast Alert: Smart Grid Security Blanket

This one looks like a good one, hosted by Jesse Berst's SmartGridNews and featuring experts from Duke Energy and Accenture. I'll be tuned in, and recommend you attend too if you can.

Date: 27 Jan 2011
Time: 4 pm ET
Click HERE for more details and HERE to register.

Image credit: Charles M. Schulz

Tuesday, January 11, 2011

NERC CIPs: Looking at Version 4 Red-lines and Headlines in early 2011

Back in December 2009, the CIP-002 version 4 draft was called "Cyber Security—BES Cyber System Categorization," and it sought to break out T&D assets into High, Medium, and Low BES impact systems, as well as define violation levels built off of these categorizations.

Because of the increasingly interconnected and interdependent nature of grid assets in the emerging Smart Grid, regulated protection of the most important systems, while a good starting point, is far from mission complete. Hence, this draft included language that removed the bias towards the subset of systems deemed critical:
"Terms to be retired from the Reliability Standards Glossary of Terms once the standards that use those terms are replaced: Critical Assets, Critical Cyber Assets ..."
This was viewed as a relatively bold step forward at the time by advocates for more granular guidance across a broader range of systems, and as overwhelmingly too much work by asset owners who already felt CIP compliance activities were draining far too many cycles from their already maxed-out employees.

A number of industry watchers and bloggers were pretty excited about version 4's new directions, with articles like "DRAFT NERC CIP-002-4 - A Turning Point for NERC CIPs?", while another, "Big NERC CIP Changes Looming," foresaw:
"Every requirement will be auditable and not just addressable," and "there are no 'out of scope' bulk electric system assets."
Well, as you can imagine, debates ensued among the members of the standards development team and the language, one year later, is much less ambitious. As this December 2010 red-line copy reveals, CIP-002 version 4 retains its original name, "Cyber Security—Critical Cyber Asset Identification," and only a few things are set to change:
  • The biggest change is that utilities are no longer responsible for identifying critical assets via their own risk-based assessments. A new attachment takes care of that for them and brings badly needed uniformity to the process
  • A clear call-out that nuclear assets, regulated by the NRC, are definitely not in scope
  • A reworking of violation levels is now "to be developed later"
For folks who've followed the process, this seems like a lot of time consumed without very much to show for it, unless regulators and the regulated feel that preserving the grid security standards status quo is in everyone's best interests.

Also, just in from the grapevine, comes word that more is set to change than is revealed in the red-lines. Here are a few unconfirmed but likely items:
  • The terms "Electronic Security Perimeter" and "Physical Security Perimeter" are being retired
  • High, Medium and Low impacts, based on the total output of each registered facility, will return to CIP-002
  • All material black start facilities will be considered High impacts regardless of their generation capabilities
I want to keep the information on the SGSB as accurate and helpful as possible, but as an outsider to the standards development process, my view of what's coming next is far from perfect. So if any readers who've made it this far know more, or know different than what you've read here, please let me know and I'll update the post pronto.

Monday, January 10, 2011

Conference Alert: FERC Technical Conference - Taking a Measured Breath Before Resuming Smart Grid Standards March

As a standards development project, NIST and crew have moved with breathtaking speed. The time has come for the community to weigh in, and for FERC to see if "sufficient consensus" exists to begin to formalize these standards. Here are some of the details for you:

Title: Technical Conference on Smart Grid Interoperability Standards

To refresh: the five "foundational" standards and their functions are:
  • IEC 61970 and IEC 61968: Providing a Common Information Model (CIM) necessary for exchanges of data between devices and networks, primarily in the transmission (IEC 61970) and distribution (IEC 61968) domains
  • IEC 61850: Facilitating substation automation and communication as well as interoperability through a common data format
  • IEC 60870-6: Facilitating exchanges of information between control centers
  • IEC 62351: Addressing the cyber security of the communication protocols defined by the preceding IEC standards

Click HERE for the original NIST press release on "the five."

Conference Description: The purpose of the technical conference is to obtain further information to aid the Commission’s determination of whether there is “sufficient consensus” that the five families of standards posted by the National Institute of Standards and Technology and included in this proceeding are ready for Commission consideration in a rule making proceeding, as directed by section 1305(d) of the Energy Independence and Security Act of 2007.

Day/Time: Jan 31, 1-5 pm ET

Additional details, including live link: HERE. You're also free to attend in person in DC.

Wednesday, January 5, 2011

Zen and the Art of Smart Grid Security

I'm not sure how to say his last name, but there's a lot to like in John Traenkenschuh's metaphor:
We bikers know that risk is something that can be mitigated, to a point. Risk remains, and it's our job as safety pro's to limit impact and help the organization, the rider, steer a reasonably secure, er, safe course. 
... and also this:
Nothing I can do can wash away all the security risks with all the IT systems we're paid to protect; in much the same way that no amount of training I might provide you will remove all risk from riding a motorcycle. Instead, let's focus on forcing a quick alert if, maybe WHEN the attack occurs? 
This short article is not specific to our industry, and is actually written more from a vendor's point of view than a technology user's, but because survivability is a crucial backstop to good security, and certainly adds to peace of mind, there's more HERE that applies.

Photo credit: Don DeBold on

Monday, January 3, 2011

Teaching the Old Grid New Tricks ...

... will require students versed in the art and science of engineering, including (but not limited to) electrical engineering. We used to say that in the future we'd need these folks. Well, with the recent passing of 2010, the future is beginning to look more and more like the present.

A present in which ...
A great deal depends on whether power companies can find and attract a sufficient number of engineers capable of designing, managing and maintaining the new systems the smart grid demands. And that’s by no means certain. The Center for Energy Workforce Development estimates that by 2015, 51 percent of the power-engineering workforce will need to be replaced because of retirement or attrition. And that’s just to maintain current levels. To drag our aging grid into the 21st century will require power engineers trained in the most sophisticated communications and control concepts.
Seems like the old immovable object about to be whacked by an irresistible force. In a tough job market, this much need can't and won't go unfulfilled for long.

This article quotes a manager at AEP as saying these vacant engineering roles will be filled by new personnel from one of three sources: re-trained internal folks, university programs and vendors. University investment in new teachers and courses has been constrained, to say the least, though the last word may belong to the DOE, which just slapped down a cool $100 million on the counter for Smart Grid training programs.

At the bottom of the article you may notice one reader asks "Just engineers?" The answer, of course, is of course not. Increasingly, folks with training in business and economics are called for as the old business models are poised for a most thorough revision.

And as for cyber security pros to watch over the systems designed and built by the new crop of inspired engineers and business folks, they're likely going to come from vendors for a while longer, until organizations like SANS and the new NBISE can get a bunch more out the door with the requisite energy sector chops ... like a firm grounding in SCADA/ICS, for instance.

Photo credit: USAFA (my alma mater) graduation by Beverly & Pack on