Wednesday, April 27, 2011

CNAS Focusing on Smart Grid Security

The DC-based Center for a New American Security (CNAS), host of the excellent Natural Security blog that highlights the security interconnectedness of many different domains, is having a Smart Grid Security week. You'll note their particular interest in critical infrastructure in general, and DOD in particular.

And of course, I warm to this part of their non-alarmist opening statement:
Today, we’re beginning to get a better sense of the ground truth, ever-moving as it is. About a month ago we held a workshop on smart grid tech and cyber security, with a great cross-section of experts. My main takeaways were that there are real cyber threats in considering smart grid deployment, but that there are many USG efforts underway to mitigate and manage the risks. The holes that exist seem to be things like improving coordination within DOD on grid security, ensuring interagency communication, and setting consistent standards for DOD contracts that include smart grid and electric infrastructure work (and hopefully standards more rigorous than for anywhere else).
See announcement HERE. And stay tuned for their follow-on posts ... there are already some new ones today.

Tuesday, April 26, 2011

Getting Very Tired of Smart Grid (and other) Security Whiners

I think I still have a little hangover from yesterday's post where I linked to a piece that had senior people worrying very publicly about the potential security shortcomings of the increasingly smart grid. Then this morning it hit me: I'm sick and tired of wimps, Chicken Littles, Eeyores, Glums (see TV show: The Adventures of Gulliver), etc., who spend all their time covering up and encouraging the rest of us to do the same.

I don't want to associate with those who live their lives in fear. I don't want that rubbing off on me. I'm focused on learning, helping and building, as are most of the people I am closest to, in work and in private life.

And here's an antidote to fear mongering if you want one: a short paper just penned by a US Navy Captain and a Marine Colonel that attempts to set a strategic course for the USA. You'll get the gist of this 15 page document from a short excerpt from the preface:
Porter and Mykleby give us a non-partisan blueprint for understanding and reacting to the changes of the 21st century world. In one sentence, the strategic narrative of the United States in the 21st century is that we want to become the strongest competitor and most influential player in a deeply inter-connected global system, which requires that we invest less in defense and more in sustainable prosperity and the tools of effective global engagement.   
Investing less in defense will certainly trigger some Pavlovian alarms. But I get from it that the focus is less on money, and more that we would seek a less defensive posture, a less defensive mindset. Instead, we would arm ourselves to the teeth with technological innovation, improved education, and accomplish force projection through getting our economic house decidedly in order. Think about the global shock and awe produced when our books are balanced and our economy roars back into life aided by neither smoke nor mirrors.

Here's a new National Strategic Narrative when you're ready to lose the fear and stride confidently into the remainder of the 21st century. And no, I'm not in la la land. A big part of this is securing the grid and ensuring our future energy needs are adequately, if not abundantly, met.

Monday, April 25, 2011

Smart Grid: Good or Bad Idea?

With a hat tip to Ollie Fritz of OSD, here's the fundamental question we security folk caught up in grid modernization activities can't help but ponder:
Are we helping or hurting our nation's overall security posture?
If you persist and continue on to this recent post on Aviation Week's Ares blog, you'll find more smart folks in high places questioning the wisdom of building this thing. That's something you'll sometimes find me doing (though with neither brilliance nor from a lofty perch) over cocktails in semi-private settings, but never directly under the hungry gaze of the press.

You see, whether we think it's net-net a good idea at any one particular point in time, in any one particular geography, it's a moot (some say mute) point to question the value of the Smart Grid. The fact is, notwithstanding Smart Meter resistance movements in California, Maine and Ohio (thanks Andres), we're right now in the construction phase at varying degrees of speed all around the world. And the Smart Grid being built is much much more than those headline grabbing Smart Meters.

The attendant security challenges it brings are monumental. The risks, we hear, are growing daily. But overall, it's all the more worth pondering and tackling because of the central role awaiting a modernized energy grid in our future.

So question though we must (some more than others), the momentum towards a Smarter Grid is inescapable. As Tom Paine said, "Lead, follow, or get out of the way." I'm with him.


Thursday, April 21, 2011

A Spring Deluge of Smart Grid-Related Security Incidents

Last week I posted happy news. (Click HERE to recapture the moment.)

Now I don't want to give you the idea that this is a bi-polar blog or anything, but this week I was going to post on THIS, related to an insider attack at a big utility in the US south east (still awaiting confirmation), but then thought better of it.

Have you noticed lately that the occasional drip or splash of security incident news related to the grid and Smart Grid has become a steady downpour? It's too much for me to comment on each new event or revelation. And I'm not going to list them here and weigh you down with concern. Besides, you've probably seen this stuff elsewhere already.

But what to make of the up-tick in publicly disclosed incidents? One question to ask is whether there are more (and more successful) attacks happening lately, or whether utilities have improved their ability to detect incidents which have likely been happening all along. I'd put money on it being a combination of both, and the addition of Smart Grid technologies like AMI and distribution automation will only continue to facilitate both trends.

What ramifications can we expect from this? One is that mainstream awareness of grid security risks cannot help but rise from all of this, and that means that there's little chance the fuel that's been stoking the new security legislation fires in Congress is going to run out anytime soon.

A second effect is that many of us, including utility executives, could grow numb as the incidents continue to happen to "the other guy" and their own quarterly reports are unscathed. After all, despite the cold and wet we get in Boston in mid April, the lights are still on, the Red Sox have started to awaken, and my new iPad 2 is fully charged, so life is good, right? ... Right?


Wednesday, April 13, 2011

Warning: SCADA/ICS Security Good News Alert

Hope you're sitting down cause I've got (good) news for you. If you were expecting yet another predictable dose of downer news re: the state of cyber security in the electric sector, this post may be a bit of a disappointment for you. If that's the case, just grit your teeth and get through it.

You remember Stuxnet?  You remember Siemens Step 7?  Been wondering whether anyone's been doing anything to make control systems more resistant to Advanced Persistent Threat (APT) attacks? Here's a snippet from a press release this morning:
Against a backdrop of global threats such as Operation Aurora, Stuxnet and Night Dragon, enterprises need a way to protect their critical systems. After intensive testing, Siemens-Division Industry Automation has proven compatible with McAfee® Application Control solution to defend against such attacks.
When you're ready to click, both McAfee and Siemens have a little more detail for you. It's an application white listing approach to security, and for you skeptics, you're right, it's probably not the solution to all known problems. But from where I sit, it is certainly a move in a potentially very helpful direction.

But wait, the good news isn't over yet (sorry); there's more. Security vendor Tenable has just released new plugins which specifically test SCADA devices, which came out of months of collaboration with ICS security consultancy Digital Bond.

Obviously I'm not endorsing the work or products of any of these companies. That's not my job and I'm not really even qualified to do so. But in a media world where the bad guys (and the events they cause) dominate the headlines and fill our minds with all manner of anxieties, it's nice to see the good guys strike back. Let's see some more of this re: GE, ABB, etc. and from other security vendors who you'd expect should be able to help.

Pessimists stay tuned; I'm sure we'll have something for you soon enough.


Tuesday, April 12, 2011

Conference Alert: GTM's Networked Grid 2011

Greentech Media (GTM) is a company and a site to which you want to be paying regular attention, whether you're a cyber security wonk or a solar powered baseball cap-wearing, wind turbine hugging, bio-fuel brewing, HAN programming, Leaf driving cleantech acolyte  ... or something in between.

Sorry to put you through all that, but it just came out that way.  Anyway, let's get on with (details of) the conference I'm trying to announce:

Conference link: HERE
Venue: Mission Bay Conference Ctr at UC San Francisco
Dates: May 3 and 4, 2011

Security track info:
  • Title: The Current and Future State of Smart Grid Security
  • Day/time: May 4, 1:15 pm- 2:15 pm
  • Description: The nature of smart grid technology advancement (two-way communications networks, vastly increased number of intelligent endpoints, distributed intelligence throughout the grid infrastructure, etc.) lends itself to potential security risk and network-wide proliferation. With that said, extremely high-speed, distributed, complex networks have been built, scaled and are highly secure, so there is little technical reason these techniques won't apply to smarter grids. Smart grid security remains a top priority and along with that comes a plethora of concerns, sometimes slowing down the necessary security standards to move deployments forward. This session will cover the various physical and cyber security issues that threaten large-scale smart grid deployments and the solutions that are being developed to address them.
  • I'll be the moderator, but here are the bios of the 3 panelists:
Last year's event was great. This one should only be bigger/better. Hope you can make it.

Monday, April 11, 2011

Apparently, Many Utility Execs Continue to Use the Snooze Button on Security

Just 5 more minutes ... please ... zzzzzzz.

Actually, these chaotic days, I'm glad to hear some folks can still sleep soundly.

You must be familiar with the power numbers have to persuade, right? Well, I'm shocked (Shocked!) to report that what we thought was true is now, in fact, empirically, demonstrably, numerically true. Thanks to the keen eyes of many colleagues and community members, I've received 50+ emails forwarding news of a just-released study by the respected Ponemon Institute.

Here are the most provocative/telling numbers IMHO:
67 percent of information-technology professionals surveyed said their organizations had not deployed the best-available security to guard against hackers and Internet viruses, according to a report released today by Ponemon Institute LLC, an information-security research group.
Not sure the "best available" is good enough based on issues we know to be true with how the "supply chain" does and does not market secure products to utilities. But I think you/we get the point.
More than 75 percent of global energy organizations surveyed admit to having suffered at least one data breach over the last 12 months .... Furthermore, 69 percent of organizations feel a data breach is very likely or likely to occur over the next 12 months
Hmmm, those are pretty big numbers. What kind of data and how much was revealed on how many I wonder.
71 percent said their companies’ top executives don’t understand or appreciate the value of information-technology security, according to the report ...
This finding is what drives everything else. Low executive understanding of the business case for improving security = perpetually constrained funding and legacy organizational approaches for security. And it's our fault that there are no practical means for demonstrating, or witnessing, said desired improvement.
“One of the big surprises in this survey was that despite increasing cyber attacks on networks, the strategic importance of IT security among C-level executives hasn’t increased,” said Tom Turner, SVP at Q1 Labs.
Why do you think that is? Are utility executives as cold and uncaring about protecting their business operations and their customers' sensitive data as this study seems to suggest? Do utility execs walk away clean when their organizations are breached and targeted cyber attacks cause loss of reliability, money or life? I sincerely doubt it.

And what about operational technology (OT) security ... keeping the generators, control centers, substations and all safe from malicious attack? Though not mentioned in the report, this has got to be at least as big a challenge as securing the IT side of the house.

One more thing: Larry Ponemon says utility execs “are more concerned about preventing downtime than stopping a cyber attack.” I posit reliability and security are much more tightly coupled than many in positions of power think. And as long as we remain inarticulate, incapable of demonstrating that relationship in a manner comprehensible to all, then only real-world cyber incidents causing major outages will compel a change of attitude and changes in executive behavior. I'd really rather it didn't come to that, though.

OK, back to numbers. I'm 100% sure we've got a lot of great folks working on the tech parts of the problem. Maybe we should spend 50% of our time thinking this through ... and articulating our answers ... in language senior business folks can understand more than they do now. Much more.

For a great counterpoint/companion piece, see Dale Peterson's response to the same Ponemon study on the Digital Bond blog, HERE. With a comment from German Stuxnet wrangler Ralph Langner, no less.

Darn, there's that alarm again. Alright, I'm getting up!


Wednesday, April 6, 2011

Conference Alert: ICS Joint Working Group Spring Conference

Here you go, in the usual "Just the facts, Ma'am" format:
  • What: An opportunity to network and engage in discussions related to securing control systems
  • Where: Dallas/Addison Marriott Quorum
  • When: May 2-5, 2011
  • Why: You know why
  • Who: Control systems stakeholders from industry, government, academia, international, vendor, and research and development communities
  • How: Here's the registration link for the conference. Registration will be accepted online until April 25, 2011. After that date, you may register onsite on the day of the conference. Advanced registration, however, is encouraged.
  • How much: There is no cost to attend the conference and/or training; however, all travel, meals, accommodations, and incidental expenses are the responsibility of the participants.
More helpful details ensue:

There will be subgroup working sessions on Monday, May 2nd for subgroup members who would like to participate. The main conference is from May 3-4th with individual and panel presentations related to securing control systems. There will be an optional 8-hour Intermediate Industrial Control Systems Cybersecurity Training (Lecture only) on May 5th. A draft agenda is attached.

Questions: please email

Tuesday, April 5, 2011

No Jive: it's 5 (Version 5 of the NERC CIPs, that is)

You know, there's only so much you can do to enliven a discussion on the development of industry standards. Here at the SGSB we do our best to keep it interesting, but when you get right down to it, you've really got to have a major stake in this matter to give a ... hoot.

So if you're still reading, you must have a searing need to know more. Whether you're an outside observer or a utility employee or contractor on the inside, you must really care about the rules intended to help move utilities to become more secure. Else, you're a lost ESL student who happened upon this page and are even now trying to figure out what these words mean. In any case, let's proceed.

A few weeks ago I got the first few dispatches from the most recent NERC Standards Development Team (SDT) meetings and posted a few observations HERE.

Since then, some more info has become available that confirms, corrects, clarifies and/or expands upon the initial stuff. Here are a few of the more important updates focusing entirely on the emerging Version 5 (V5):
  • Re impact level classifications, practically speaking, there are only two levels: baseline and high-impact. The high-impact assets are divided into those at control centers and those at generation plants or substations. At any particular facility, there will be only two types of assets
  • As the effective date for V4 will be in 2013, it’s a good bet that V5 compliance won't be required until 2014
  • While bright-line criteria for risk methodology are a V4 addition, in V5 the criteria determine which cyber assets are high vs. baseline (see first bullet)
A more detailed account called "Version 5: The Fog Starts to Lift" is available at the Matrikon site. You'll have to register if you haven't already, but I think you'll find it's worth a few extra keystrokes.
