Tuesday, June 28, 2011

Good Smart Grid Security News from the Land of Nowitzki

You know, as a staunch anti Smart Grid FUDdite, it's not easy for me to praise the article that contains this quote:
If I’m a burglar, for example, all I’ve got to do is hack into the smart grid, and I know when you’re home and when you’re not home.
Ha, it's clear that hacking meters is easy as pie !!!

I think of burglars and immediately wonder what this person is thinking (I almost wrote smoking)? Unless you view what the MIT students famously pulled off in Vegas (as depicted in the film 21) as burglary, I just don't see the average, or even the above average burglar investing in Smart Meter hacking school tuition. Heck, they probably don't even have the SATs to get in.

It may be important to note that said quote is from an attorney (and likely a good one) who helps run his firm's Cloud Computing and Cyber-Security practice team. Certainly that type of statement could drive some revenue.

Nevertheless, the reason for this post isn't the quote and commentary above, it's the title and tone of the larger article that caught my eye. Goes against the grain of 99% of media reports warning of the impending Smart Meter led apocalypse.

Especially good, I think, is this bit near the end:
“It’s impossible to design an impenetrable security system, but we have a multi-layered approach that’s overseen by several offices.” Oncor has a full-time security team that is constantly monitoring and addressing each security alert ... If there are irregularities, the team investigates them. If a problem were to arise, the team would take measures to lock it out of the system.
You don't have to be bulletproof to be secure (enough). And being able to see what's happening, and being ready to respond, is key. Got to like it.

How like Texas to be so unlike the rest. You'll find the full article HERE.

Oh yeah, and way to go Mavs !!!

Monday, June 27, 2011

Trailer for Smart Grid Security No FUD Zone

I had a really great time recording my first hour-long solo webcast recently, but sixty minutes of yours truly might be more than you can tolerate. If you're game, though, click on the image above for the webinar boiled down to a relatively spare 3 minutes.

Also recommend you register yourself HERE for the Virtual Energy Forum (VEF). These folks host a ton of extremely good energy speakers (if you'll allow for one recent exception, that is).

Wednesday, June 22, 2011

The Best Talk Ever on NERC CIPs and Grid Security ... Period

I've read some good stuff over the years, though never at work. In the classics department my favorites are The Heart of Darkness, Moby Dick and The Invisible Man. For somewhat shorter, if not lighter fare, I like Haruki Murakami and the Raymonds: Chandler and Carver.

But the line between pleasure reading and work reading has been big, bright and until recently, very, very bold. That is, until I found Stephen Flanagan's mature (by his own reckoning) perspective on the Critical Infrastructure Protection standards (CIPs), the culture of utilities, and the difference between compliance and commitment:
I have a problem with this term “compliance.”  In fact I think it’s bad terminology for the CIP program and gets us into the entire wrong mindset from the get-go. And why do I think this? Well although the term “compliance” has a more or less precise legal definition, its use among the uninitiated does not have the same connotations.  I fear that when many hear the term they look more to Webster than Black as the dictionary of choice.  And in Webster one is likely to find the word defined as: Compliance: –noun, 1. the act of conforming, acquiescing, or yielding. 2. a tendency to yield readily to others, especially in a weak and subservient way.
He asks "How does that grab you?" and continues:
... in my opinion, for reliability, and I stick CIP into the reliability program as a whole in this discussion, I think the better term would be “commitment” rather than “compliance.” Why “commitment” you may ask. Well again Mr. Webster provides some helpful insights: Commitment: –noun, 1. the act of committing, pledging, or engaging oneself. 2. a pledge or promise; obligation. 3. engagement; involvement. 
Flanagan concludes with "Now doesn’t that sound a whole lot better?" Yes, it sure does.

I've never heard the compliance vs. security conundrum more eloquently and simply put. Compliance mentality is an organizational, cultural disease that undermines real proactive security attitude and action. I'll take engagement and involvement every time.

There's a whole lot more to savor and appreciate in this learned, witty, irreverent article. You may find the occasional typo, and maybe the title's a bit alarmist, but that's likely because this isn't actually a work of great literature. However, in my experience, and in our space, Stephen Flanagan's keynote address is one for the ages ... a grid and Smart Grid security masterpiece.

You can read the whole thing HERE.

Tuesday, June 21, 2011

Electric Sector Supply Chain Responsibilities re: Security

I found a recent post "Fix the Problem, Stop Bailing out Vendors" on the Digital Bond blog quite compelling.
Author Dale Peterson begins thusly:
We, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to their models available for sale today. Beginning with authenticating the source and data sent and received from the PLC and continuing with other Security 101 features. We should not say or pretend that any other solution besides this is acceptable.
... and what follows is some interesting back and forth between Peterson and SCADAhacker Joel Langill, as well as a number of pretty well informed commenters, on how best to approach these challenges, and with whom the ultimate responsibility lies.

While Siemens is mentioned because its equipment was targeted by Stuxnet, all makers of intelligent, connected grid systems (and I'd certainly include grid and Smart Grid software and application vendors here as well) should have their feet held to the fire re: the security functionality of their products.

We can try to do that via regulation, or we can start asking, and then demanding it in RFPs and other sourcing docs. One way or another, solid security functionality is becoming a real requirement. Let's not pretend otherwise. And let's not let others pretend otherwise. Click HERE for the full post.
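As an added illustration (not code from Digital Bond, the commenters, or this blog) of what "authenticating the source and data sent and received from the PLC" in Peterson's Security 101 list amounts to in practice, here is a small Python sketch. Each command frame carries a device ID, a monotonically increasing sequence number and an HMAC-SHA256 tag over the whole frame; the receiving side rejects any frame whose tag does not verify (tampered or forged by someone without the key) or whose sequence number is stale (a replay). The key, device ID and frame layout are assumptions made for the example, not any vendor's protocol.

```python
import hashlib
import hmac
import struct

# Constructed key for the example only. A real deployment provisions a
# per-device key at commissioning time and never hard-codes it.
KEY = b"example-plc-key-do-not-use-in-production"

# Frame layout (assumed, not a standard): 2-byte device id, 4-byte sequence
# number, variable-length payload, 16-byte truncated HMAC-SHA256 tag.
HEADER_FMT = ">HI"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 16


def build_frame(key, device_id, seq, payload):
    """Sender side: tag the header and payload so the receiver can check both
    who sent the frame (only a key holder can produce the tag) and that the
    payload was not altered in transit."""
    header = struct.pack(HEADER_FMT, device_id, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Verifier:
    """Receiver side (the PLC, or the master station for PLC responses)."""

    def __init__(self, key):
        self.key = key
        # Last accepted sequence number per device, for replay rejection.
        self.last_seq = {}

    def verify(self, frame):
        """Return (parsed_frame_or_None, reason)."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None, "too short"
        header = frame[:HEADER_LEN]
        payload = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        device_id, seq = struct.unpack(HEADER_FMT, header)

        # Check the tag before anything else; constant-time compare avoids
        # leaking how many bytes matched.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"

        # A valid tag is not enough: a captured frame can be resent verbatim,
        # so the sequence number must move forward.
        if seq <= self.last_seq.get(device_id, -1):
            return None, "replay"
        self.last_seq[device_id] = seq
        return (device_id, seq, payload), "ok"


def demo():
    """Walk through the cases a practitioner cares about; returns the reasons."""
    v = Verifier(KEY)
    results = []

    good = build_frame(KEY, 7, 1, b"WRITE_COIL 12 ON")
    results.append(v.verify(good)[1])            # fresh, keyed frame -> "ok"
    results.append(v.verify(good)[1])            # same frame resent -> "replay"

    # Flip one bit in the payload of an otherwise valid frame -> "bad tag".
    tampered = bytearray(good)
    tampered[HEADER_LEN] ^= 0x01
    results.append(v.verify(bytes(tampered))[1])

    # Attacker without the key builds a well-formed frame -> "bad tag".
    forged = build_frame(b"guessed-key", 7, 2, b"WRITE_COIL 12 OFF")
    results.append(v.verify(forged)[1])

    # Legitimate next command from the same device -> "ok".
    results.append(v.verify(build_frame(KEY, 7, 2, b"WRITE_COIL 12 OFF"))[1])
    return results


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The point of the sketch is the ordering of the checks: integrity and origin first (the tag), then freshness (the sequence number), and state kept per device so one compromised or noisy device cannot advance another's counter. Per-device keys, counter persistence across restarts, and what to do when a counter wraps are the next questions a real vendor implementation has to answer, and they are exactly the "Security 101" items the Digital Bond thread argues should ship in the product rather than be bolted on by the utility.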

Photo credit: manpages on Flickr.com

Thursday, June 16, 2011

How much Smart Grid has been deployed so far?

Not all questions can be answered on the fly.  In fact, not all questions can be answered, period:
  • What, for instance, is dark matter?
  • What is my cat thinking?
  • Is there intelligent life on Earth?
  • How does Tim Thomas stop so many shots?
Heck, 99% of us can't even agree on what the Smart Grid is, let alone have a clue about when it's going to be here. Nevertheless, after being asked the question in the title above, I pledged to do some digging and post a response here on the SGSB as soon as I thought I had something. This came at the tail end of the recent Virtual Energy Forum (VEF) session called: "Lessons from the Smart Grid Security No FUD Zone." You can try getting to it by clicking HERE, but good luck.

Now without further delay, procrastination or obfuscation, here we go. If you look at this SmartGridNews write-up of a recent IDC Smart Grid market report, the picture may begin to come into view for you. Sometimes you can infer the past by getting a glimpse of the future (a nifty reversal of common wisdom that you can better imagine the future by studying the past).

Around the world, Smart Meters are being deployed at ever-increasing rates. Home energy management systems are expected to go through the roof (so to speak). And grid automation is coming on strong. So, question: how much is deployed today vs. what will ultimately be deployed in 5, 10, or 20 years?

Answer: Some of it, not all of it. We're still in the early days. Given the pace of technology change, probably the very early days. It's a good question to keep asking, though, and for some of us to try to keep answering. But I reckon it ain't ever going to be fully answered, because the Smart Grid (if it's still called that in the future) won't ever be fully here.

Photo credit: Radar Communication on Flickr.com

Monday, June 13, 2011

NRECA's Great New Guide for Coop Cyber Security

We can thank the DOE, NRECA, and DC-based software security firm Cigital (and in particular, Cigital's Evgeny Lebanidze) for the impressive and thorough Guide to Developing a Cyber Security and Risk Mitigation Plan, released recently.

What's NRECA?  Hmm, if you don't know that acronym, you must be some kind of big urban utility city slicker. So for your information, it's the National Rural Electric Cooperative Association, about 900 smaller utilities that make sure electricity gets not just from point A to point B, but all the way to points X, Y, and Z.

What I like best about this guide is that it has almost nothing to do with compliance, and therefore helps orgs focus on the policies and practices outlined in NISTIR 7628. Speaking of which, at almost 600 pages, 7628 is just too big a beast for most utility security practitioners (or anyone else for that matter) to digest. While the community is waiting for implementation guides from NIST that should make 7628 more practical, the just-released NRECA Guide does break it down into actionable, prioritized parts, beginning with a quick start guide.

Actually, even before that, it reveals its scope and intent:
This document is intended to help cooperatives develop a cyber-security plan for general business purposes, not to address any specific current or potential regulations. Its foundation is the ... NISTIR 7628, which is a survey of standards and related security considerations for the smart grid ....  real security requires more than simply compliance with rules – the organization must embrace security as a basic requirement of business operations and develop a broad understanding of security. 
Often hungry if not starved for resources and guidance, coops need all the help they can get. With the arrival of the NRECA guide, they can begin down a well marked path towards better cyber security and risk mitigation planning in the age of the Smart Grid.

Photo credit: Gloucester on Flickr.com

Saturday, June 11, 2011

What's Going On? - US Outage Reporting from DHS

Hat tip to IBM physical security pro Clayton Hollister for pointing out this great resource: the DHS Daily Open Source Infrastructure Report ... pronounceable acronym: DOSsIeR.

Simply click the day you want to check out, select "fast jump" to energy and you'll get DHS' account of some of the most significant (not too sensitive) electricity outages in the USA. Or pick another sector like nuclear, chemical or water to see how they're faring.

I think you'll agree this is pretty interesting if you haven't seen it before. Sure is a heck of a lot of info and incidents to manage. Good thing DHS has 200,000 employees. Holy cow, that's huge. They're almost half the size of IBM!

Friday, June 10, 2011

Looking Professorial while Sounding Pedestrian on Smart Grid Security

At least that's how I come across to myself in this recent Q&A with EnerNOC.

Here's a snippet from the brief Q&A:
Q: How do you define “security” for the smart grid?
A: (Excerpted) For many years, grid elements used to be largely disconnected, and isolation was one of the main security strategies. Now, by introducing standards-based protocols like IP (internet protocol) to the grid, we’re making these systems more modern, but also more accessible to would-be cyber attackers. So, for every smart grid benefit we get, there’s a corresponding risk. Smart grid security is about fully acknowledging and understanding those risks.
I would hasten to add that the introduction of Internet Protocol (IP) in itself doesn't make it easier for attackers to reach isolated networks and systems. I should say that if and when IP networks are accessed, they are more understandable to attackers versus the dozens of archaic comm and network protocols which have often proven unintelligible to modern cyber attackers. And speaking of "understanding", the last line should end with taking action once risks are acknowledged and understood. Otherwise, it's just an academic exercise, and utility executives don't invest in (and rate cases can't support) academics.

That said, the EnergySMART conference, coming up in September promises to be a good one. I'll be treading in the domain of DOD Energy Blog-ger Dan Nolan, describing what's motivating the Defense Department to become much more proactive in its energy strategy, what it's been doing to move the ball forward in energy management/efficiency/renewables, and the related cyber and energy security aspects of all that.

Click HERE for more info on the conference.

Wednesday, June 8, 2011

Energy Storage Tech Oozes Ahead

Sometimes I like to take a breather and set pure Smart Grid security to the side for a moment, and look at some of the new technologies being developed that may have a significant impact on what the grid of the future looks like.

Living just across the Charles River from the MIT campus, I've been lucky to have great access to lots of early energy tech breakthroughs and announcements. While this most recent one, a radical revision to the flow battery concept, is still too early in its development to know whether it can ultimately prove commercial viability, it sure is thought provoking.

For me, electric vehicle adoption and grid-scale energy storage are two of the biggest drivers of the future Smart Grid that supports a higher percentage of renewables (centralized and distributed) in its generation portfolio. And of course, as we always say, the more we build it, the more 2-way comms, intelligent devices and sensors we add, the more we come to enjoy its many new capabilities, the more we've got to make sure it's secure.

Here's a nice light intro to the goo-based battery from Discovery Tech that focuses on the EV potential, while CNET gives you a bit more technical detail and points to grid applications as well.

Photo credit: Lunchbox Photography on Flickr.com

Monday, June 6, 2011

Electric Utility Leadership calls for more Industry Attention to Security

I'm always campaigning for more utilities to hire or otherwise install more senior level security personnel (e.g., CSOs, CISOs) to elevate the security and privacy requirements using business language more accessible to C-level executives, the Board of Directors, and other senior stakeholders.

Well, one big company, namely Atlanta-based Southern Company, has leapfrogged that goal and has a vocal CEO articulating the essential need for the industry to do better on security. THIS POST by fellow energy sector security blogger (and very active leader and member of cyber security working groups) Mike Ahmadi gives you more perspective on this.

And it alerts you to a key initiative re: certification of systems and products where Southern is leading the way. One thing I can say for sure: you'll be hearing more about the proposal on this known as IEC 62443-2-4, so stay tuned.

Wednesday, June 1, 2011

Sony's Lessons for Electric Utilities

Have been thinking about the continued cyber bludgeoning Sony's been getting and how the utility sector would handle such a long-running, targeted attack. In terms of cybersecurity and privacy protection policies and technical controls, I can't say whether Sony was any better or any worse than its sector peers when all this started.

As far as motivation, certainly, individual utilities can easily incur the enmity of some of their customer base ... it's happened plenty of times before for a number of reasons, and it's happening again in some regions with Smart Meter deployments.

In CSO Online a couple of days ago, CSC's Mark Rasch offered this advice:
All companies have to make accurate risk assessments and carry out their responsibilities to protect personal information they store. "They have to realize they are fiduciaries of customer data and have a moral and legal obligation to protect that data. They need to do everything reasonable," he says. "The cost of repairing after the fact is 10 to 100 times higher than preventing it in the first place."
It's hard not to think of how the Sony saga playing out before our eyes, on top of the daily drumbeat of security attacks and breaches at large enterprises, is spurring some utilities into action, updating their risk calculus, and their controls. And very likely, many others don't see a connection, or a need to change their current defenses.

You can read the full article HERE.