Sunday, July 31, 2011

Grid Free & Gone ...

... backpacking, that is. This annual trek with a few trusted comrades never fails to reset all my clocks.

There's something about places like this that really settles you, no matter what's going on in your personal life or the larger world (yes, even including Washington DC).

Hope you have a great week and I'll be back on the job the 2nd week of August. That's a promise. Andy

Friday, July 29, 2011

From the Left Coast comes Big News on Smart Meter Data Privacy Regs

No time to pontificate on this now, but I wanted to make sure you saw the news. CPUC's proposed decision has just become a final decision, one whose implications could ripple across the US and affect future Smart Meter and Smart Grid deployments. See the Jesse Berst quick take on it HERE.

Weatherford speaks out on Compliance vs. Security

There's a lot to like in NERC CSO Mark Weatherford's new GovTech column on compliance vs. security in the energy sector, but my favorite part was the final paragraph:
Achieving a high level of security maturity and being compliant within a regulatory environment requires one fundamental component — a strategic vision for security. A strategic plan for achieving both your compliance mission and the overall corporate security goals should be complementary. But that’s a topic for a future column.
A "strategic plan" that melds security and compliance - absolutely yes. Make one or get one if you don't already have one. But "security maturity"? Let's have more on that. I'll definitely be keeping an eye out for Mark's future piece.

The full article is HERE. And BTW, if you didn't catch it last month, a much longer, and brilliant, talk was given on this topic by a gentleman from FERC. Go HERE for a link to the SGSB post on it, as well as for the full transcript.

Thursday, July 28, 2011

Generating Leaders

For regular readers of the SGSB, this piece may seem a little bit off topic at first. But recall for a minute how many of the posts on this and other Smart Grid related sites are concerned with people and cultural issues vs. technology. While tech issues like interoperability and security are hard to grasp for executives who lack a grounding in those disciplines, it's often the "soft" cultural challenges that end up being the real obstacles to change and progress.

And how does one come to master these? Well, the answer is simple: leadership and clear communications. The ability to analyze tough problems, formulate possible outcomes, settle on the best (or least worst) option and execute across a distributed, often stovepiped organization.

So where do these capabilities come from, anyway? I want to tell you why I send my kids to summer camp every year. It's because, in no particular order, I know that they're going to get:
  • A change of scenery - A change of tempo, rhythm and pitch from their normal school year activities, albeit with a lot more structure than "hanging out with friends" during summer break
  • New experiences - New skills development. Team building and team work. Camaraderie. Stamina and toughness. Some failures and losses. Some successes and triumphs. All are additive to character development
  • Connections with the past - The transference of cross generational lessons outside the confines of school and family. The counselors are some of the most amazing people I've ever met. While my time with them is relatively brief each year, I crave exposure to their dedication to the kids and the responsible, curatorial way they maintain and pass on enduring values
  • Dis-connection with the techno present - No iPads/Pods/Phones. No TV/Tivo/Nintendo. Replace these distracting cognitive noisemakers with silence, laughter, loon cries, rain on tent flaps, screaming, yelling and cheering during competitions of all kinds, quiet talks and less quiet songs around the campfire at night
  • Time alone and time together - You're alive here in ways you haven't had a chance to be anywhere else and you know it. You're at once totally on your own, and a blood brother/sister of an inseparable tribe too
  • Encountering and connecting with other kids from other cultures - At my kids' camps in Maine, they share tents, cabins and athletic fields with peers from other states, countries, cultures. And yes, some stereotypes are affirmed: the campers from Europe and South America run circles around the US kids on the soccer fields. But, as they do, they teach the Americans some new tricks. The World Cup will be ours I'm sure ... eventually
  • ... and lastly, and not necessarily leastly, they have tons of just plain old summer FUN
One couple we met this year was from southern France. They had heard about this camp from American friends who had moved to France a while ago, and learned enough to know they wanted their son to have this experience. I met them on the sidelines of a really kinetic open field game called Speed Ball, a crazy mash-up of soccer and rugby with about 8 balls in play at the same time (pretty challenging for goalies, as you can imagine).

They said they found their son transformed by his month at camp. A whole new type of self confidence was evident. Self confidence, they reported, gets squashed down for kids like theirs back in France. And they gave highest praise to the counselors, whose love of the kids was clearly apparent to them, and to the kids as well. Discipline here, you see, doesn't require threats or raised voices. Everyone is on the same page, trying to grow, and learn, and play, as individuals but also as teams.

The nice French folks said the US often gets a bad rap in Europe, but that what they saw in Maine this year was the best of American values ... and something sorely lacking in much of Europe and the rest of the world for that matter.

So why tell you all this? How's this relate to the well being of the Smart Grid and other critical infrastructure that runs our nations and the world? My answer: Good kids become good adults, and the camp experience fosters and helps generate character earlier than it might otherwise appear. It's not the only proven character forming pathway (see: the military), but it's a damn good one, and it's been doing it for over a century. If your kid or kids haven't had a chance to try it yet, maybe you can get them here (or somewhere like it) sometime soon.

Photo credits: Camp Winona (boys) and Camp Wyonegonic (girls), in Bridgton and Denmark, Maine respectively

Monday, July 25, 2011

Attacking Trends

Thanks to an energy infrastructure-focused former Navy officer (but not Mike Assante) for distributing a link to this article over the weekend. That's the way security folks are btw. The weeks often blend seamlessly into and through the weekends. And it's neither good nor bad that they do. It's just the way it is. And it's the way they are.

You'll find this piece to be part history review, part current situation update, and finally prognostication about where cyber attack trend lines are pointing. Overall, there's a lot to like in this Freakonomics article, but here are the two paragraphs that stood out the most for me.

The first comes from cyber security pundit and blogger Bruce Schneier. To the question of whether things are actually getting rougher out there or do they just seem that way, he concludes:
It’s not that things are getting worse; it’s that things were always this bad. To a lot of security professionals, the value of some of these groups is to graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats. But the recent news epidemic also illustrates how safe the Internet is. Because news articles are the only contact most of us have had with any of these attacks.
I like that last line of course. And then there's this from security researcher Tal Be’ery of security product company Imperva, who paces us quickly through the evolution of cyberspace and the increasing value of what we (and the bad ones) can find there:
Here’s where we reach a critical problem: companies are poised for the old cyber security model which was designed to keep the bad guys out. However, the same convenience that allowed individuals to access data from their living rooms meant hackers could too, say from a Starbucks, or a dorm room or Timbuktu. The old paradigm—keep them out—stopped working. Protecting the network, while still important, became secondary to protecting data. Few have recognized this evolution—except hackers. Today, of the $16 billion spent on security [cross sector], less than 10% goes to data protection.
I'd add application security to data security, to cover not just the target but the new primary attack vector. Network and system security, as the saying goes, are necessary, but these days, far from sufficient.

You can read the full article HERE, and I recommend you do. There's a lot more to it.

Thursday, July 21, 2011

Why I am no Fan of SciAm's recent "Hacking the Lights Out"

For three reasons, primarily:

1. Misuse of the term "Hacking." The man on the street may have trouble using words correctly from time to time, but Scientific American is supposed to know better. Especially with terms, like hacker, that are clearly loaded. Hacking, by the way, used the proper way, doesn't constitute a bad thing. To the hacking and security conscious community, it's more like a creative (and often good) thing. This headline is not helping.

2. You can't read the whole article online, and it costs $7.95 to buy the whole issue. And I don't see an option to buy just the article for less. IMHO that's way too much moolah for one article by today's standards.

3. OK, the first two are really small potatoes compared to this one. How many times do I/we have to say it? Enough with the FUD mongering. Tabloids and other lower forms of journalistic life: from them I expect anything. But SCIAM, for me, anyway, is something greater ... better. Or at least I thought it was.

The "In Brief" section on page 1 lets me know up front they're going to discuss problems and threats, but it also says it's going to end with how security is being "ramped up". Fair enough. I definitely want to hear about what the good guys are doing so our lights don't get "hacked out". But if you get a chance to read the whole article, you'll be surprised by how little time it spends on proactive, defensive measures being taken. My non-scientific estimate of the ratio of FUD to "what we're doing about it" is about 9 to 1.

I want more balance. I want less alarmism. That's all I want. You can read the first page HERE.

Monday, July 18, 2011

Dear Utility CEO: Would your Company's Services Providers withstand these Attacks?

Which attacks? The ones that recently (and very successfully) targeted the Department of Defense, extracting what is admitted to be tens of thousands of files' worth of sensitive data.

No, this isn't WikiLeaks. Bradley Manning is safely behind bars and the stolen info wasn't secreted away on CDs. You might want to think that Defense contractor systems are protected by super-strength security technologies, much more than you can afford, but in many cases you'd be wrong.

The strategies described in this FastCompany article from a couple of days ago are relatively pedestrian (by today's standards), and they worked against the DoD by targeting some of its services and integration companies. To defend against attacks of this type, you would want to ensure that your providers had good corporate security policies established, kept current, enforced, and regularly audited. You would want to make sure that your own policies and controls were solid, and that your sourcing documents required that your suppliers' policies be as good or better if they wanted your business.

Dark Reading has a story this month on supply chain threats that goes much deeper than what I have room for here. Here are the five questions it recommends you ask your suppliers:
  1. What processes and technology do you have in place to detect security breaches and rogue employees?
  2. Do you regularly validate your security measures and can you demonstrate your compliance?
  3. What contractual obligation do you have to protect my company’s data?
  4. What’s the minimum amount of access to my network and data that you need to do your job?
  5. For cloud service providers, what measures can my company take, such as encryption, to protect my data?
Another thing you'd want to do: make sure database security controls are deployed (in your utility as well as at your suppliers) so that while a few documents might be lost in a successful attack, the loss wouldn't quickly escalate to hundreds or thousands.
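As an added example (not from this post or the Dark Reading article), here is one way to put a number on that "a few, not thousands" idea: a per-account sliding-window check over database audit lines that flags any account whose count of distinct documents in a window blows past a cap. The account names, document ids and the one-line-per-access log format are all constructed for the example.

```python
"""Flag accounts whose document access escalates from a few to hundreds.

Constructed example: the audit-log format (timestamp account doc_id),
account names and document ids are invented for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse 'ISO-timestamp account doc_id' into (datetime, account, doc)."""
    ts_str, account, doc = line.split()
    return datetime.fromisoformat(ts_str), account, doc


def find_bulk_access(lines, window_seconds=300, max_docs=25):
    """Return {account: peak distinct docs seen in any window} for accounts
    that exceeded max_docs distinct documents inside window_seconds."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # account -> deque of (ts, doc) in window
    peak = {}
    for ts, account, doc in events:
        q = recent[account]
        q.append((ts, doc))
        # Drop accesses that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > max_docs:
            peak[account] = max(peak.get(account, 0), distinct)
    return peak


def build_sample_log():
    """Constructed audit log: an analyst reading five documents over an
    hour (normal), and an integrator service account pulling 300 distinct
    documents in five minutes (the escalation a per-account cap should stop)."""
    base = datetime(2011, 7, 18, 6, 30, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()} analyst_jane DOC-{2000 + i}")
    for i in range(300):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} svc_integrator DOC-{1000 + i}")
    return lines


if __name__ == "__main__":
    for account, count in find_bulk_access(build_sample_log()).items():
        print(f"ALERT {account}: {count} distinct documents in one window")
```

The same check works as a preventive control if the database proxy enforces the cap instead of merely alerting on it.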

Oh yeah, and one final change you can make to help: make sure everyone has their first cup of coffee NLT 6:30 am local. (If you read the FastCompany piece you'll see what I mean).

Photo credit: modomatic on

Monday, July 11, 2011

Smart Grid Security Manifesto

No sooner do I find and post on what I think is the definitive statement on Grid security-related compliance (a couple of weeks ago, HERE), than I immediately find its companion piece, related not to compliance but to critical infrastructure security.

Of this one I'm saying, (most) hyperbole aside, that it's our call to arms, a manifesto for how not to be overwhelmed and wimp out in the face of big complexity, evolving risks, and the hysteria of the press.

You'll have to wade through a few prefatory remarks about the NESCOR workshop and some other stuff, but soon you'll be hitting the good stuff, like:
Watching the various engines of civil society warm up and set to addressing the daunting task of critical infrastructure cybersecurity is very interesting, like an episode of Build it Bigger. Some would say it is also very depressing or even very frightening. I would disagree with those folks. We have managed to rise to the challenge of securing the Internet so far; I think we will rise to the challenge of securing our physical infrastructure as well.
In addition to our first talk at NESCOR, I got to spend some time on the phone with author Chris Blask today and we covered some of this ground. It's clear the man has spent a lot of time thinking through issues that still have many of us in the community perplexed. To wit:
The cognitive and physical efforts of many people are being applied to industrial control system security today, and the workforce is expanding. The process will be flawed and the recommendations revised and the standards complained about. Public criticism of all or parts of the process will wax and wane. It will go on forever and incidents will occur and, yes, due to unforeseen or unaddressed issues these will almost definitely include incidents that cost human lives.
Even if things go well, there will be blood. And that might get some folks worked up and anxious, except for this wrap-up:
But the work will get done.
This is the clear anti-Smart Grid Security fear, uncertainty and doubt (FUD) voice I've been seeking. Titled "Winning the Critical Infrastructure War," you can read the whole piece by following THIS LINK to InfoSec Island. I recommend you do.

2nd Smart Grid Security TwitterStorm Spotted

Social media storm chasers have identified this Wednesday afternoon (3:30 pm ET to be precise) as the time the next security-related Smart Grid Twitter discussion is likely to hit. The previous one, the one I was involved in anyway, was last fall, and it was a pretty interesting and educational affair. See the announcement HERE.

Subject this time will be the deployment of security controls at a US utility for two primary objectives:
  1. To protect itself from potential attacks coming from outside, particularly the Smart Meters and AMI network it's been standing up for customers recently
  2. To protect Smart Meter-enabled residential and commercial customers from potential attacks (or accidental, incorrect instructions) originating inside the utility or its systems
Please note, this will be an IBM-centric discussion, so I'll be speaking/tweeting from the perspective of my day job using the Twitter ID @IBMSmartrEnergy. To follow or participate in the conversation, use the Twitter hashtag #IBMSG.

Looking forward to this event: please join in if your schedule allows. BTW I'll be using the TweetDeck app for this event and recommend you give it a try if you haven't already.

Thursday, July 7, 2011

Energy Sector Control Systems Security for the Masses

So maybe you're a migrant from the IT world and you feel down because you still can't wrap your head around the mystic world of operational technology (OT) security. Well, fret no longer; I have good news for you.

Chris Blask, who I had the pleasure of meeting at the NESCOR meeting in DC last week, is about to take you by the hand for a few minutes, and when you're done reading his piece, you'll know what it's all about.

Yes, that's right: YOU WILL KNOW.

And not just the usual parts about "here's what's wrong with the current picture" and "why you need to be concerned," but you'll also get a direct dose of "what you need to do to fix this."

I have to give you a few choice snippets to whet your whistle before I invite you to jump to the full article on Infosec Island:
If you operate a control system network today the security of your ICS is almost definitely in a Rumsfeldian "Known Unknown" state: you know that you do not know if your ICS is under attack right now.
and ...
The solution to industrial cyber security is to do your best to build a reliable cyber system - just as you do with the physical assets in the industrial process - then monitor it like a convicted criminal in solitary confinement.
OK, you got the general idea? Good, then you're ready to proceed by clicking HERE.

BTW, Chris is now serving as VP of Industrial Control Systems at the somewhat frightening sounding AlienVault, and earlier in his career was founder of the well respected ICS security firm Lofty Perch.

Wednesday, July 6, 2011

NERC set to Exercise Grid Cyber Security

We all know exercise is good for us, but not all of us regularly act on that knowledge. Well, NERC has seen our flab and is recommending we hit the gym.

NERC is sponsoring GridEx 2011, a cybersecurity exercise dedicated to incident response in the electricity sector in North America. The event will be held in mid-November 2011, and hundreds of utility companies are participating in various capacities.

You can see the press release HERE and if you work for a North American utility that's not involved yet, you can write NERC's Brian Harrell and he'll get you up to speed fast.

But remember this before you go getting all giddy: no pain - no gain.

Photo credit: Lululemon Athletic on

Tuesday, July 5, 2011

NBISE is Building a Better Smart Grid Security Professional

And the good news is, you can help. Click HERE to read a little more about this project, brainchild of erstwhile NERC CSO and overall grid security wunderkind Mike Assante.

If you're like me, you know how hard it is to find experts with solid grounding in IT security, control systems security and electric utility culture. There are, like, a dozen of them in the wild. And well, they're all a bit too busy to help with your problems. So Mike and his National Bureau of Information Security Examiners (NBISErs) colleagues have decided to grow them.

The SGSB has mentioned NBISE before (like HERE for instance). But now with a new website and a more mature plan, it's time the larger community gave them a real look. Another interesting new development you might want to start with is their ADAPTS program. Want it spelled out for you? That's Advanced Defender Aptitude and Performance Testing and Simulation. Good organization; great acronym.