Thursday, August 25, 2011

Conference Alert: 2011 ICS Security

It's that time of year again. Time to get up to speed on recent attacks on industrial control systems and update your knowledge re: potential solutions. In other words, it's the (11th annual) Joe Weiss show.

If you want to see what Joe's been thinking and doing since the 2010 version, you can track him here on his "Unfettered Blog".

Some folks of note who are going to be presenting this year include:
  • Mike Assante
  • Ralph Langner
  • Dillon Beresford
  • Gary McGraw
Now for the logistics:

Dates: 20-22 September 2011
Venue: Washington Hilton, Washington DC
Conf URL
Draft Agenda

Hope you or someone from your org can make it.

Friday, August 19, 2011

Silly Smart Grid Security Headline Winner

Here it is: "Survey: 77% of IT Security Professionals Concerned about Smart Grid Cyber Security"

Question: What's going on with the other 23%?

In my experience (and probably yours as well), "IT Security Professionals" are nothing if not concerned ... about almost everything. Maybe the relaxed 23% taking the survey didn't understand the question. Or maybe they didn't bring a #2 pencil.

Well, at least the writers didn't invoke the usual FUD hysterics:
  • Cyber Pearl Harbor
  • Armageddon
  • Apocalypse
  • Alarmed, Alarming, etc.
  • and of course ... Cyber 9/11
Compelling (not) full article HERE.

Wednesday, August 17, 2011

California Shows the Way with Customer Electricity Usage Data Security & Privacy Ruling

Show me another state (or country for that matter) that's doing this much. The California Public Utilities Commission (CPUC)'s proposed decision became a decided decision while I was away, so if you haven't had time to check it out yet, here's a good short summary from IDC's Usman Sindhu.

In play are:
  • HAN networks (for real)
  • Real-time pricing signals for consumers
  • 3rd party access to usage data with customer consent
  • New security and privacy rules for the big 3 CA IOU utilities with CPUC oversight
But if you insist on reading the entire ruling, then by all means, click HERE for it. I won't try to stop you.

Monday, August 15, 2011

International Smart Grid Security - East meets West and West meets East

My job just keeps getting better and better. A few weeks ago, just prior to the backpacking vacation from which I recently returned, I had the great honor of meeting a sharp senior security analyst and energy sector researcher from South Korea.

Along with a stellar IBM colleague who not only possesses substantial cyber security and pen testing chops, but also knows how to say hello and more in Korean, we reviewed approaches and exchanged ideas on how to best protect important grid and Smart Grid equipment and data.

It seemed like we accomplished some important, if early, work together, and had a few good laughs along the way. And then our friend was off to Black Hat. Depending on which sessions he attended, there were certainly several good grid security-related lessons to take back across the Pacific (as posted previously HERE).

I don't know if Dunkin Donuts coffee is powering Korea yet, but as shown above, it certainly fueled our conversation towards the end of our great afternoon together in Boston.

Thursday, August 11, 2011

The Value of Black Hat for Smart Grid Security

When it comes to spotting flies in the energy sector security ointment, perhaps regulators are too polite to utilities, and utilities too polite to their suppliers. No such problem with the security hackers who jump up on Black Hat's global soap box every year and show the world what they've found.

The conference wrapped up last week, and I've got two completely different types of findings for you. One has to do with huge vulnerabilities in the systems related to home networks at the edge of the Smart Grid. The other is targeted at the heart of the legacy grid itself: SCADA systems and the programmable logic controllers (PLCs) that run important transmission and distribution equipment.

  • Click HERE for the home network piece
  • And HERE for the grid equipment vulnerability demo

Two years ago it was Smart Meter vendors who found themselves embarrassed, in the cross hairs of security pros who showed how easy it was to exploit weaknesses in their products. Now attention has shifted to other grid elements. And the beatings continue!

Suppliers thinking they'll save money by moving slowly on improving the security characteristics of their products are playing with fire. The lesson of Black Hat is that they'll be found out. It may not be by NERC. And their utility customers may be focusing on other pressing challenges. But man, sooner or later, the Black Hat crew will be on your case, and when they are it'll take more than tons of money to get your troubles behind you.

For this, we should be grateful. Keep it up guys!

Wednesday, August 10, 2011

Smart Grid Security Blogger: Unplugged, Rebooted and Recharged

If the post from a few weeks ago called Generating Leaders was about why we send kids to camp (and how society benefits), then this one is about why I/we send ourselves away sometimes. I don't want to waste your time with extraneous personal details, but will share a few takeaways re: the purpose and benefits of taking these periodic time outs.

And in my case at least, as with the traditional summer camp experience in the US, my best time away involves deep, cell-phone-free immersion in nature with a few close friends, and pushing myself physically in ways I can't during everyday life.

In the aforementioned post on kids and camp, I called out the following ingredients:
  • A change of scenery
  • New experiences & new skills development
  • Connections with the past
  • Dis-connection with the techno present
  • Time alone and time together
  • Encountering and connecting with other kids from other cultures
  • Big fun
Not all these line up perfectly with my recent experience (unless you count what happens when Bostonians meet Texans as a cross-cultural encounter). But even for a near grown-up like myself, the similarities are many.

First of all, in the chaos of what constitutes a normal day and night as a full time IBMer + blogger + parent, I'm not sure the static and cross-talk going on in my grey matter could really be called thinking. It's certainly not deep thinking in any sense. But several things happen on these hikes that seem to help. The first is sleeping and waking in near total silence. Related, but on the visual front, is the complete lack of illuminated screens in the mountains. There's nothing to catch your gaze outside scenes of the most natural beauty, lit by only ambient light (see: Sun, Moon, Stars). Lastly, there's pushing my body hard enough that things start to quiet down between my ears, which creates a space for really thinking.

For construction workers, miners, linemen, and anyone else who does hard physical work for a living, trips like these may be redundant. Though likely not in the most serene surroundings, they already do hard work with their bodies day-to-day and that brings a certain stillness. But for sedentary folks like me and probably you (aka knowledge workers), tuning in to the world from a chair surrounded by LCD monitors and more than 1 phone makes concentration a scarce and precious commodity. Disconnected on remote trails, humping heavy backpacks up switchbacks and over passes above 12,000 feet, the mind quiets down and then turns on in a different and better way. Back at home in Boston now, I can still feel the difference.

There are other ways to achieve a similar effect, of course. And some are much simpler, logistically speaking. But for me, at least once a year, nothing beats a trip to the mountains. It's been Colorado lately, but I can hear the Alps calling.

So, since you made it this far, here's an aerial shot of the Four Pass Loop ... we did the 30+ miles in about 3 days. Some go slower, some go faster:

[Image: Four Pass Loop, aerial view]

Here's a picture taken last week after crossing and coming down from the fourth pass in the Snowmass/Maroon Bells region:

And speaking of Snowmass (Old Snowmass, that is), look who my son Dylan and my friend Chris and I ran into the day after we re-entered civilization:

If you know energy efficiency and renewable energy, then you know that's Amory Lovins, founder of the Rocky Mountain Institute (RMI). We had the great fortune of spending time with him at his private residence and energy efficiency test bed, which you can read more about HERE.

All in all, a smashing success on many levels. I'm going to use the clarity I gained in my day job and on the blogs for as long as I can keep it. And as to the last item on the camper list ... you bet it was fun.

Monday, August 8, 2011

Town Hall Announcement: Measurable Security in the Electric Sector

We've trumpeted alerts for previous editions of this town hall series before, and here's another one on a topic that's near and dear to my heart.

Here's the deets:
  • Date: August 17, 2011
  • Time: 8 am - 12 pm PT
  • Host: Puget Sound Energy (PSE)
  • Town: Bellevue, Washington
  • Address: 320 108th Avenue NE, Bellevue, WA 98004
  • Fee: Free
  • More info and to register:
Hope you can make it.