Monday, October 31, 2011

Conference Alert: Wise up at GridWise Global Forum

This is a big one, and though it's not security focused, security topics will certainly be in the air, and yours truly will be on a privacy panel on Wednesday.

From what I heard of last year's event, this is one of the most high powered Smart Grid conferences on the planet. Note the presence of some senior and very senior international leadership from government and multiple industrial sectors (not just energy).

  • What: GridWise Global Forum
  • Where: Washington DC, Ronald Reagan Federal Building
  • When: 8-10 November 2011
For more info on speakers, agenda and to register, click HERE

Conference Alert: European Smart Grid Security & Privacy

Lately, my work has included significant amounts of privacy, data security and information governance, so that makes this conference coming up in two weeks, with its mix of security and privacy, seem particularly helpful and timely. 

In the energy sector, privacy has been primarily associated with Europe and Canada in the past, but now that the California PUC has ruled on customer usage data privacy, we're expecting to see it come to the fore in the US as well.

Here are the details if you want to check it out:
  • What: European Smart Grid Security and Privacy
  • When: Nov 14 and 15
  • Where: Amsterdam
For more info on the conference and to register, click HERE
For more info on the venue, click HERE

BTW - if you have a chance to walk around Amsterdam and crave food that's fast, good for you, inexpensive and extremely fresh and tasty, I found Wok to Walk my last time there and loved it.

Photo credit: Leo-seta on

Tuesday, October 25, 2011

DOE doing Little to Demonstrate or Inspire Cyber Security Confidence in the Sector it Regulates

I don't want to sound harsh or ungenerous, but the timing of this audit report, paired with its sad contents, is not great.

Long story short: known vulnerabilities in DOE systems are up; successful attacks endured by DOE systems are up, and DOE spokespersons are trying to cover it up / play it down:
We are concerned that a casual reader of this report might not fully understand that the findings, while important, do not represent demonstrated risks.
This from the agency's associate administrator for management and budget, in a letter to the DOE Inspector General.

As I said in a recent post, I'm now beating the bushes in search of energy sector exemplar organizations and am starting to find some ... two large Investor Owned Utilities (IOUs) so far. Would like to find similarly forward leaning examples of other types, including munis, co-ops and Federal.

IMHO DOE should be the model Federal organization when it comes to implementing and managing cyber security policy and controls and leading by example. That it's apparently another basement dweller, according to multiple recent audit results, only invites more scrutiny and more attacks.

Would love to see an energetic turnaround expert / change agent get in there, work on the culture and get them far better results next time. Sure you would too.

Here's the article in Reuters.

Monday, October 24, 2011

McAfee signals "All Clear" following its Duqu Alarm

Was able to attend most of the webinar today, where Peter Szor, senior director of research at McAfee Labs, laid out his and his company's latest thinking on the Stuxnet variant to a largely electric sector audience.

Here are the essentials, according to Szor:
  • There's been no control system involvement
  • Duqu is not targeting energy or utility assets
  • Attacks have been observed in the UK, US and Iran
  • Also maybe in Austria, Hungary and Indonesia
  • The command and control server is/was based somewhere in India
That's it. I hadn't posted on Duqu yet because I was trying to gauge its potential impact on our industry before making an alarming sound myself.

So far it looks like you can go back to security business as usual, which means you're paranoid, anxious and jumpy, and that a note like this telling you Duqu is harmless only makes you more certain that it's anything but.

Such is life in this happy profession.

Welcoming Weatherford to his new DHS Cyber Security Post

I've got a note here this morning from National Bureau of Information Security Examiners (NBISE) founder and former NERC CSO Michael Assante. Perhaps there's no one who understands the challenges Weatherford faced at FERC more than Mike. As a frequent advisor to FERC and Congress on critical national infrastructure security issues, few are better placed to know the obstacles and opportunities that await the new DHS Cybersecurity leader:
I would like to extend my congratulations to Mark Weatherford on his appointment as the new Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) and am very pleased to see such a capable and experienced leader take the helm. 
Mark has always carried a deep sense of mission into his assignments and in doing so has been able to motivate people, build teams, and mobilize entire communities. His background makes him an ideal choice for the Deputy Under Secretary position as he has experience working across large government enterprises and his most recent post, as the NERC CSO, has prepared him to appreciate the unique challenges involved with cybersecurity and industrial control systems.
At NERC, Mark helped broaden our thinking about cybersecurity and our digitally reliant infrastructures. His vision has pushed organizations to look beyond compliance to develop a comprehensive approach by including system engineering, planning, operations, risk management and security into efforts to secure our infrastructures. Mark’s leadership will help ensure national efforts align with front line reality as our nation continues to modernize our grid to increase productivity and efficiency.
We should look for opportunities to support Mark and the department in the months ahead to achieve greater cyber-resilience in our nation’s critical infrastructure.
Hear hear. Mark Weatherford has now seen how the cyber security policy sausage is made at the state level twice and Federal level once, in a large company, and in the DoD for the US Navy at the beginning of his career.

Sausage making is never pretty. But if you know how it's done, how it can go wrong and what ingredients are required to produce the best stuff, you can do a lot of good. Let's wish him well, and, seconding Mike's call to assist, pitch in wherever and whenever we can. Even with a strong leader, this type of sausage making is, after all, a team sport.


Tuesday, October 18, 2011

Do it for Mom: Knocking out Smart Grid Vulnerabilities Early this Holiday Season

Unless you're in Texas where until recently roofs were melting and tires exploding, you've noticed the new autumnal smells in the air, right? So right about now who wouldn't want Smart Grid security, motherhood and/or apple pie? That's what this new Oak Ridge National Labs (ORNL) project promises:
Rather than wait for signs of a security problem to crop up in smart-grid technologies, wouldn’t it be better to automatically analyze software and hardware to uncover vulnerabilities, whether accidental or malicious?
I think this must be a trick question; the answer seems so obvious:

Add one part DOE lab, another part respected energy sector security service provider Enernex, and a generous dollop of AMI vendor Sensus, and it appears you've got a formula for something that's been missing in Smart Grid supply chain security ... until now.

Let's see how this goes.

Click HERE to read more on this.

Photo credit: cotaroba at

Tuesday, October 11, 2011

Electric sector security evolution: forward leaning exemplars vs compliance-focused knuckle draggers

This is the last of my posts from last week's Smart Grid Security Summit West, held in an unusually damp San Diego.

OK, knuckle draggers may be a little harsh. I apologize. But there may be a whole new approach emerging to meeting security, privacy and compliance demands in the electric sector, and, depending on where you work when you read this, it's one I think you'll like a lot.

The outlines of a new approach appeared during the security metrics panel on day 1 and continued to resonate till the end of the conference on day 2, and basically it came across like this:

While the vast majority of utilities today seek to achieve an acceptable level of security and risk reduction via compliance with version 3 of the NERC CIPS, and preparation for what looks likely to come from NERC in subsequent versions, a couple of utilities, supported by their CEOs and/or empowered by recent crises, intend to set and implement higher-level security baselines for themselves.

I won't say who they are; it's probably best if you hear that directly from them or infer it yourself. But if these 2 can get the process started, and perhaps coax another 1 or 2 to join them, then they may be able to carve a wide path that many of the precedent-following rest can follow.

Imagine an industry where mere compliance with the lowest government enforced controls is no longer considered a best, or even a good business practice. Wait, this is starting to turn into a John Lennon song. Probably a good idea to stop here, but stay tuned for more on this.

Monday, October 10, 2011

Recipe for better teaming on outages

Three parts to this exciting new recipe. Mix together:
  1. A large electric utility
  2. A DOD service (or other large consumers)
  3. A social network service

In this case, a major power outage became an opportunity for teaming, and here the local Navy base gets kudos for lowering demand, something that helped San Diego Gas & Electric restore power to all its customers in very short order.

Twitter facilitated comms in the early phases of the outage, and here, it enabled a high profile attaboy from the utility before an audience of over 18,000 (SDG&E Twitter followers). Hard not to like this.

Thursday, October 6, 2011

Electric Utility Silo Busting Strategies Emerge from Smart Grid Security Summit West

One theme kept surfacing across panels at the conference this year. It was that as Smart Grid projects increasingly lead utilities' cybersecurity professionals, most often reared in the IT world, to wade into non-IT business divisions, there are better and worse ways of making connections across organizational silos or stovepipes.

In one case, a senior security professional cited the responsiveness he gets from being a direct report to the COO. Some said top-down power can spur instant movement, though it's likely not helpful for creating and maintaining sustainable good will over time.

Another, less senior guy said that at first he used to try to impress folks in operational organizations with his technical and security credentials up front. And man, did that approach bomb.

He reported quickly learning that a more humble approach was far more effective. These days, this same guy simply begins with something like, "Hi, I'm John from IT, and I'd like to learn more about your business" and gets better cooperation every time.

Remember the embedded journalists in Iraq? They lived/slept/ate/worried/celebrated and sometimes were wounded or killed alongside the soldiers they were closest to. I think a large utility looking to infuse more security awareness and capability into its different business units might employ something like this approach.

I suggest that trust is the industrial-strength, organizational-stovepipe-dissolving solvent of first choice, and that other forms of soft power will go much further in bridging the cultural divides that must be crossed to foster a more security conscious climate, enterprise-wide. OK, I'll leave it at that for now.

Image credit: CStreet360 on

Tuesday, October 4, 2011

Asset Owners Speak Out/Up at Smart Grid Security Summit West

What a great start. Five guys charged with improving the security posture of their large utilities all on stage, and fielding questions from conference organizer Mike Amadhi and an audience full of security minded folks from all walks of life.

In no particular order, here are a few notes I took organized by speaker:

Jeff Gooding - Southern California Edison
  • Very interested in standards
  • Vendor certification would be desirable, though preferably nothing as heavy as the Common Criteria
  • Finds it takes approx 2 years for an IT security generalist to get up to speed and be competent in the operational technology (OT) arena
Ward Pyles - Southern Company
  • (Partly tongue in cheek, partly not) said Southern Co. doesn't talk security anymore. Rather, it's all about reliability ... doing what's required to keep systems operational and available.
  • To do this, he/they use a different, more business oriented vocabulary
  • Also, working with vendors towards certification
James Sample - Pacific Gas & Electric
  • Security is much more a people than a technology issue
  • Would like to see more standards baked into products at time of manufacture
  • Like Ward, increasingly uses reliability versus pure security in conversations across the business lines
  • Spends significant amount of time pushing vendors to deliver secure solutions
  • Wishes he could spend less time on vendors (above) and more time working with his people
Christopher Peters - Entergy
  • Security pros must be good communicators and tailor language to fit their audiences
  • Bridging silos is one of his main jobs
  • Having a CXO as a boss is very helpful in accomplishing the above
Stephen Mikovits - San Diego Gas & Electric
  • Very thankful for CPUC's order that CA IOUs generate 10-year forward looking Smart Grid deployment plans, including a major emphasis on security
  • This really helped SDG&E as well as the other utilities by giving them a platform to communicate security requirements and recommended actions
So there you have it. Several themes emerge: security as reliability, language and communications, silo busting, supplier security and certification, importance of security standards. Seems like most in the audience felt like these were the right notes. I sure did.

BTW - I was working pretty fast. If you spot any typos or inaccuracies here, please let me know and I'll update the post asap.

Covering the 3rd Smart Grid Security Summit

Have iPad with Twitter app loaded: will travel. When I'm not tripping over words as a moderator or panelist over the next two days, I'll try to give you a feel for who's saying what here in San Diego.

I came in late today and caught the tail end of the privacy workshop. Then onto a social gathering sponsored by the Canadian Consulate in a so-called Tiki room (see reference image above - conference attendees, you decide), where we got a little more privacy, courtesy of the Ontario Information and Privacy Commission. Other workshops today covered advanced AMI security and security testing.

All good stuff, and ready to dig into security topics tomorrow. For Twitter followers, will use #smartgrid #security and #sgssummit. And once again, here's the conference site.
