Saturday, December 22, 2012

Smart Grid Security Seasons Greetings


Shutting down the SGSB this week for Christmas and some Winter-oriented R&R. As you look back on 2012 hope you can see some real progress. I sure can, and am looking forward to doing much more in the year ahead.

Good health and happiness to you and your family and friends, dear reader.

Monday, December 17, 2012

EEI on Electric Sector Cybersecurity, late 2012

David Batz (rhymes with yachts, not cats) is in a good position to know what he's talking about when he says:
Utilities are taking actions to mitigate and manage cybersecurity threats.
As Cybersecurity Director for the Edison Electric Institute (EEI), a DC-based industry advocacy firm that represents the interests of the vast majority of investor owned utilities in the US, Batz is emminently credible as he spends just about every waking hour working with utilities, various Federal and state regulators, and the companies that serve the sector.

At a recent conference in Arlington, VA Batz shared some observations on the state of electric sector cybersecurity preparedness that I liked.  Here's one:
In today’s world, cyber attacks and cyber hacking have become monetized and different ventures are using cyber attacks as a ways to generate income .... This poses a problem for law-abiding citizenry and creates a problem for the electric sector.

Thursday, December 13, 2012

Smart Grid Security 2012 Highlights and 2013 Look Forward


As a chronic complainer re: the lack of grid security metrics (see post from nearly 2 years ago: "Smart Grid Security Truth: You Can't Do What You Don't Measure"), this has been the most amazing and surprising year for me.

By far the most important development this year was that it began with only a few specific guidance documents from NIST and NRECA) and is now ending with a comparative landslide of guidance, including some directly aimed at helping utilities assess their current security posture and plot future courses for improvement.

I documented most of these in an October post but for those who missed, forgot or avoided it, here are the new ones for North America published in 2012:

Friday, December 7, 2012

So Much New SCADA Goodness ... So Few Words on Security


Hat tip to EnergySec's Patrick Miller for finding and tweeting this article so I could find it. Please note before you read this post that it's not intended to be critical of the article it cites. I think it's great and if I didn't have to think about security it would feel like pure, unadulterated progress to me.

The article, "Web-based SCADA Gathers More Fans" which appeared recently in Automation World, describes many excellent new capabilities that are arriving in the SCADA world, many of which are related to new higher bandwidth communications between substations and other remote assets, often based on web technologies. As Honeywell engineer Gerry Browne says:
A few years ago, field equipment would have only a serial port. Today, the same equipment might have its own Web server and methods that expose all its operating parameters. Remote data is now available immediately, allowing users to make better decisions.

Wednesday, December 5, 2012

So Far, it Seems WAMPAC Systems are Insecure by (Lack of) Design


Thanks to colleague Jeff K for pointer to recent NESCOR reports.

First things first: in IBM and elsewhere the phrase "secure by design" is used to describe a project or a system where security requirements are considered at the earliest stages, right along with all the functional requirements.

Now for new initiates, WAMPAC = Wide Area Monitoring, Protection and Control, and the term refers to a group of new technologies and capabilities that will put the Smart in Smart Grid much more than the more attention grabbing Smart Meter.


Monday, November 26, 2012

Thoughts on the Explosive MI6 OT Breach in Skyfall


Have you seen the new 007 movie yet, the third of the series that features Daniel Craig as Bond? Called Skyfall, one of its key plot drivers occurs when the evil mastermind blows up part of British spy headquarters, MI6, in London, with a handful of deft key strokes. By the way, OT in the title of this post = Operational Technology, as differentiated from business information technology or IT.

Stuxnet this is not, but it is clearly depicted as a cyber attack on physical assets, and others who have weighed in on the plausibility/authenticity of this depiction (see HERE and HERE) cannot help but point to Stuxnet as the real world proof of concept.

To free up more time for mayhem, Javier Bardem's well played psychopath might have started with Shodan, the online search engine that helps both good guys and charismatic bad guys quickly locate internet-connected control systems.

Monday, November 19, 2012

Is the Smart Grid a Homeland Security Problem?

Last week I had the privilege of being on a IEEE/Department of Homeland Security (DHS) panel discussing the topic: Smart Grid: A Homeland Security Problem or Not? Talk about a title that begs the question.

My sharp co-panelists hailed from DHS, the Utilities Telecom Council (UTC), MIT, the University of Vermont and MITRE, and we were masterfully moderated by Emily Frye, also of MITRE.

Anyway, all I want to say here is that we got a great question from an audience member (and it was a very interactive audience!) that we were hard pressed to answer. It went basically like this:
If each utility was somehow given an infusion of $1 million (Dr. Evil's preferred amount) what would be the best, most security impacting way for them to spend it?

Friday, November 16, 2012

Great Video: Latest Utility CEO on Cybersecurity


Another CEO joins the emerging chorus of senior energy sector executives not just tuned in to the strategic nature of cybersecurity and privacy challenges in the Smart Grid era, but willing to speak out about it. Also hits some good notes re: supply chain issues as well.

Thanks to Jessie Knight, Chairman and CEO of San Diego Gas & Electric (SDG&E). And hat tip to IBM colleague Tracy A and SmartGridNews.com for sending me this.

Wednesday, November 14, 2012

The Evolving Role of State Regulation in Grid Cybersecurity


Led by Elizaveta Malashenko, the grid cybersecurity team at California's Public Utility Commission, makes a good case for increased PUC involvement in cybersecurity matters, particularly those affecting distribution elements:
State regulators have not traditionally played a large role in cybersecurity. However, this is beginning to change with the recognition that Federal compliance-based models may not be sufficient to ensure grid resiliency, reliability and safety, as well as customer data privacy. With grid modernization on the way, there is an important role that State regulators need to step into, as much of this new infrastructure will be located on the distribution grid, which is currently outside of NERC authority. There is also a possibility that the Federal government could preemptively move to regulate in this area if there is no action at the State level.
You can (and should) read this grid planning and reliability policy paper here: Cybersecurity and the Evolving Role of State Regulation: How it Impacts the California Public Utilities Commission.

Tuesday, November 6, 2012

Conference Alert: Smart Grid & Control Systems Security for Europe


Sometimes I don't give enough lead time, here's a case where maybe I'm giving you too much lead time. Anyway, you know how time flies when you're having fun, so 5 short months from now, you might want to be here:

  • What: 3rd European Smart Grid and SCADA Security Forum
  • Where: The Copthorne Tara Hotel, London
  • When: 11-12 March 2013
  • Web: For more info and to register, click HERE

Thursday, November 1, 2012

Joe Weiss' 2012 ICS Security Conference Highlights

The twelfth ICS Security has come and gone, and it sounds from the tone of Joe's write-up that whatever progress there's been to date in awareness and/or improved capabilities has been frustratingly slow and incremental.

After twelve years, I guess we can call that a trend.  Nevertheless, the best parts often seem to involve drama related to actual events in the field. Here are Joe's notes on two of them:

Nuclear
An international utility was prepared to share information dealing with a recent cyber security assessment of their nuclear plant control-systems performed by third parties. However, because of a threat by their vendor, they did not present. This decision also affected Ralph Langner's decision not to present. This international utility's assessment and analysis program is more comprehensive than existing US Nuclear Regulatory

Wednesday, October 31, 2012

Computer Security Giant Speaks Out on Current Sub-Optimal State of Affairs

Cybersecurity-oriented readers,

In case you didn't see it in the flurry of all the Sandy related news (or because you didn't have power for related reasons), wanted to make sure to acquaint you with one of the living legends in our field, Peter Neumann, who with DARPA's help, is still going strong.

In short, Dr. Neumann has been:
... a voice in the wilderness, tirelessly pointing out that the computer industry has a penchant for repeating the mistakes of the past. He has long been one of the nation’s leading specialists in computer security, and early on he predicted that the security flaws that have accompanied the pell-mell explosion of the computer and Internet industries would have disastrous consequences.
There's much more to say, but believe the NY Times' John Markoff will say it better than I would, so click HERE to go straight to the article.

Tuesday, October 30, 2012

For Energy and other Critical Infrastructure Companies, Supply Chain Security Trap Door Remains Wide Open

Another week, another awful revelation related to security weaknesses in widely (and I do mean WIDELY) installed control system products. Last week we THIS and that was revealed, now this week we pile on with an issue that impacts seems well nigh insolvable.

From Ars Technica:
"The CoDeSys software tool, which is used in industrial control systems sold by 261 different manufacturers, contains functionality that allows people to remotely issue powerful system commands," Reid Wightman, a researcher with security firm ioActive, told Ars .... "There is absolutely no authentication needed to perform this privileged command," Wightman said.  Of the two specific programmable logic controllers (PLCs) Wightman has tested, both allowed him to issue commands that halted the devices' process control. He estimated there are thousands of other models that also ship with CoDeSys installed, and he said most of them are probably vulnerable to the same types of attacks.
Perhaps we'll learn something in coming weeks that will reveal the scope isn't as big as it seems. But until then, I'll leave you with a comment from one of the Ars readers that get's to the heart of the supply chain security challenge:
If it sounds too stupid for words BUT it would make life easier for the developers or admin, then it's sure to have happened. 
Sad, but I'm afraid, true. HERE's the whole article for you.

Tuesday, October 23, 2012

Good ICS-CERT Guidance for You, Electric Utility Security Pro

Hat tip to Jeff M aka Mr. NISTIR. Surely you've seen reports in the press and, depending who you are, maybe through more official channels, that companies in every sector are under persistent cyber assault these days. The DHS and other US Federal agencies are working overtime (sometimes literally, sometimes figuratively) to keep up.

With our own sector in mind, DHS recently published ICS-CERT Technical Information Paper ICS-TIP-12-146-01A: Targeted Cyber Intrusion Detection and Mitigation Strategies. I think you'll find this material very helpful, no matter what level of technical depth you possess.

Friday, October 19, 2012

Supply Chain Security Awareness on Upswing for Energy and Comm Sectors

10/25/12 Update: Huawei just said it is ready to have all its source code tested for security. Would other vendors be so bold?

------------------

If you don't subscribe to the online version of the Wall Street Journal, you probably don't get its daily CIO feed, which provides a nice topical tapas-sized taste of what's on folk's minds every morning.

One of those folks is me, and I've been stirred up lately by all the press (The Economist, 60 Minutes, etc.) and Capitol Hill attention Chinese communications equipment maker Huawei has been getting. Personally, I haven't have any direct contact with Huawei or its products, but I have a gut-level response when a company gets pilloried solely on where it's headquartered or the nationality of the owner(s).

Wednesday, October 17, 2012

Electric Sector Security Metrics Mother Load

Not all are technical metrics, nor are they all technically, metrics.

But in the space of just a few months this summer, North American electric utility executives and their security leadership have seen a spate of new guidance documents published that intend to help them manage, monitor, and measure the effectiveness of their cyber risk mitigation strategies and controls.

Where once there was just the cross-sector ISO 27000 series to steer your security course by (or for Federal folks, FISMA), there are suddenly a near handful of freshly minted how-to manuals at their disposal:
DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012)
Metrics for utilities to use to baseline and gauge effectiveness
DOE’s Electricity Subsector Risk Management Process (May 2012)
Helpful translating cybersecurity into risk management framework 
NARUC's Cybersecurity for State Regulators (June 2012)
Questions utilities will be asked by their state public utility commissions
NIST’s NISTIR 7628 Assessment Guide (Aug 2012)
And if you live in or keep an eye on California, then there’s the metrics work and data privacy rules of the California Public Utilities Commission (CPUC) to consider. It’s working collaboratively with the three big investor owned utilities (IOUs) to bring Smart Grid metrics to fruition, and despite some initial skirmishing, seems resolute in adding security metrics to the mix.

So now maybe the guidance utilities need most is: with limited resources already maxed out on NERC CIP related activities, how to select and implement the best and most helpful pieces from the list above.

Ironic, is it not, to hear the SGSB describe a flood of security metrics in our industry?

Tuesday, October 9, 2012

Conference Alert: A Risk Management-Focused GridSec

Things have been changing over the course of half a dozen or so GridSec conferences the last 3 years:
  • Increasingly, a risk management vs. pure compliance approach to security is in evidence at utilities
  • Practical, business-oriented metrics and measurement mechanisms are being developed and used to increase visibility and understanding of current state and challenges, and to facilitate prioritization
  • Describing security requirements and incidents in language more accessible to management and more aligned with core utility values and business drivers, including safety and reliability
  • More attention to Operational-side issues
What attendees will experience at the upcoming summit will be an update on the evolution of grid security, privacy and compliance issues that reflects the evolution of the bullet-ed points of the above.

The details you need to get/be there:

  • When: 22-24 Oct 2012
  • Where: PG&E head office, 77 Beale Street, San Franciso, CA
  • Web page for more info and reg: HERE

Lots of great speakers are lined up and the hallway talk is always interesting too. Hope you can make it.

Tuesday, October 2, 2012

Electric Sector Vulnerability & Breach Round-Up


Thanks to Jeff St. John at Greentech Media for doing all the legwork required to put together this comprehensive yet readable account summarizing most/all of the recent activity.

As a non-alarmist, there are a few lines I'd write differently, I'd use a different image, and the term Smart Grid is used loosely, as a number of these events and vulnerabilities are not related in any way to Smart Grid technologies.

But overall, I like that all of these things are in one article. And I think Jeff does a good job, as a non-security expert, of capturing the scope of this problem set:
That makes securing today’s grid a matter of upgrading the ability of millions of endpoints like smart meters and grid controls, along with the chain of networking and software that binds them to the utility enterprise, to protect themselves from attack, as well as warn the system when that attack is occurring, which can trigger a series of security responses to detect, prevent or minimize it -- a so-called “defense in depth” approach.
So, have a look HERE, when you're ready to get stirred up by all the recent reports.

Oh, and don't forget, the White House just acknowledged a significant attack (thanks Al Jazeera and others) and big US Banks have been getting hammered by large denial of services attacks the past few weeks as well. More on those HERE.

Looks like we all  better be working harder and smarter going forward.

Photo credit: Boston.com

Monday, October 1, 2012

Utilities to Commerce Chairman Rockefeller: Let's Talk and Team on Cybersecurity

We've been watching the back and forth for several years now.  2010's GRID Act didn't make it across the legislative finish line, and a similar fate just befell the Cybersecurity Act of 2012.

In response to a recent letter (read THIS first if you can) from Senate Commerce Committee Chair Jay Rockefeller, the four most significant electric utility groups banded together to craft a response.  And what a great response it is!

Thursday, September 27, 2012

Attacks on Energy Equipment Vendor like Attacks on Defense Contractor


In 2009 reports emerged that attackers had breached defense contractor systems and stolen data related to the F-35 Joint Strike Fighter. Not knowing what was seen and what was stolen, it means we may always have some uncertainty about how much adversaries know about this plane's combat capabilities and other secrets.

In 2011 we got news that the same contractor was attacked again, albeit this time, perhaps, with less success.

Now comes a network breach of a major critical infrastructure telemetry and control systems manufacturer and it sounds like they may have lost some of the design specs and software at the heart of one of their most important and widely deployed systems.

Wednesday, September 26, 2012

Workshop alert: NIST's Information and Communication Technology Supply Chain Risk Management Workshop

Hat tip to my friend and colleague Alfred at IBM Deutschland.

What: (Let the acronym party begin!) the National Institute of Standards and Technology (NIST) is hosting a two-day workshop to engage multiple stakeholders to help establish a foundation for NIST’s future work on ICT SCRM

When: October 15 and 16, 2012

Where: NIST's Gaithersburg, Maryland HQ
More: An agenda will be posted soon. In addition to keynote addresses and panel sessions, the majority of the workshop will consist of four interactive breakout sessions focused on:
  • the fundamental underpinnings of ICT supply chain risk management
  • current and needed practices and related standards
  • current and needed tools, technology and techniques, and
  • current and needed research and resources
Click HERE for (much) more info, and if you need a more personal form of assistance, please contact Jon Boyens at boyens@nist.gov or +1 240-477-3449

Thursday, September 20, 2012

China's (Apparently) Looming Grid Security Spending Spree

China Electric Power Research Institute (CEPRI) test center 
There are a few lines in the press release to which Jesse Berst links that give me agita (about the quality of the report he references), but it is worth pondering how much money China is spending to protect government orgs, businesses and citizens from cyber threats to its mostly brand new grid architecture.

$50 billion vs. $16 billion for North America and Europe combined, says research firm GlobalData.

Jesse calls China "nervous," but depending on where you stand, others might call them prudent. Of course we at the SGSB see things a little differently. I'm more interested in what people (in China and elsewhere) think are the most effective things to spend cybersecurity money on vs. just looking at the total amounts budgeted or spent.

Wonder if the Chinese will have better luck with cybersecurity metrics, measurement and information sharing than their North American and European counterparts have so far?

Here's the LINK to SmartGridNews.com.

Photo credit: Perspektive Mittelstand

Tuesday, September 18, 2012

The Quest to Better Understand the NERC CIP Bright Lines

Tom Aldrich and Rick Kaun have written some of the best material we've seen on the topic of the evolution of the CIPs, and Tom has new piece clarifying the lack of clarity of the Bright Lines language.

This is something of interest to all utilities currently busy achieving and demonstrating compliance with version 3, and grappling with what they should do to best prepare for versions 4 and/or 5 coming at them sooner than they would probably like.

Here's Rick's intro followed by a link to Tom's article. Note: you may not like what Tom has to say, but it's better to get this news now than to go ostrich ....

Wednesday, September 12, 2012

Conference Alert: For Operational Technology (OT) Security, Accept No Substitute: Joe Weiss' is Only Game in Town

Sep 13 update:

Where would I be without reader feedback? If your interest in (or requirements for) securing operational systems are more urgent, and/or if you live in Idaho, then please waste no time in turning your attention here:

Asset owners and operators have a number of classes and courses available to them from DHS. Not the least of these is the one week: a hands on workshop held at Idaho National Labs. For more info, click HERE NOW.

---------------------

As previously announced, while there are other electric sector conferences going on the same week, if SCADA and control system security is your primary focus, then this is the one for you.

Here's where you'll want to be and some of the details you need to make it happen:
  • Name: 12th ICS Cyber Security Conference
  • Location (general): 200 miles south of DC
  • Location (specific): VMASC Main Building, 1030 University Boulevard, Suffolk, VA 23435
  • Dates: 22-25 Oct 2012
  • Link for more info and registration: http://www.icscybersecurityconference.com/
In the meantime, while Joe's formula for OT Security success is not easy to replicate, you can see how you and your organization might make some adjustments to get there, HERE.


Tuesday, September 4, 2012

Evaluating Electric Sector Cybersecurity Measure for Measure


(Allowing for gross, bordering on reckless, misappropriation) as Shakespeare once said, if you don't take time to measure, you might end up making some big mistakes, like marrying the wrong person, or verily, killing the wrong enemy, and worse.

If you must, see previous SGSB posts on Measurement and Metrics HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE ... you starting to get the picture?

Now introducing: four significant tools in four months designed to help utilities and those who help them develop a better understanding of their cybersecurity posture and preparedness:
  1. NIST’s NISTIR 7628 Assessment Guide (Aug 2012) - Utilities and their partners can now begin to gauge alignment with this uber-guide to Smart Grid security & privacy. Bonus: Plus, if you order now, you'll also get: Companion Spreadsheet tool!
  2. DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012) - Metrics for utilities to use to baseline and gauge effectiveness of their cybersecurity program and controls
  3. NARUC's Cybersecurity for State Regulators (June 2012) - Questions utilities will be asked by their state public utility commissions, who will be all the smarter for having read this doc
  4. DOE’s Electricity Subsector Risk Management Process (May 2012)  - Helps translate cybersecurity into risk management framework  

Friday, August 31, 2012

Conference(s) Alert: EnergySec and GridSec coming up

These are the two longest running energy + cybersecurity conference tracks in North America and both have  summits coming up this Fall:

http://www.energysec.org/summit
Sep 25-18, 2012
Portland, OR

http://www.gridsec.com/2012/summit/
Oct 22-24, 2012
San Francisco, CA

Click through and you'll see that both agendas are forming and speaker rosters are still being firmed up, but utility participation is on the rise and these are the real deal.

Also there's much more focus now on the security of operational systems, not just IT/Business.

Recommend you attend one of these, and if you can't, then at least pay attention to the articles, blogs and videos that come out of them ... some, hopefully, right here.

Tuesday, August 28, 2012

ENISA Again: 3rd Time's the Charm re European Grid and Smart Grid Security Policy

8/29 Update:

You still have a few days to register and get your plane or train tickets to Amsterdam. In one fell swoop, the existence of this 10/15 workshop, in itself, fully refutes charges of lack of US-European cooperation, as well as claims that control system security is ignored. Go HERE to learn more and register.

---------------------------------------

While of monologues many great political speech or play are constructed, it's through dialogue we reach understanding and consensus. Wait, who said that?

This blog first posted on the European Network and Information Security Agency (ENISA) and its recent recommendations for EU energy sector security earlier this month.


Friday, August 24, 2012

Weekend Wind Watch

Click on image for ridiculously large version

No, this isn't about Tropical Storm Isaac and next week's Republican convention, nor a reference to one of the funniest (or grossest) movie scenes of all time: the bean feast round the campfire in Blazing Saddles.

Rather, it's a great big photo my friend Chris took coming back through Texas while dropping one of his kids at college in Arizona.

Looks like one of those "postcards from the future" features at the back of science magazines many years ago.

Hope the grid is getting smart enough to handle all this wind ... cause these big babies appear to stretch out as far as the eye can see!

Wednesday, August 22, 2012

Smart Grid Security Blog Late Summer 2012 Navel Gazing


8/24 update: Realized the list of top 20 countries doesn't begin to convey the amount of international interest in Smart Grid Security, at least from what I can tell through visitor logs. In the last year there have been multiple visits each from over 100 countries ... what you you think of that?

------------------

First, let me welcome to new SGSB subscriber HH, who pushes the number of folks who now read this blog primarily through an email feed well over 1,100. Thought I'd give readers, new and long suffering, who arrive via email, Twitter, Google, LinkedIn or trails of breadcrumbs, a feel for this community via a sanitized picture of fellow readers.

So without further adieu or drama, here are a few stats for you:

Blog start date: April 2009
Number of published posts: 410
Twitter subscribers (@sgsblog): 770

Thursday, August 16, 2012

Keep an Eye on This: Saudi Aramco Cyber Attack

31 Aug 2012 update:

Now another one: Qatar-based RasGas seems to have been hit by the same type of attack as Saudi Aramco last week.  No operational impact, but IT systems likely took a pounding.  Link HERE

-------------------------------

16 Aug 2012 10:30 am ET update:

This just in - good news as it seems Saudi Aramco is reporting no operational impact.

------------------------------

Hat tip to my friend, north-of-the-border cyber guru Darth Thanos for his tweet on this. I don't usually post breaking news because that's not my job, and a fuller, more helpful picture usually emerges after a few days or weeks. But this one merits your early attention I believe.

The largest oil and gas company in the world has been attacked, has had its networks disrupted, and may have lost significant data too. Don't know about impact on operations, and don't wont to say more until we learn more.

Wednesday, August 15, 2012

Mid 2012 GAO Update on Grid Security ... and a Mea Culpa

Before teeing up the most recent GAO report on electric sector cybersecurity, I'd like to use this pixelated platform to speak back to a quote attributed to me last week that raised the hackles of some utility professionals (and it should have).

First, I'm neither a security-focused PR flack for the electricity industry, nor a gotcha journalist trying to capture eyeballs by vilifying utilities and scaring readers. Rather, I'm a member, supporter, advocate, and hopefully, sometimes, a constructive critic of the enterprise of keeping the grid safe and secure while updating it for the 21st century.

So here's the thing: a recent interviewer quoted me as saying senior management doesn't have a very good understanding of their security posture. While I'm sure I've said something like this a hundred different ways on the blog, it's never been intended as an insult or attack, but rather as observation of the current state of affairs at many but not all utilities. The way  this was captured and framed in the article, however, losing nuance and a few other qualifying words along the way, it definitely came off as a blunt attack ... and I'm not the only one who noticed. Sorry about that ... wasn't my intent.

However, support for this type of generic observation comes from things everyone in the industry already knows, and that the GAO lists on the highlights page of its July 2012 report. Here are the last 4 challenges, partially addressing utilities, partially the larger industry ecosystem:
  • A focus by utilities on regulatory compliance instead of comprehensive security
  • A lack of security features consistently built into smart grid systems
  • The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues
  • The electricity industry did not have metrics for evaluating cybersecurity (AB: of course I'll come back to this one before the post is over!)
All of these things make sense to folks who've either been in a utility or have worked with utilities and/or regulators for some time. There's a logical history to each of them that explains where they came from and why they remain challenges to be solved. 

And you'll note (and it angers some of the more concerned security pundits when I say this), that whatever US utilities have done so far has apparently been enough to keep cyber attackers from having major successes to date.

As this post is now getting too long and trying to do too many things, let's end with another invocation on the benefits of business-oriented metrics, this time courtesy of the GAO itself:
... Having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
The GAO, I think, comes from a similar position, in some ways anyway, as this blog. The cited report mentions not just shortcomings but positive actions taken so far. The GAO, the SGSB (this blog) and plenty of other groups and individuals simply want to see utilities and the industry be safe and successful while they modernize to meet the demands of our times. Neither are interested in criticism for criticism's sake, but only to suggest better possible methods. I'll leave it at that for now.

Saturday, August 11, 2012

Perhaps Better Fettered: 2nd Thoughts on ENISA's Cybersecurity Report from this Side of the Pond

Had a number of reader responses to this week's post on the European information security organization's proclamation of intent and recommendations for the electric sector and Smart Grid. 

My post welcomed the attention to the issue by the EU, but expressed, hopefully in a mainly professional way, that this feels, to invoke a common American idiom, a day late and a dollar short.

Here are two additional observations I got:
1. One US respondent says "It contains no call for cooperation with US-CERT, FERC or equivalent body on problems that are clearly of interest to both sides. Compare with various DHS initiatives (such as DHS ICSJWG) which have included foreign participants."
Concur. References to SANS, NIST and DHS in the bibliography notwithstanding, it does appear that explicit calls for trans Atlantic, interagency cooperation are missing, and that this should be rectified in a next version.
2. Another true blue American notes "ENISA reports do not adequately address control systems."
While the bibliography is littered with entries for SCADA and Control Systems-related texts, it doesn't seem like much of that research made it into the final document. Still, while most of the 10 recommendations involve getting ready to get ready to do something, and control system security seems to be largely glossed over, there is, in requirement 6, language that might point to operational systems at some point:
Recommendation 6. Both the EC and the MS competent authorities should promote the development of security certification schemes for components, products and organisational security.
So I'll leave it at that for now. Would welcome an ENISA response. I always try to not be too hard on 1.0 documents because there's always the chance, if not the likelihood, that we'll see them improve in subsequent versions.

I know it doesn't want to be a fetterer, but my sense is that Europe will come to see the wisdom of getting a bit more explicit and comprehensive in these matters.  I know from experience that some of its utilities are looking for more guidance. OK? Back to the Olympics!

Wednesday, August 8, 2012

Unfettered: ENISA Announces European Smart Grid Security Intentions


Here's how the European Network and Information Security Agency put it a few weeks ago:
We are happy to inform you that ENISA has recently published a new study on smart grids’ security. This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing. This guidance is based on the results of a thorough analysis of the opinions of the experts who participated in the study.
Couldn't possibly be softer, gentler, or less threatening, I'd say. Sort of like what some of the North America utilities wish they had to deal with instead of the teethy and time consuming NERC CIPs. Certainly this ENISA stuff is much higher level, earlier stage guidance than the NISTIR 7628 which has now been available in some form for over 2 years.

But I note that we're hearing of no more significant cybersecurity breaches in the European electric sector than we are at utilities in the US. Maybe what some say, that expensive and time consuming compliance burdens and activities cut into the utilities' own cybersecurity efforts. The argument goes that if it weren't for the NERC CIPs, utilities might be able to better secure themselves.

At this point, it's hard to discern a difference in effectiveness between the European laissez faire approach to setting electric sector security rules and the more prescriptive North American one. Maybe the pluses and minuses of each roughly cancel out and for the moment, both are in reasonably good shape.

Although I bet that's a message you're not going to hear at the ICS CyberSecurity Conference coming up in October.

You can download the ENISA document HERE.

Europa Image credit: Wikipedia Commons

Wednesday, August 1, 2012

Michael Assante Holds Forth on Cybersecurity Leadership


You've seen him here before, but for those not familar, his quals, in reverse chronological order:
Great background, right? Though he lives in the Northwest, he's pretty visible in DC as a frequent testifier on national security issues related to cybersecurity and critical infrastructure.

Here's an excerpt from a just published Q&A session I was lucky enough to engage him in. When asked:

 "... What can the energy & utilities industry learn and leverage from these other critical infrastructure industries?" Mike responded:
It is more the norm than the exception to find executive-level cybersecurity leadership in banking and telecommunications today. Years ago, both industries realized that protecting their networks, systems and data from attackers was a strategic imperative. And some industries have even gone so far as to police themselves with their own security standards. Now it’s time for electric utilities and other energy companies to elevate cyber resilience in their business planning and investment decisions.
You bet it is.

The interview is not too long ... only 4 questions, but I highly recommend you view his well-informed responses to all of them, which you can see RIGHT HERE.

Image credit: NewsMilitary.com

Thursday, July 26, 2012

The State of the States and Smart Grid Security

Readers, working your way through this comprehensive yet non alarmist EPIC PIECE of Smart Grid security journalism will take some time, because author and former NH PUC commissioner Nancy Brockway has done her homework and then some.

And unlike some unschooled energy security bloggers I know, she knows all the business angles. To whit:
Utilities might argue that they need pre-approval and current recovery of cybersecurity costs. Utilities and their smart grid industry partners sometimes claim that without such cost recovery, a utility will lack the ability and resources to pursue cybersecurity with vigor, presumably because in and of themselves, cybersecurity investments don’t generate revenue. However, the industry has it backwards.
See what I mean? OK, here's the cybersecurity funding smackdown:
If a utility executive says the firm won’t vigorously pursue cybersecurity absent a tracker to recover its costs outside the normal ratemaking treatment, the utility is signalling that it might not have fully embraced the goal of such security. And a utility that tries to reassure the commission that such guaranteed revenues can be clawed back on a later finding of imprudence might be hoping the commissioners are naive about how prudence reviews work.
Hold on; one more volley and it's over:
There’s a huge difference between pre-approving and providing extra-rate-case recovery of utility investments in cybersecurity, and making it clear that the commission understands the need to change out obsolete equipment and technology, beef up staff, and make investments to protect the grid. But if a utility cares so little about cybersecurity that it won’t pursue the smart grid or the cybersecurity component of the smart grid absent guaranteed, dollar-for-dollar, few-questions-asked revenues awarded outside of normal cost recovery, this should be a red flag to the commission about letting that utility install the connectivity inherent in the smart grid.
About the only point Ms. Brockway seems to have missed re: State actions is the recent publication of a pretty decent and helpful guide by NARUC, which we posted on earlier and you can view HERE. Didn't seem like you could comment on the article, but I'll be very interested to hear what folks make of her positions on these matters, particularly the funding aspects.

Tuesday, July 24, 2012

2 Control Systems Metrics Movers/Shakers: Jim Brenton and Joe Weiss

The more metrics the merrier, I say. After yesterday's post on IDC's take on energy sector cybersecurity metrics, let's pivot to control systems, where the three most important things are:
  1. reliability
  2. reliability, and
  3. reliability
... and where what passes for cybersecurity in IT realms just doesn't cut the mustard.

First see this NEW POST from Joe Weiss on how to begin wrapping your head around what control systems metrics could look like.

Then I'd recommend Jim Brenton's PRESENTATION at GridSec earlier this year on a new group that's formed to look at developing security (or should I say reliability and resiliency) metrics for the Bulk Electric System (BES).

OK, that's it, this is a short one. You can go back to what you should have been doing all along.

Monday, July 23, 2012

New IDC Report Takes Measure of Energy Security Metrics


They had me with the title: "Methods and Practices: Creating a Metrics-Based Security Culture".  It seems IDC must have used a key word optimizer app designed to discover the best title based on the complete works at the Smart Grid Security Blog.

I can't vouch for the utility of this report because I haven't read it.  But I do know lead IDC energy and security analyst Usman Sindhu because we've been discussing grid security topics since we met back when he was still at Forrester Research.

Jesse Berst and the SmartGridNewsers did a nice little intro to it HERE.

The price may not be right for you, though maybe your company already has a subscription with IDC that will let you see it for free. Or maybe you can negotiate a "friends price" with Usman, the economy being somewhat iffy at the moment.

Photo credit: Steven Harris on Flickr.com


Sunday, July 15, 2012

No Day at the Beach: The Rationale for Breach Practice


Here in the Northern hemisphere, where approximately 90% of SGSB readers reside, it's summer.  In Europe (pre financial crisis Europe, anyway), it's time to throttle back and head for the beach. In the US and other parts of the world where long breaks are less common, beach time remains, for most, a scarce commodity.

Certainly with record heat waves driving air conditioning use way up, energy workers need to be on their toes, not dipping their toes in ponds, lakes or oceans.

Because I subscribe to Mckinsey & Company's Quarterly cybersecurity newsletter, I had the good fortune to come across this article yesterday: "Playing war games to prepare for a cyberattack".

We've talked on this blog before about the need for resilience, as in THIS POST from earliest 2012 citing statements on the subject from PJM CEO Terry Boston.

To me, awareness and acknowledgement that you have endured successful attacks, are being attacked or at least scrutinized right now, and will come under increasingly heavy and varied fire in the future, is a key indictor of whether your organization is reality based ... or not.

If your company is reality based, and you've haven't been running practice breaches yet, now's a good time to start, and the Mckinsey piece gives you a framework for getting started.

I won't pull any citations from it, though it's full of goodness. But rather, leave you with this sharp comment from UK-based reader:
In this still-nascent area of corporate risk and reputational vulnerability, the understanding of precisely who has responsibility for what should the worst happen isn’t good enough. We need new governance structures to provide more robust ownership, and in the interest of all stakeholders (customers, staff, shareholders, suppliers etc), we need a better reporting framework to ensure rhat public confidence in our most important IT and network-reliant brands is maintained.
Ah yes, the need for better security governance and better structures. Nothing like an actual impactful data or systems breach, or the realistic trial of dealing with one, to show you you're not organized to deal with it the way you'd want to be. 

Practice might not make perfect, but it can only serve to improve your understanding of the challenges, and may give you the fodder you've got to have to drive the changes you need.

Now, where's the suntan lotion?

Tilted Photo credit: ToddonFlickr 

Sunday, July 8, 2012

Massoud and Mother Nature Remind us (again) Why We're Modernizing the Grid



This post is more about energy security than cybersecurity, but what the heck.

The great 2003 outage that spurred the US grid modernization movement is almost ten years in the rear view mirror, and to many it seems like the lessons learned have yet to translate into sufficient action.

In a July 3rd interview, the University of Minnesota's esteemed energy grid guru Dr. Massoud Amin, noting the disproportionate and prolonged (depending on your address) damage caused by recent mid-Atlantic storms, reminds of what needs to be done ... and why.

Speaking of the national grid he says:
This is the kind of system that needs long term, patient investments in research in development, in innovation, and in upgrading the system.
The interviewer continues:
One of the main components in a "smart grid", a term coined by the professor, is the idea of two-way power movement. Conventionally, power has moved in one direction — from the local power plant directly to the consumer. In a smart grid, however, unused electricity would flow out of homes and back into the grid. This system would also allow homes or businesses that are equipped with wind turbines or solar panels to contribute their own power to the grid, which would provide extra security in the case of a blackout.
In some regions this vision still seems like distant science fiction; in others, it's beginning to come to fruition.

You'll find much to like in the 7 minute, 40 second audio segment that includes a little bit of history, a good amount of the present, and a few slices of a possibly better future ... if we take the right actions.

Photo credit: Washington Post (from a few days ago)

Tuesday, July 3, 2012

Happy 4th of July from the Energy Blogs: SGSB and DEB


On behalf of Dan Nolan and myself, wish all the great US readers of our two energy and security related blogs (the DOD Energy Blog and the Smart Grid Security Blog) a most fabulous Independence Day. And for the very many readers in other countries and on other continents, please note, if not celebrate, your own independence to the extent you have a little or a lot.

Progress in energy matters seems to move so slowly sometimes it often doesn't look or feel like progress at all. But trust me, from the special vantage points Dan and I have, we can tell you things are moving and quite definitely in the good directions.

Photo is of my friend Kirk S from Wisconsin yesterday on the Boston waterfront, where 120 tall ships are in town for the bicentennial of the War of 1812. We had a few beers at a local bar and saw sailors from all over, including many fine young men and women from the US Navy.

So once again, enjoy the 4th and be well.  Andy Bochman


Thursday, June 28, 2012

DOE's Prescription for Electric Sector Cybersecurity Uncertainties


I've had a link to this document in the blog's "Relevant Docs" section since it appeared, but with today's press release, I think it's time to shine a spotlight DOE's latest and greatest electric sector cybersecurity resource.

The campaign for measurement has just been given a big shot in the arm. By definition, in a weird permutation of Newton's Third Law, the minute a metric or measurement is proposed it creates its own opposition. Often vocal opposition, I might add.

Nevertheless, neither Newton nor opposition should cause us to accept stasis and the uncertainties that attend the status quo. "What uncertainties?" you might well ask.

And my answer is that the majority of C-Suiters and BoDs at medium-to-large electric utilities likely do not have a decent understanding of the cyber-related reliability and safety risks confronting their IT and OT operations. Nor do they understand well how sound (or unsound) are the defensive measures (people, policy, processes) their cybersecurity folks have deployed.

If I were to now transition to a tirade about the crying need for business-oriented security metrics and measurement, while linking to previous tirades, few would be surprised. But in a moment uncommon self restraint, I won't do that.

Instead, I invite you to consume a few tapas-sized sound bites from DOE's press release earlier today announcing its new, unpronounceable acronymed tool, the ES-C2M2.

Dig in:
  • Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
  • New Tool Available to Enable Electric Utilities to Better Assess their Cybersecurity Needs and Assets 
  • Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality. 
  • More than a dozen utilities nationwide participated in pilot evaluations to help refine the model
  • The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management
  • Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.
Here's a LINK to the model. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.govNote: The Energy Department is also offering facilitated self-evaluations on request.

Please keep in mind that this is a 1.0 version developed at break-neck speed. The more feedback DOE gets from its earliest users, the more we can expect from future versions. And they do seek your feedback.

I think what's been started here is good, very good in fact. Now let's seek to use it, make it great, and substantially improve the industry's understanding of itself along the way.

Image credit: DiaVoLo Group on Flickr.com

Sunday, June 24, 2012

Security Checklists, Compliance Cultures, and Finding a Better Way

Fixating on responding to a compliance regime is in a sense, like agreeing to not learn. You know how when you're in the passenger seat and even if you go to the same destination a hundred times, if you weren't driving you don't remember how to get there cause you never learned in the first place? Fortunately, the GPS came long just in time to save your butt.

Before I go any further, please note this is not intended as invective against the NERC CIPs. I know why they were made and why we still have to have them. Most of us wish it were otherwise, but if and until the majority of utilities are observed performing the activities the CIPs require (and more) on their own initiative, this is the way it's going to be.

Have to tip the figurative hat again to Ernie H, who once again can be counted on for spotting and forwarding the good stuff. THIS recent Dark Reading article lays bare the downside of a checkbox compliance mindset. In it, I like this analogy from security researcher Lamar Bailey:
[Security] standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game. If you can't pass them with two hands tied behind your back, your need to quit and find another game.
I could see how that might make some folks say Ouch!  Anyway, it prompted me do a search to see if
utilities were embracing or resisting some of the downsides of this mindset. Well, didn't take long before I happened upon this. Imagine you pay the salaries of dozens of folks, as many utilities do, engaged in activities described by one CIP compliance manual this way.

It begins, "Evidence is more than just documentation" and continues:
Demonstrating compliance usually means “corroborating” evidence. In other words, compliance programs should be designed to produce an output of several auditable records for each requirement to demonstrate performance. A documented process is the first part of demonstrating compliance. Additional examples include a log file, a change request form, a visitor log, or an incident response drill attendance sheet. For each requirement, a documented process and at least one other additional record should be available to demonstrate compliance.
There have got to be better ways to run and secure a utility, no? And of course, reading to this point is worth it if it means you get to a gem of an article I posted a link to almost exactly one year ago. Once again, HERE's Stephen Flanagan of FERC, giving a keynote on what he terms compliance cultures vs. cultures of commitment, who even as an auditor, keeps this in mind: "Security, not violations, is the primary focus." Like that.

Tuesday, June 19, 2012

NARUC Releases a Timely Cybersecurity Guide

I didn't like the tone of my original piece on this so have made a few mods. Content is essentially the same.

Here's a LINK to the National Association of Regulatory Utility Commissioners (NARUC)'s new Cybersecurity for State Regulators

Before I begin to comment on and critique some of the contents, I just want to say I have no ax to grind against NARUC. From my interaction with its members, including several of the folks named as authors of this document, these folks do a fantastic job, state by state by state, keeping the gigantic and sprawling US grid, reliably and economically up and running.

And let's continue with a little more praise. Very few state regulators have hands-on experience with cybersecurity. Giving them a guide that both teaches them, at an intro level, and arms them with good starting-point questions, is a wonderful and necessary thing. Major kudos for that.

However, this paraphrase from an article introducing the guide gave me initial pause:
NARUC advised state commissioners to work with utilities to increase their investment in cybersecurity protections for the smart grid.
This statement makes it sound like someone knows what the right amount of spending is. And that would suggest that that same someone knows a lot about the evolving threats, as well as the requirements for the right types of correctly deployed and configured technical and human protections, and has converted them to USDs (money). These are all things the energy sector security community is working on, but quantifying down to the right level of dollars spent is beyond us still, I think.

Now here's a direct quote from the guide:
Regulators have to determine whether the amount being invested is insufficient or excessive and whether it is allocated appropriately.
I know it's their job in general, but also think that specific to cybersecurity, this is a burden (on the regulators themselves) too far. Determining appropriate allocation is definitely a worthy pursuit, and the matter has great import for all stakeholder including customers. But man, without some commonly agreed frameworks or metrics to measure against, it's a tough one.

Now I'll do a quick pass at a couple of the proposed questions in the appendix.The first one is about budget:
Q26. Is cybersecurity budgeted for? What is the current budget for cybersecurity activities relative to the overall security spending?
Good stuff generally, and really core when it comes time to rate case justification. But I'd also want to know how is the budget arrived at? Like an elementary school teacher, I want you to step up to the board and show me the math. And not sure the second question is all that relevant ... is there a correct or helpful answer to that one?
Q27. Are individuals specifically assigned cybersecurity responsibility? Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?
I hope that in even the smallest utilities (and some are mighty small) the answer to the first question is yes. And I know that in even the largest utilities, the answer to the second question is almost always no.

Now here are a couple of other questions I might have suggested." In addition to Q27, I would have liked to see questions that poke into other governance issues, like:
  • QAB1: Related to applications: How many applications do you have? What are the top 10 most important ones? Who owns them? Who developed them? Who patches them? How are they secured? When was the last time they were tested and how did they do? Who tested them?
  • QAB2: Related to data: Have you inventoried your data assets? Developed a classification scheme? Identified data owners? Developed data lifecycle and protection policies? Practiced responding to a data breach? Who owns Privacy?
  • QAB3: Related to money (again): Beyond pen testing, how do you evaluate the effectiveness of your cybersecurity policies and programs? Related to Q26, what methods do you use for prioritizing your cybersecurity expenditures?
OK, I'll leave off there. This is simply going too long. But would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.

Tuesday, June 12, 2012

Talking Back to the CMU/Cylab Report's Energy Sector Findings

The report in question is the CyLab 2012 Report - Governance of Enterprise Security: How Boards & Senior Executives Are Managing Cyber Risks. Posted on this report recently, HERE, which includes links to it.

Have gotten some less-than-happy feedback from a number of readers, so in the interest of giving you access to additional points of view, here's a bulletized critique from a concerned utility industry professional:
  • Survey size is too small to produce meaningful results/findings (e.g. 108 respondents, with only 14 or so in the "utility/energy" category)
  • Not sure what types of companies fell in the “Energy and utility companies” bucket. It's unclear if many or any are electric power
  • In addition, the survey was global, with a minority of respondents (40%) based in North America and it's unclear whether there were any energy/utility co's from North America
  • The survey states opinion (vs. evidence) concerning the adequacy of corporate board and senior executive review of risk
  • The survey makes erroneous judgments about an organization’s ability to manage cyber security and privacy risks regarding the presence or absence of corporate officers with particular titles or the composition of corporate audit/risk committee structure
I found many of these points well founded and worthy of airing here. In order to provide valuable insights for our sector, and particularly for the US and North America, one would want hundreds if not thousands of data points. That, I'm afraid, was beyond the budget, scope and/or timeline of the team doing this research.

Shodan Again: the Search Engine You Need to Know About

http://www.shodanhq.com/

First mentioned on the SGSB HERE late last year re: a water pump hacking story, Shodan has an interesting origin story and its current use is even more interesting.

You know how you use Google or Bing to find links, apps, music, movies, photos, people, etc.? Well, you use Shodan to find connected physical objects: servers, routers, printers, sensors, water pumps .... And sometimes, electric power generation assets and other control systems. In the era of the "Internet of Things" connections are going to happen, sometimes by intention and often by accident.

Most of us would agree that some things simply should not be connected to the Internet. And if they need to be, security protections are a must. But Shodan reveals not just what's connected, but that those connected systems are often completely lacking standard cybersecurity protections.

Described by Robert O'Harrow, Jr., here's how it works:
The Shodan software runs 24 hours a day. It automatically reaches out to the world wide Web and identifies digital locators, known as internet protocol addresses, for computers and other devices. The program then attempts to connect to the machines. If a connection is made, Shodan "fingerprints" the machine, recording its software, geographic location and other data contained in the identification "banner" displayed by devices on the internet .... Shodan compiles the information in [its] servers - about 10 million devices every month - and makes it almost as easy to query online as a Google search.
There's a tremendous account of Shodan and it's impact on critical infrastructure protection community published in the Washington Post HERE ... it's good read indeed.

And if you've read all the way to this point in the post, then you're probably a good candidate to get value from this year's biggest and best control systems security conference. It runs 22-25 October and you can learn more about it, and register, HERE.

Tuesday, June 5, 2012

More Datapoints on the Current State of Electric Sector Cybersecurity Governance


In March we covered the preliminary CyLab report on the state of cross sector Security governance and one of the things it taught me was that electric sector cybersecurity professionals are not alone in their quest to improve/increase the level of interaction and communication with senior executives in their companies, including the CEO and Board of Directors (BoD).

Other than financial services sector companies, whose reputation for being in the lead on security and privacy governance matters is corroborated, none of the other sectors covered (IT/Telecom, Energy/Utilities, Industrial) fares particularly well.

Well, the final Carnegie Mellon/CyLab report is out now, and it provides a lot more detail into which to sink one's teeth. You can begin with the press release HERE, or move straight into the 28-page full report HERE.

But with your limited time in mind, electric sector reader, I've cherry picked a few salient nuggets for your more rapid consumption. First, an opening statement:
Interestingly, none of the energy/utilities sector respondents indicated that they have a Chief Risk Officer (CRO) even though their risks are high. The energy/utilities sector also places a much lower value on board member IT though their risks are high. The energy/utilities sector also places a much lower value on board member IT experience than the other sectors, which is puzzling since their operations are so dependent upon complex experience than the other sectors, which is puzzling since their operations are so dependent upon complex supervisory control and data acquisition (SCADA) systems.
Interesting: connecting IT experience with a foundation for grasping control systems security fundamentals. Certainly better than having no information systems background. And I didn't know CRO's where rare in large utilities. Maybe the utilities that participated in this survey are not representative of the larger population for some reason. But I would have thought CROs were commonplace, even if their attention wasn't trained on cybersecurity risks.

Now lets go straightaway to electric sector conclusions:
  • The energy/utilities and IT/telecom respondents indicated that their organizations never rely upon insurance brokers to provide outside risk expertise, while the industrials sector relies upon them 100%
  • Energy/utilities and IT/telecom sector boards are not adequately reviewing cyber insurance coverage
  • The energy/utilities sector places a much lower value on board member IT experience than financial, IT/telecom, and industrials industry sectors
And let's conclude with this recommendation, since it squares so nicely with one of the oft-repeated themes of this blog:
Review existing top-level policies to create a culture of security and respect for privacy
This CyLab report is an interesting complement to the recently release IBM CISO Survey, the results of which were discussed HERE last month. I'm always glad to add others' takes on how our sector is faring, even if the findingss are less than glowing. The truth, as they say, and presuming it's present to some degree in these reports, will set you free. Hopefully free to make things better.

Image credit: Magnetbox at Flickr.com

Thursday, May 31, 2012

Security FUD Alert: Flame On. Flame Off. Flame Out.


Here we go again, and this one is not (energy) sector specific. It's more geo-specific ... see: Middle East and North Africa, at least for now. This is a clear-cut case of marketing security through fear, uncertainty and doubt (FUD), and using the press's predictably Pavlovian response to maximize impact.

Depending on where you fit in the cyber food chain, maybe you like it, but I'm sick of it. Sick of it, I say. And I'm not going to take it anymore! (Yeah, right)

Here's the opening salvo fired on March 29 by InformationWeek (and many others), giving you the fever-pitch, straight up horror story, no chaser:
Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known as Flame ... appears to be even more sophisticated than the Stuxnet.
And with that we were off to the races. Just about every IT, cybersecurity and even mainstream media outlet picked up and broadcast the story in the first 24 hours. No questions asked it seemed.

Then along comes CSIS Senior Fellow James Lewis, two days later, with something quite a bit more tempered:
Flame is not a weapon, it's not the most sophisticated, it's not really that new, but it might be part of a large battle shaping up over the future of the Internet. Cyberespionage happens every day. This should not be news.
With that, Lewis definitely helped bring the hysteria down a notch or two. Much appreciated, Jim.

Finally we've got what I hope becomes the final word on this event, in the form of a post from my colleague and friend, cybersecurity expert Chris Poulin of new IBM company Q1 Labs. Chris begins:
I’m not so impressed: I believe we’re seeing the beginning of a long line of copycats, and Flame is a klunky primate of the next stage in the evolution of advanced malware; it’s just another generation in the APT ontogeny.
And then Chris turns the mike over to IBM X-Force's statement on the subject:
At this time, Flame appears to be limited to a very small geography, primarily certain countries in the Middle East, and does not appear to autopropagate. This malware appears to be highly targeted and designed to infect a minimal number of specifically targeted individuals. Consequently, the immediate threat from this malware, in the general network population, remains very very low despite its high profile in the press.
Like the way that piece finishes: very very low threat vs. high profile in the press. Succinctly said, and to me, what should be the nail in the coffin of this ridiculous escapade.

Security professionals in the electric sector and elsewhere: how are we going to be taken seriously by senior business leaders if some of us, even a small percentage, keep using misleading, inaccurate and gratuitously sensationalist methods to try and drum up more business? It's embarrassing.

I don't need to tell you there's plenty of business out there for vendors who play fair and square. Don't cry wolf unless there's a wolf. Don't say the sky is falling unless it is. Be good: important businesses and other organizations need your help, but they won't let you help if they don't trust you.

Image credit: Wikipedia

Wednesday, May 30, 2012

Workshop Alert: ENISA Flexing Grid Security Muscles in Brussels

This announcement, from the European Network and Information Security Agency (ENISA) hit my inbox earlier today and you might like to see it, especially if you are based in Europe (or would like a reason to visit). I reduced it down for your more rapid consumption:
  • Title: Workshop on “Security Certification of Smart Grid Components”
  • When: June 27, 2012
  • Where: Rue de la Loi, 130-1040 - Bruxelles (that's Brussels, Belgium, for you non Euro types)
  • Who (should attend): Participants and speakers of the workshop would be national certification authorities, EU officials, hardware and software manufacturers, energy service providers and certification laboratories from EU and US
  • Organizers: ENISA in cooperation with the European Commission
  • For details and to register, click HERE
The stated objectives of the workshop are to:
  • Support the Member States in better understanding the challenges of the Smart Grid component certification process 
  • Contribute in the harmonization of different certification policies followed by the Member States 
  • Invite Member States to present their national certification schemes and private sector to present their views on the matter 
  • Debate about the possible steps to take, at national and EU level, to speed up the secure introduction of Smart Grids
Sounds somewhat akin to IEC 62443 2-4. Perhaps there's some overlap or potential to leverage existing work. Anyway, if you've got something to contribute, or a desire to learn, go if you can ... and don't skip the mussels.