Thursday, July 26, 2012

The State of the States and Smart Grid Security

Readers, working your way through this comprehensive yet non-alarmist EPIC PIECE of Smart Grid security journalism will take some time, because author and former NH PUC commissioner Nancy Brockway has done her homework and then some.

And unlike some unschooled energy security bloggers I know, she knows all the business angles. To wit:
Utilities might argue that they need pre-approval and current recovery of cybersecurity costs. Utilities and their smart grid industry partners sometimes claim that without such cost recovery, a utility will lack the ability and resources to pursue cybersecurity with vigor, presumably because in and of themselves, cybersecurity investments don’t generate revenue. However, the industry has it backwards.
See what I mean? OK, here's the cybersecurity funding smackdown:
If a utility executive says the firm won’t vigorously pursue cybersecurity absent a tracker to recover its costs outside the normal ratemaking treatment, the utility is signalling that it might not have fully embraced the goal of such security. And a utility that tries to reassure the commission that such guaranteed revenues can be clawed back on a later finding of imprudence might be hoping the commissioners are naive about how prudence reviews work.
Hold on; one more volley and it's over:
There’s a huge difference between pre-approving and providing extra-rate-case recovery of utility investments in cybersecurity, and making it clear that the commission understands the need to change out obsolete equipment and technology, beef up staff, and make investments to protect the grid. But if a utility cares so little about cybersecurity that it won’t pursue the smart grid or the cybersecurity component of the smart grid absent guaranteed, dollar-for-dollar, few-questions-asked revenues awarded outside of normal cost recovery, this should be a red flag to the commission about letting that utility install the connectivity inherent in the smart grid.
About the only point Ms. Brockway seems to have missed re: State actions is the recent publication of a pretty decent and helpful guide by NARUC, which we posted on earlier and which you can view HERE. It didn't seem like you could comment on the article, but I'll be very interested to hear what folks make of her positions on these matters, particularly the funding aspects.

Tuesday, July 24, 2012

2 Control Systems Metrics Movers/Shakers: Jim Brenton and Joe Weiss

The more metrics the merrier, I say. After yesterday's post on IDC's take on energy sector cybersecurity metrics, let's pivot to control systems, where the three most important things are:
  1. reliability
  2. reliability, and
  3. reliability
... and where what passes for cybersecurity in IT realms just doesn't cut the mustard.

First see this NEW POST from Joe Weiss on how to begin wrapping your head around what control systems metrics could look like.

Then I'd recommend Jim Brenton's PRESENTATION at GridSec earlier this year on a new group that's formed to look at developing security (or should I say reliability and resiliency) metrics for the Bulk Electric System (BES).

OK, that's it, this is a short one. You can go back to what you should have been doing all along.

Monday, July 23, 2012

New IDC Report Takes Measure of Energy Security Metrics

They had me with the title: "Methods and Practices: Creating a Metrics-Based Security Culture". It seems IDC must have used a key word optimizer app designed to discover the best title based on the complete works at the Smart Grid Security Blog.

I can't vouch for the utility of this report because I haven't read it. But I do know lead IDC energy and security analyst Usman Sindhu because we've been discussing grid security topics since we met back when he was still at Forrester Research.

Jesse Berst and the SmartGridNewsers did a nice little intro to it HERE.

The price may not be right for you, though maybe your company already has a subscription with IDC that will let you see it for free. Or maybe you can negotiate a "friends price" with Usman, the economy being somewhat iffy at the moment.

Photo credit: Steven Harris on

Sunday, July 15, 2012

No Day at the Beach: The Rationale for Breach Practice

Here in the Northern hemisphere, where approximately 90% of SGSB readers reside, it's summer. In Europe (pre-financial-crisis Europe, anyway), it's time to throttle back and head for the beach. In the US and other parts of the world where long breaks are less common, beach time remains, for most, a scarce commodity.

Certainly with record heat waves driving air conditioning use way up, energy workers need to be on their toes, not dipping their toes in ponds, lakes or oceans.

Because I subscribe to McKinsey & Company's Quarterly cybersecurity newsletter, I had the good fortune to come across this article yesterday: "Playing war games to prepare for a cyberattack".

We've talked on this blog before about the need for resilience, as in THIS POST from early 2012 citing statements on the subject from PJM CEO Terry Boston.

To me, awareness and acknowledgement that you have endured successful attacks, are being attacked or at least scrutinized right now, and will come under increasingly heavy and varied fire in the future, is a key indicator of whether your organization is reality based ... or not.

If your company is reality based and you haven't been running practice breaches yet, now's a good time to start, and the McKinsey piece gives you a framework for getting started.

I won't pull any citations from it, though it's full of goodness. Rather, I'll leave you with this sharp comment from a UK-based reader:
In this still-nascent area of corporate risk and reputational vulnerability, the understanding of precisely who has responsibility for what should the worst happen isn’t good enough. We need new governance structures to provide more robust ownership, and in the interest of all stakeholders (customers, staff, shareholders, suppliers etc), we need a better reporting framework to ensure that public confidence in our most important IT and network-reliant brands is maintained.
Ah yes, the need for better security governance and better structures. Nothing like an actual impactful data or systems breach, or the realistic trial of dealing with one, to show you that you're not organized to deal with it the way you'd want to be.

Practice might not make perfect, but it can only serve to improve your understanding of the challenges, and may give you the fodder you've got to have to drive the changes you need.

Now, where's the suntan lotion?

Tilted Photo credit: ToddonFlickr

Sunday, July 8, 2012

Massoud and Mother Nature Remind us (again) Why We're Modernizing the Grid

This post is more about energy security than cybersecurity, but what the heck.

The great 2003 outage that spurred the US grid modernization movement is almost ten years in the rear view mirror, and to many it seems like the lessons learned have yet to translate into sufficient action.

In a July 3rd interview, the University of Minnesota's esteemed energy grid guru Dr. Massoud Amin, noting the disproportionate and prolonged (depending on your address) damage caused by recent mid-Atlantic storms, reminds us of what needs to be done ... and why.

Speaking of the national grid he says:
This is the kind of system that needs long term, patient investments in research in development, in innovation, and in upgrading the system.
The interviewer continues:
One of the main components in a "smart grid", a term coined by the professor, is the idea of two-way power movement. Conventionally, power has moved in one direction — from the local power plant directly to the consumer. In a smart grid, however, unused electricity would flow out of homes and back into the grid. This system would also allow homes or businesses that are equipped with wind turbines or solar panels to contribute their own power to the grid, which would provide extra security in the case of a blackout.
In some regions this vision still seems like distant science fiction; in others, it's beginning to come to fruition.

You'll find much to like in the 7-minute, 40-second audio segment, which includes a little bit of history, a good amount of the present, and a few slices of a possibly better future ... if we take the right actions.

Photo credit: Washington Post (from a few days ago)

Tuesday, July 3, 2012

Happy 4th of July from the Energy Blogs: SGSB and DEB

On behalf of Dan Nolan and myself, I wish all the great US readers of our two energy and security related blogs (the DOD Energy Blog and the Smart Grid Security Blog) a most fabulous Independence Day. And for the very many readers in other countries and on other continents, please note, if not celebrate, your own independence to the extent you have a little or a lot.

Progress in energy matters sometimes moves so slowly that it often doesn't look or feel like progress at all. But trust me, from the special vantage points Dan and I have, we can tell you things are moving, and quite definitely in good directions.

Photo is of my friend Kirk S from Wisconsin yesterday on the Boston waterfront, where 120 tall ships are in town for the bicentennial of the War of 1812. We had a few beers at a local bar and saw sailors from all over, including many fine young men and women from the US Navy.

So once again, enjoy the 4th and be well. Andy Bochman