Friday, August 31, 2012

Conference(s) Alert: EnergySec and GridSec coming up

These are the two longest running energy + cybersecurity conference tracks in North America and both have summits coming up this Fall:
  • Sep 25-18, 2012, Portland, OR
  • Oct 22-24, 2012, San Francisco, CA

Click through and you'll see that both agendas are forming and speaker rosters are still being firmed up, but utility participation is on the rise and these are the real deal.

Also there's much more focus now on the security of operational systems, not just IT/Business.

Recommend you attend one of these, and if you can't, then at least pay attention to the articles, blogs and videos that come out of them ... some, hopefully, right here.

Tuesday, August 28, 2012

ENISA Again: 3rd Time's the Charm re European Grid and Smart Grid Security Policy

8/29 Update:

You still have a few days to register and get your plane or train tickets to Amsterdam. In one fell swoop, the existence of this 10/15 workshop, in itself, fully refutes charges of lack of US-European cooperation, as well as claims that control system security is ignored. Go HERE to learn more and register.


While many a great political speech or play is constructed of monologues, it's through dialogue that we reach understanding and consensus. Wait, who said that?

This blog first posted on the European Network and Information Security Agency (ENISA) and its recent recommendations for EU energy sector security earlier this month.

Friday, August 24, 2012

Weekend Wind Watch


No, this isn't about Tropical Storm Isaac and next week's Republican convention, nor a reference to one of the funniest (or grossest) movie scenes of all time: the bean feast round the campfire in Blazing Saddles.

Rather, it's a great big photo my friend Chris took coming back through Texas while dropping one of his kids at college in Arizona.

Looks like one of those "postcards from the future" features at the back of science magazines many years ago.

Hope the grid is getting smart enough to handle all this wind ... 'cause these big babies appear to stretch out as far as the eye can see!

Wednesday, August 22, 2012

Smart Grid Security Blog Late Summer 2012 Navel Gazing

8/24 update: Realized the list of top 20 countries doesn't begin to convey the amount of international interest in Smart Grid Security, at least from what I can tell through visitor logs. In the last year there have been multiple visits each from over 100 countries ... what do you think of that?


First, let me welcome new SGSB subscriber HH, who pushes the number of folks who now read this blog primarily through an email feed well over 1,100. Thought I'd give readers, new and long suffering, who arrive via email, Twitter, Google, LinkedIn or trails of breadcrumbs, a feel for this community via a sanitized picture of fellow readers.

So without further ado or drama, here are a few stats for you:

Blog start date: April 2009
Number of published posts: 410
Twitter subscribers (@sgsblog): 770

Thursday, August 16, 2012

Keep an Eye on This: Saudi Aramco Cyber Attack

31 Aug 2012 update:

Now another one: Qatar-based RasGas seems to have been hit by the same type of attack as Saudi Aramco last week. No operational impact, but IT systems likely took a pounding. Link HERE


16 Aug 2012 10:30 am ET update:

This just in - good news as it seems Saudi Aramco is reporting no operational impact.


Hat tip to my friend, north-of-the-border cyber guru Darth Thanos for his tweet on this. I don't usually post breaking news because that's not my job, and a fuller, more helpful picture usually emerges after a few days or weeks. But this one merits your early attention I believe.

The largest oil and gas company in the world has been attacked, has had its networks disrupted, and may have lost significant data too. Don't know about impact on operations, and don't want to say more until we learn more.

Wednesday, August 15, 2012

Mid 2012 GAO Update on Grid Security ... and a Mea Culpa

Before teeing up the most recent GAO report on electric sector cybersecurity, I'd like to use this pixelated platform to speak back to a quote attributed to me last week that raised the hackles of some utility professionals (and it should have).

First, I'm neither a security-focused PR flack for the electricity industry, nor a gotcha journalist trying to capture eyeballs by vilifying utilities and scaring readers. Rather, I'm a member, supporter, advocate, and hopefully, sometimes, a constructive critic of the enterprise of keeping the grid safe and secure while updating it for the 21st century.

So here's the thing: a recent interviewer quoted me as saying senior management doesn't have a very good understanding of their security posture. While I'm sure I've said something like this a hundred different ways on the blog, it's never been intended as an insult or attack, but rather as an observation of the current state of affairs at many but not all utilities. The way this was captured and framed in the article, however, losing nuance and a few other qualifying words along the way, it definitely came off as a blunt attack ... and I'm not the only one who noticed. Sorry about that ... wasn't my intent.

However, support for this type of generic observation comes from things everyone in the industry already knows, and that the GAO lists on the highlights page of its July 2012 report. Here are the last 4 challenges, partially addressing utilities, partially the larger industry ecosystem:
  • A focus by utilities on regulatory compliance instead of comprehensive security
  • A lack of security features consistently built into smart grid systems
  • The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues
  • The electricity industry did not have metrics for evaluating cybersecurity (AB: of course I'll come back to this one before the post is over!)
All of these things make sense to folks who've either been in a utility or have worked with utilities and/or regulators for some time. There's a logical history to each of them that explains where they came from and why they remain challenges to be solved.

And you'll note (and it angers some of the more concerned security pundits when I say this), that whatever US utilities have done so far has apparently been enough to keep cyber attackers from having major successes to date.

As this post is now getting too long and trying to do too many things, let's end with another invocation on the benefits of business-oriented metrics, this time courtesy of the GAO itself:
... Having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.
The GAO, I think, comes from a similar position, in some ways anyway, as this blog. The cited report mentions not just shortcomings but positive actions taken so far. The GAO, the SGSB (this blog) and plenty of other groups and individuals simply want to see utilities and the industry be safe and successful while they modernize to meet the demands of our times. Neither is interested in criticism for criticism's sake, but only in suggesting better possible methods. I'll leave it at that for now.

Saturday, August 11, 2012

Perhaps Better Fettered: 2nd Thoughts on ENISA's Cybersecurity Report from this Side of the Pond

Had a number of reader responses to this week's post on the European information security organization's proclamation of intent and recommendations for the electric sector and Smart Grid.

My post welcomed the attention to the issue by the EU, but expressed, hopefully in a mainly professional way, that this feels, to invoke a common American idiom, a day late and a dollar short.

Here are two additional observations I got:
1. One US respondent says "It contains no call for cooperation with US-CERT, FERC or equivalent body on problems that are clearly of interest to both sides. Compare with various DHS initiatives (such as DHS ICSJWG) which have included foreign participants."
Concur. References to SANS, NIST and DHS in the bibliography notwithstanding, it does appear that explicit calls for transatlantic, interagency cooperation are missing, and that this should be rectified in a next version.
2. Another true blue American notes "ENISA reports do not adequately address control systems."
While the bibliography is littered with entries for SCADA and Control Systems-related texts, it doesn't seem like much of that research made it into the final document. Still, while most of the 10 recommendations involve getting ready to get ready to do something, and control system security seems to be largely glossed over, there is, in requirement 6, language that might point to operational systems at some point:
Recommendation 6. Both the EC and the MS competent authorities should promote the development of security certification schemes for components, products and organisational security.
So I'll leave it at that for now. Would welcome an ENISA response. I always try to not be too hard on 1.0 documents because there's always the chance, if not the likelihood, that we'll see them improve in subsequent versions.

I know it doesn't want to be a fetterer, but my sense is that Europe will come to see the wisdom of getting a bit more explicit and comprehensive in these matters. I know from experience that some of its utilities are looking for more guidance. OK? Back to the Olympics!

Wednesday, August 8, 2012

Unfettered: ENISA Announces European Smart Grid Security Intentions

Here's how the European Network and Information Security Agency put it a few weeks ago:
We are happy to inform you that ENISA has recently published a new study on smart grids’ security. This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing. This guidance is based on the results of a thorough analysis of the opinions of the experts who participated in the study.
Couldn't possibly be softer, gentler, or less threatening, I'd say. Sort of like what some of the North American utilities wish they had to deal with instead of the toothy and time consuming NERC CIPs. Certainly this ENISA stuff is much higher level, earlier stage guidance than the NISTIR 7628, which has now been available in some form for over 2 years.

But I note that we're hearing of no more significant cybersecurity breaches in the European electric sector than we are at utilities in the US. Maybe what some say is true: that expensive and time consuming compliance burdens and activities cut into the utilities' own cybersecurity efforts. The argument goes that if it weren't for the NERC CIPs, utilities might be able to better secure themselves.

At this point, it's hard to discern a difference in effectiveness between the European laissez faire approach to setting electric sector security rules and the more prescriptive North American one. Maybe the pluses and minuses of each roughly cancel out and for the moment, both are in reasonably good shape.

Although I bet that's a message you're not going to hear at the ICS CyberSecurity Conference coming up in October.

You can download the ENISA document HERE.

Europa Image credit: Wikipedia Commons

Wednesday, August 1, 2012

Michael Assante Holds Forth on Cybersecurity Leadership

You've seen him here before, but for those not familiar, his quals, in reverse chronological order:
Great background, right? Though he lives in the Northwest, he's pretty visible in DC as a frequent testifier on national security issues related to cybersecurity and critical infrastructure.

Here's an excerpt from a just published Q&A session I was lucky enough to engage him in. When asked:

 "... What can the energy & utilities industry learn and leverage from these other critical infrastructure industries?" Mike responded:
It is more the norm than the exception to find executive-level cybersecurity leadership in banking and telecommunications today. Years ago, both industries realized that protecting their networks, systems and data from attackers was a strategic imperative. And some industries have even gone so far as to police themselves with their own security standards. Now it’s time for electric utilities and other energy companies to elevate cyber resilience in their business planning and investment decisions.
You bet it is.

The interview is not too long ... only 4 questions, but I highly recommend you view his well-informed responses to all of them, which you can see RIGHT HERE.

Image credit: