Thursday, September 27, 2012

Attacks on Energy Equipment Vendor like Attacks on Defense Contractor

In 2009, reports emerged that attackers had breached defense contractor systems and stolen data related to the F-35 Joint Strike Fighter. Because no one knows exactly what was seen and what was stolen, we may always have some uncertainty about how much adversaries know about this plane's combat capabilities and other secrets.

In 2011 we got news that the same contractor was attacked again, albeit this time, perhaps, with less success.

Now comes a network breach of a major critical infrastructure telemetry and control systems manufacturer, and it sounds like they may have lost some of the design specs and software at the heart of one of their most important and widely deployed systems.

Wednesday, September 26, 2012

Workshop alert: NIST's Information and Communication Technology Supply Chain Risk Management Workshop

Hat tip to my friend and colleague Alfred at IBM Deutschland.

What: (Let the acronym party begin!) The National Institute of Standards and Technology (NIST) is hosting a two-day workshop to engage multiple stakeholders and help establish a foundation for NIST's future work on ICT SCRM.

When: October 15 and 16, 2012

Where: NIST's Gaithersburg, Maryland HQ

More: An agenda will be posted soon. In addition to keynote addresses and panel sessions, the majority of the workshop will consist of four interactive breakout sessions focused on:
  • the fundamental underpinnings of ICT supply chain risk management
  • current and needed practices and related standards
  • current and needed tools, technology and techniques, and
  • current and needed research and resources
Click HERE for (much) more info, and if you need a more personal form of assistance, please contact Jon Boyens at or +1 240-477-3449

Thursday, September 20, 2012

China's (Apparently) Looming Grid Security Spending Spree

China Electric Power Research Institute (CEPRI) test center 
There are a few lines in the press release to which Jesse Berst links that give me agita (about the quality of the report he references), but it is worth pondering how much money China is spending to protect government orgs, businesses and citizens from cyber threats to its mostly brand new grid architecture.

$50 billion vs. $16 billion for North America and Europe combined, says research firm GlobalData.

Jesse calls China "nervous," but depending on where you stand, others might call them prudent. Of course we at the SGSB see things a little differently. I'm more interested in what people (in China and elsewhere) think are the most effective things to spend cybersecurity money on vs. just looking at the total amounts budgeted or spent.

Wonder if the Chinese will have better luck with cybersecurity metrics, measurement and information sharing than their North American and European counterparts have so far?

Here's the LINK to

Photo credit: Perspektive Mittelstand

Tuesday, September 18, 2012

The Quest to Better Understand the NERC CIP Bright Lines

Tom Aldrich and Rick Kaun have written some of the best material we've seen on the topic of the evolution of the CIPs, and Tom has a new piece clarifying the lack of clarity in the Bright Lines language.

This is something of interest to all utilities currently busy achieving and demonstrating compliance with version 3, and grappling with what they should do to best prepare for versions 4 and/or 5 coming at them sooner than they would probably like.

Here's Rick's intro followed by a link to Tom's article. Note: you may not like what Tom has to say, but it's better to get this news now than to go ostrich ....

Wednesday, September 12, 2012

Conference Alert: For Operational Technology (OT) Security, Accept No Substitute: Joe Weiss's Is the Only Game in Town

Sep 13 update:

Where would I be without reader feedback? If securing operational systems is a more urgent interest (or requirement) for you, and/or if you live in Idaho, then please waste no time in turning your attention here:

Asset owners and operators have a number of classes and courses available to them from DHS. Not the least of these is the one week: a hands-on workshop held at Idaho National Labs. For more info, click HERE NOW.
As previously announced, while there are other electric sector conferences going on the same week, if SCADA and control system security is your primary focus, then this is the one for you.

Here's where you'll want to be and some of the details you need to make it happen:
  • Name: 12th ICS Cyber Security Conference
  • Location (general): 200 miles south of DC
  • Location (specific): VMASC Main Building, 1030 University Boulevard, Suffolk, VA 23435
  • Dates: 22-25 Oct 2012
  • Link for more info and registration:
In the meantime, while Joe's formula for OT Security success is not easy to replicate, you can see how you and your organization might make some adjustments to get there, HERE.

Tuesday, September 4, 2012

Evaluating Electric Sector Cybersecurity Measure for Measure

(Allowing for gross, bordering on reckless, misappropriation) as Shakespeare once said, if you don't take time to measure, you might end up making some big mistakes, like marrying the wrong person, or verily, killing the wrong enemy, and worse.

If you must, see previous SGSB posts on Measurement and Metrics HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE ... you starting to get the picture?

Now introducing: four significant tools in four months designed to help utilities and those who help them develop a better understanding of their cybersecurity posture and preparedness:
  1. NIST's NISTIR 7628 Assessment Guide (Aug 2012) - Utilities and their partners can now begin to gauge alignment with this uber-guide to Smart Grid security & privacy. Bonus: if you order now, you'll also get a companion spreadsheet tool!
  2. DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012) - Metrics for utilities to use to baseline and gauge effectiveness of their cybersecurity program and controls
  3. NARUC's Cybersecurity for State Regulators (June 2012) - Questions utilities will be asked by their state public utility commissions, who will be all the smarter for having read this doc
  4. DOE's Electricity Subsector Risk Management Process (May 2012) - Helps translate cybersecurity into a risk management framework