Wednesday, November 27, 2013

A Means to a Measured Approach to Cybersecurity

Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.

Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.

A few of the principles we seem to share include:

Monday, November 25, 2013

ICS Electric Utility Attack Video and Aegis to the Rescue

SANS Securing the Human - ICS Attacker
The excellent security-mined people at the SANS Institute have produced an 8 minute video that walks you through a control systems attack.  The money they saved by using animation instead of Matt Damon or Morgan Freeman was put to good use as you'll see. For such an esoteric subject, this is a first rate video. For more info please visit the Securing the Human site at

Meanwhile, to calm you down after the video gets your heart rate up, you should start learning about a new tool that's set for release at the upcoming SANS SCADA Summit. It's called Aegis and it's not an anti-ballistic missile system.  It's a testing tool to help ensure systems communicating with one of the most common SCADA and controls systems communications protocols, DNP3, are harder to attack.

You can ready more about Aegis here:

And more about the SANS ICS Summit here:

Saturday, November 23, 2013

Sandia and Hayden on Cybersecurity Strategies for Microgrids

First off, thanks to friend and colleague Ernie Hayden for writing a microgrid security post following his mini-immersion in the topic last week.  You can read his write-up HERE.

In particular, want you to see something he linked to: SNL's Microgrid Cybersecurity Reference Architecture.  That's Sandia National Labs, btw, not Saturday Night Live; talented though he is, Jimmy Fallon is not a contributor to this piece.

Thursday, November 21, 2013

SCADA Primers Now for Grades 1-8 and Even More Managers

Earlier this year, the US Air Force's Robert M. Lee brought us SCADA and Me, an intro level graphic novelette optimized for very young children and certain managers. Now comes Haley Wauson of industrial automation company Cimation with a blog post that should help SCADA and Me readers advance to the level of middle school literacy and educate an even more advanced cohort of managers.

In her succinct post "What is SCADA Anyway?" Ms. Wauson uses infographic style visuals and multi-syllabic words to take readers to a level of depth that goes well beyond Robert Lee's Goodnight Moon-esque masterpiece.

Sounds like I'm joking around but actually works like these are just the thing for de-mystifying technology that's foreign to IT-centric folks.  SCADA and control systems are of central importance to making good things happen in our increasingly interconnected "Internet of Things" world, or as my recent alma mater IBM has dubbed it, the Smarter Planet.

Securing these things, now that's another matter. But first you have to know what they are, and where they are, in the first place!

Thursday, November 14, 2013

Grid Attack Simulation Just Completed: “It was More Severe than Anything We’ve Drilled"

So said the President and COO of AEP subsidiary Southwestern Electric Power Company, of scenario she and her people faced during NERC's second GridEx exercise.

Sounds like NERC CEO Gerry Cauley and his team brewed up something pretty potent this time.  Heck, it even included 7 deaths and 150 casualties ... in quotes of course.

NERC will issue an "after action" report including objectives, what actually happened, lessons learned and recommendations as soon as they get some sleep.  In the meantime, this account from the NY Times Matthew Wald is pretty darn good.  You can check it out HERE.

Photo credit: The Guardian

Tuesday, November 5, 2013

Webinar Alert: UTC Cybersecurity Metrics Training

Never thought I'd see training on one of my favorite topics, but somehow the Utilities Telecom Council (UTC) is going to do it a week from now.  To some readers' pleasure and others chagrin, I've done a million posts on metrics, some absurdly long (see: HERE) and I for one, will be paying very close attention.

When: 12 November 2013, 2 - 3:30 pm ET

What: "This webinar provides an overview of metrics development and implementation approaches based on national and international standards and best practices. It describes how to develop and use metrics to gauge performance and facilitate improvement and gives examples from the utilities space."

How: Click HERE for more info and to register

Thanks again to tmorkemo on for this image ... my 2nd timing using it