Friday, December 27, 2013

Job Opportunity - Industrial Control System Security Lead

My good friend Dave Tyson -- CISO at SC Johnson -- has asked me to pass along his current opening for someone to help with industrial control systems (ICS) security at his company.  The job posting is below.

If you are interested or you are aware of another qualified candidate, feel free to contact Dave with a resume at dntyson@scj.com.

### - ###

Industrial Control System Security Lead 

Global Information Security Team


Reporting to the Leader, Global Information Security Business Advisory (GISBA), the lead for the Global Product Supply (GPS) Information Security program is responsible for developing and managing the GPS Information Security program.
This leader will own and drive the global rollout of a more robust and formal approach to managing information security risk in the GPS environment. The structure of the program will be based on the goals, principles and strategy of the overall Global Information Security Enterprise Security Strategy at SCJ. At its core, this program will ensure appropriate security management while driving breakthrough performance in governing business appropriate risk to data and systems. The GPS security lead will optimize team processes to ensure efficient and effective delivery of services in a 24x7 ‘follow the sun’ operating model.
Position Overview:

We are seeking a professional with a deep background of Industrial Control Systems Cyber Security Engineering and Architecture. The candidate is expected to be a visionary technologist and demonstrate a combination of leadership, technical and program management skills. The successful candidate will lead both current security enhancement programs as well as the development of a sustainability effort to build a globally sustainable information security program.
Responsibilities:
  • Identify new technologies, processes and programs to enhance security, reliability and customer experience.
  • Identify operational issues and define design alternatives to address these issues.
  • Act as a technical advisor and subject matter expert to internal stakeholders and partners.
  • Coordinate with the Global Information Security Operations team for malware analysis, and testing of remediation processes.
  • Perform detailed and technical analysis of ICS and help integrate cyber security solutions worldwide.
  • Maintain a superior knowledge of the cyber security capabilities of operating systems, networking devices, control systems, and vendor offerings.
  • Maintain a working knowledge of applicable cyber security standards involving critical infrastructure, including those relating to process networks.
  • Understand technical issues and the implications to the business, and be able to communicate them to management and other business leaders.

Capabilities:
  • Ability to effectively work in a matrix management environment
  • Strong communication and presentation skills
  • The ability to lead large groups and be a primary facilitator
  • Strong written skills
  • Comfortable working in a project based / client serving model
  • Ability to lead and shape client expectations
  • Help drive pursuits and engage in complex deals, matching outcomes to expectations
  • Ability to work easily with diverse and dynamic teams
  • Ability to work in a matrix management model
  • Readiness to travel 25-50% initially
  • Experience working in international organization roles

Qualifications:
  • 7-10+ years recent experience in a large enterprise environment
  • Demonstrated experience with implementing and maintaining security in large, complex Industrial Control System environments, etc.
  • Experience with securing SCADA, PLC, and HMI systems, etc.
  • Strong networking background with a minimum of 3 years of networking experience in routing, switching, network security and packet analysis
  • Experience in the capabilities and/or configuration of cyber security controls, specifically those relating to firewalls, access control, authentication, anti-virus/anti-malware, patching and hotfix, logging and SIEM.
  • Ability to train, manage and assist co-workers on all aspects of security awareness, controls and compliance
  • Superior written, presentation, and verbal communication skills
  • Exceptional organizational, interpersonal and team skills
  • Ownership orientation to solving problems
  • Information security and data protection skills are desired
  • Experience managing and leading
  • Ability to pass a detailed security background screening
  • Education – Bachelor’s degree or equivalent education and experience
  • Professional Certification – CISSP, CPP or equivalent will be considered advantageous



Tuesday, December 17, 2013

Neuroscience, Risk and Security

For years I have been a student and practitioner of security – both cyber and physical.  My initial years focused on the “Security 101” elements with a “castle and moat” approach for both physical assets and cyber (i.e., the “walls” were “firewalls”).  Over time, however, I’ve realized that there is more to security than wondering about the bits and bytes or the sizes of chain link fence mesh.  Instead, I’ve begun to recognize more and more that the human element – that is the attacker and defender – needs to be studied and recognized as a key element.

(Artwork from Microsoft Open Source)

I’ve realized – with some considerable influence from Bruce Schneier in his seminal essay “The Psychology of Security,” and from other thought leaders in the security space such as Kirk Bailey at the University of Washington or Robert Coles at GlaxoSmithKline -- that you need to understand what motivates the attacker and what helps the defender recognize new ways and means of defending against the wily aggressor.

In other words, I came to realize that neuroscience should play a key role in helping security professionals understand the attacker’s “brain” so to speak and thus their motivations.

Samad Aidane PMP

Last night I had a fascinating discussion on this very subject with my friend and colleague Mr. Samad Aidane.  Samad and I first met in 2004 or so when I was the information security manager/CISO at the Port of Seattle.  Samad was a newly hired project manager.  Since then we have both expanded our horizons and Samad has evolved his expertise in the realm of neuroscience and project management as well as risk.

Anyway, our conversation tonight revolved around Samad’s new research and focus on the neuroscience behind effective project management and risk.  In fact, Samad has even begun a blog at Neurofrontier.com to expand his and his reader’s awareness of neuroscience and leadership.  I’d like to suggest you take a look at his blog and get a sense of his perspectives on this new science.

A key take-away from my conversation with Samad was that how the brain functions when analyzing risk may be excellent knowledge for security and risk professionals to leverage when dealing with risk analysis decisions.  Similarly, understanding how the brain functions when establishing attack and defense concepts may be very useful to the cyber and physical security defender.  And, of course, if you lean on the concept of “Assumption of Breach”[1] for your enterprise cyber and physical defense, perhaps knowing how the brain functions and reacts could be very useful.

I am excited about the new ideas raised by Samad last evening and I look forward to our next meeting and discussions.  In the meantime, take a moment to look at Samad’s website and review some of his ideas.  You may see a sliver of some new concepts for the security profession to lean on as we try to stop the bad guys!




[1] For my past articles on this subject please go to my article in Asian Power at http://asian-power.com/node/11144 or my article in SearchSecurity at http://searchsecurity.techtarget.com/tip/Assumption-of-breach-How-a-new-mindset-can-help-protect-critical-data

Saturday, December 7, 2013

NIST CYBERSECURITY FRAMEWORK - COMMENTS DUE FRIDAY 12/13!

A few weeks ago I prepared a blog for Tofino Security summarizing the key aspects of the DRAFT NIST Cybersecurity Framework.  I guess I hit the target because the blog has been posted on a few other sites and referred to in some Tweets.

(From Cover of National Infrastructure Protection Plan - http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf)

Anyway, for you as one of my readers, my original submittal for the Tofino blog is posted below.

But, don't forget, NIST has requested comments on the Cybersecurity Framework by Friday, December 13th.

Take care, have a great and safe week, and here is the blog.................Ernie

########################################


You may have heard a bit of buzz in the US national and even international press about the release of the Cybersecurity Framework Draft from the US National Institute of Standards and Technology (NIST).  However, you may not know about its background or what it may mean to you as a control systems manager.  As such, this is intended to give you a high level overview of the genesis of this document and give you some points of reference.

Background
As we realize more and more every day, our national infrastructure – in Canada, the US or any country for that matter – is very important to our economies as well as our own national defense.  Because of concerns over continued cyber attacks on US national infrastructure – such as the electric grid, water systems, transportation networks, banks/financial institutions, critical manufacturing, etc. – President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013.  This document is fondly referred to as the “EO.”

The EO also called for development of a voluntary Cybersecurity Framework to provide a “…prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for critical infrastructure services to thus manage cybersecurity risk.

Critical infrastructure is defined in the EO as “…systems and assets – whether physical or virtual – so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”  Example industry sectors – and the corresponding Federal oversight agency -- considered as “critical infrastructure” include[1]



As a follow-up to the EO and PPD, NIST was assigned responsibility for development of the Framework in collaboration with industry feedback.  The Framework is intended to provide guidance to an organization on managing cybersecurity risk.  A key objective of the Framework is to encourage organizations to consider cybersecurity risk as a priority similar to financial, safety and operational risk while factoring in larger systemic risks inherent to critical infrastructure.

In other words, cybersecurity risk and considerations need to be included in the day-to-day discussions at your company or organization as you expand your business, build new facilities, install new equipment and hire new people.

Let’s Talk About the Framework
First, the EO instructed NIST to be the lead in developing the Framework.  As such you can find the Framework DRAFT document and supporting information at www.nist.gov.

And, what does the Framework contain?  The Cybersecurity Framework:
  • shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
  • shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
  • shall be consistent with voluntary international standards when such international standards will advance the objectives of this order.

And, what is the Framework supposed to do?  The Framework:
  • shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
  • shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
  • will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
  • should provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks.
  • shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

So, with the guidance above – and with input from industry – the draft of the Framework is intended to provide a common language and mechanism for organizations to:

  • Describe their current cybersecurity posture (and a semblance of maturity level)
  • Describe their target state for cybersecurity
  • Identify and prioritize opportunities for cybersecurity improvement within the context of risk management
  • Assess progress toward the target state, and
  • Foster communications among internal and external stakeholders.

A key aspect of the Framework is that it is not intended to replace an organization’s existing business or cybersecurity risk management process and cybersecurity program.  Instead, the organization can use its current processes and leverage the Framework to identify areas to improve its cybersecurity risk management.  Also, the Framework can be helpful to a company that does not have a currently existing cybersecurity program so they can build in key elements raised by the Framework.

So, What Should You Do with the Framework?
First of all, take a look at the list of the critical infrastructures listed above.  Does your company fall into any of those categories?  If not, is your company substantially reliant on any of those key infrastructures for your success and even existence?  If the answer to either is YES then I’d suggest you take time to read the Framework as it stands and figure out how you can apply it to your current cybersecurity risk management.

Secondly, acquaint your Executive Management and Board Members with the Framework.  Give them a sense of how your company stands today relative to the Framework Implementation Tiers listed.  Use this as a means of highlighting your organization’s “…cybersecurity maturity level…” and if you aren’t at the top, use it to highlight the resources (i.e., people, time and money) you need to raise your game.

Thirdly, take a hard look at the Framework and even “test drive” it as it stands.  Be sure to provide comments back to NIST as described at their page “Request for Comments on the Preliminary Cybersecurity Framework.”  Comments are requested before December 13, 2013.

Final Thoughts
When you read the draft Framework, recognize that it is not a “checklist” or a simple “compliance” item to be fulfilled.  Instead it provides a set of performance objectives for your cybersecurity risk program to achieve for your prioritized list of key assets.  But also, it is not a “how-to” on building a security program.

So, even for our Canadian friends, be sure to take time to look the Framework over. 


[1] From the corresponding Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience,” which was issued at the same time as the EO. Link: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

Tuesday, November 26, 2013

White Paper Available - Introduction to Microgrids

As a follow-up to my presentations on Microgrid Security you may be interested in a white paper published at Securicon on Introduction to Microgrids.

You can view or download a copy of the paper HERE.




Cities Under Threat from Natural Disasters -- A Risk Assessment

In a report issued by the Swiss Reinsurance Company (cover and link below), an integrated view of the risks posed to cities around the world was offered.  The report notes that "...the growing concentration of people, assets and infrastructure also means that the loss potential in urban areas is high and rising."

http://media.swissre.com/documents/Swiss_Re_Mind_the_risk.pdf
The report summary also notes that "...physical prevention measures alone do not suffice to build a resilient city, since damage from the most severe catastrophes cannot be fully averted.  An important part of resilience is how well urban societies are able to cope with financial consequences of a disaster..."

Tables 3 and 4 of the report (below) summarize their findings relative to the top 10 global cities affected by the five perils of river flood, earthquake, wind storm, storm surge and tsunami.


With the continued conversation about climate change affecting sea levels and the comments noted above regarding storm surge it appears that flooding catastrophes are risks cities need to plan and prepare for.

At a minimum you may want to read the Preface and Introduction and glance at the tables prepared to gain a sense of the Swiss Re approach and conclusions.  The key conclusions are:


  • Asia's cities are the most at risk from natural disasters
  • Saving lives is and should be the highest priority in risk mitigation efforts
  • Investments to infrastructure are vital to strengthen the resilience of metropolitan areas
  • Investments in infrastructure would also help cities cope better with natural disasters and other shocks such as human pandemics and acts of terrorism. 

Anyway, as an "infrastructure geek" I found this review interesting and consistent with the other lessons learned from Super Storm Sandy, the 2011 Tohoku earthquake in Japan and the recent typhoon in the Philippines.




Friday, November 22, 2013

Microgrids and Security -- More News...

For the past three days I've been attending and speaking at the 3rd Military and Commercial Microgrids Summit in Del Mar, California -- just north of San Diego.  I was invited to speak on a panel entitled "The Role of Microgrids in Military and Commercial Cyber Security" as a result of my article in Jesse Berst's Smart Grid News about this subject back in May.



Overall, this was a very interesting conference organized by Infocast that included a pre-summit technology showcase reviewing microgrid technologies followed by a day and a half summit.  There were approximately eight case studies, seven panel discussions, 11 presentations and over 115 registered attendees.  The topics ranged from microgrid controls and inverters through to commercializing and financing microgrids.  The next microgrid summit is slated for the U.S. East Coast in May 2014 and I'd highly recommend you consider attending due to its content and how well this recent conference was organized.

Now regarding security of microgrids -- the conference dialogue was very refreshing.  Of note, the first three presentations by San Diego Gas & Electric, PricewaterhouseCoopers and IPERC highlighted the need to include cyber and physical controls in the microgrid deployments.  The IPERC presentation was especially interesting from a controls security perspective in that the microgrid controller communications they have developed are intended to be secure.

The best discussion regarding efforts to overtly include cybersecurity into microgrid deployments was the session on SPIDERS -- an effort paid for by the US Department of Defense and led by Sandia National Labs.  As you can see in the graphic below from Sandia Labs, the SPIDERS effort includes four phases and cybersecurity is an intended foundation for these deployments at Joint Base Hickam, Hawaii; Fort Carson, Colorado; Camp Smith, Hawaii; and future deployments.


So, the good news is that I am not the lone voice in the forest worrying about microgrid security; however, it still has a long way to go -- in my opinion -- before the security elements are built into the microgrid designs and deployments as a standard operating process.

So, what needs to be done?  Here are some ideas:

1)  Build a cybersecurity standard for microgrids that weaves in physical, IT, and Industrial Controls/OT security elements.  Perhaps an extension of NISTIR-7628, Guidelines for Smart Grid Cybersecurity, may be a good start.

2)  Leverage the work done by Sandia Labs in their Microgrid Cyber Security Reference Architecture.

3)  Establish some training modules on microgrid security -- perhaps this could be done under sponsorship of the Electric Power Research Institute (EPRI) or other similar organization to assure vendor neutrality.

It was obvious from the conference that we will be hearing more about microgrids in the future -- let's hope the news is about their cybersecurity resilience rather than weaknesses.

PS -- Happy Thanksgiving to my US readers!  Have a safe week!


Sunday, November 17, 2013

Electric Grid Cyber Exercise - GridEx II

During the past month or so there has been a considerable emphasis on the resilience of the U.S. Electric Grid.  For instance the National Geographic Channel ran a program on a simulated cyber attack of the electric grid that resulted in a substantial national blackout (please see my blog comments HERE).

Secondly, the SANS Institute posted a well-produced video showing how a cyber attack could occur on an electric utility in the U.S.  You can view this very enlightening, eight-minute-long video HERE.



Thirdly, on Wednesday, November 13th, the North American Electric Reliability Corporation (NERC) began conducting a two-day national cyber war game to determine how resilient the electric grid and its many utility operators and supporters are to such an attack.  My friend Andy Bochman wrote about this exercise in his BLOG and Mr. Matthew Wald of the New York Times wrote an interesting article summarizing the drill.  NERC's very brief press release regarding the exercise is HERE.

Some key summary notes about the exercise include (Thanks to Mr. Wald's article for most of these "facts."):
  • The exercise was named "GridEx II" (the first Grid Exercise -- aka GridEx -- was held in 2011)
  • More than 200 industry and government organizations participated in the cyber and physical security exercise
  • The exercise was designed to enhance and improve cyber and physical security resources and practices within the industry. 
  • Each hour of drill time was meant to simulate four hours of actual activity -- the drill ran for eight hours on Wednesday and four hours on Thursday
  • The exercise gave participants the opportunity to check the readiness of their crisis action plans through simulated attacks/events to self-assess response and recovery capabilities, and to adjust actions and plans as needed, while communicating with industry and government organizations.
  • The simulated attacks included:
    • injected computer malware
    • cyber denial of service attacks
    • bombed transformers and substations
    • knocked out power lines
    • 150 simulated "casualties" including seven deaths of police officers, firefighters and utility workers investigating the attack scenes who were "shot" by attackers still at the damaged location
  • One main aspect of the drill was a log of all phone and email communications to determine whether the participants could promptly reach the appropriate people at power companies, police stations or distant cybersecurity centers, and whether they could communicate the appropriate information. 
  • According to Mr. Wald's article even the Royal Canadian Mounted Police (RCMP) participated in GridEx II. -- Don't forget that the electric grid we rely upon is the "North American" electric grid and Canadian electric companies are major providers of power to the U.S.

If done right, exercises are an excellent way to really stress your policies, procedures and resources and to see how well prepared your company/state/region/country is for the "real thing."  My exposure to GridEx II -- albeit limited -- has certainly given me a sense that this was a good test and worthwhile for the electric grid operators, managers, regulators and policy makers.

I'm looking forward to the formal after-action report.

And, just to show the value of such exercises, here is a quote from Mr. Wald's NYT article that made me take notice:

At the Southwestern Electric Power Company, a subsidiary of American Electric Power that serves parts of Louisiana, Arkansas and eastern Texas, attackers used guns and bombs against a power plant and a transformer, and 108,000 of the company’s 520,000 customers lost power. “There were certainly surprises for us,” said Venita McCellon-Allen, the president and chief operating officer. “I sat up straight in my chair.”

Thanks to the GridEx team!  Well done!

Wednesday, November 6, 2013

"The Bits and Bytes ... have been Weaponized"

In a fascinating article published yesterday in Automation World the author reviewed the opening remarks and panel conversations being held at the ISA Automation Week conference in Nashville.

Retired USAF Brigadier General Rudolf Peksens was quoted as saying:

“The bits and bytes in our systems have been weaponized, and your systems are being penetrated at will.” 


In the Industrial Controls Security space as well as the enterprise domain there are many concerns about how the cyber "bad guys" are causing problems with theft of intellectual property, financial information and instruments, etc.  Even Stuxnet has been declared to be a cyber weapon -- and don't forget Shamoon and its impact in the Middle East.


Anyway, the article is a good read if you are into critical infrastructure protection with emphasis on cyber security of both IT and Operations Technology (OT) systems.  The point is that the "battle space" is expanding with the expansion of digital devices and systems and we need to pay attention and take defensive action.

Cheers!


Tuesday, November 5, 2013

Storm Photos - Our Infrastructure Under Duress

I just saw this slide show today including some interesting photos of post-storm damage and the important and courageous individuals who "fix" the problems.



Thanks to the public servants, utility workers and the volunteers who help restore our infrastructure back to "normal."

Have a good week, everyone and stay safe!

Sunday, November 3, 2013

Obama Proclamation - Nov 2013 - Critical Infrastructure Security and Resilience Month

With my blog's focus on infrastructure security I need to let my readers know of President Obama's proclamation last week.  The President has announced that November 2013 is Critical Infrastructure Security and Resilience Month.



With the anniversary of Super Storm Sandy last week, and with the events of this past year that included natural disasters impacting various infrastructure systems, it certainly makes sense that we need to continue our collective focus on critical infrastructure and make it more resilient.

Finally, as a reminder, President Obama has signed one order and one directive focused on improving cybersecurity of critical infrastructure.  Those documents include:

  • Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”
  • Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience”

And, due to these deliverables from the President, the National Institute of Standards and Technology (NIST) has been working with industry to develop a Cybersecurity Framework that is currently in draft and is open for comments due on 13 December 2013.

The good news is that the Administration is raising awareness on these important issues to our national defense and economy.  Let's just hope we -- our government and industries -- do not get bogged down in politics and instead help the country take action to repair and improve our infrastructure.

Cheers!





Saturday, October 26, 2013

Cyber Issues for Board and Chief Legal Officers

As my friends will tell you I am a voracious reader -- especially when it comes to cyber and physical security, supply chain security, critical infrastructure protection and industrial controls systems (ICS) security.  This past week I was catching up on my "to be read" pile and found a fantastic article I'd like to post.

Please take a moment to check out this web page -- Government Technology and Services Coalition -- otherwise known as GTSC.  From their website: "The Government Technology & Services Coalition (GTSC) is a nonprofit 501 (c)(6), non-partisan association of innovative, agile small and midsized company CEOs that create, develop, and implement solutions for the Federal homeland and national security sector."



On the GTSC Blog there was a really well done article by Divonne Smoyer, Brian E. Finch, and Emanuel Faust, Partners, Dickstein Shapiro LLP.  The blog is entitled "Ten Cyber Issues Board and Chief Legal Officers Need to Know (and Worry) About."

Of course when I saw the word "cyber" and the focus on Boards of Directors and Chief Counsels I immediately wanted to read it...and it was worth the time.

Ok, what are the 10 issues they want Board members to recognize?  Here they are in brief:

  1. The stakes to share value and the bottom line are high.
  2. The hackers are two steps ahead of you already.
  3. Cyber and data loss threats pose merger risks.
  4. Lost or stolen intellectual property or customer or employee information can turn a deal from sweet to sour.
  5. There is a maze of state and Federal data protection and data loss notification requirements to navigate.
  6. The failure to be fully informed of and proactive against cybersecurity and data loss risks could lead to litigation.
  7. If the breach doesn't get you, the litigation will.
  8. There are Federal programs available to help mitigate corporate liability through the SAFETY* act.
  9. Insurance coverage is available through traditional or tailored policies.
  10. Outside counsel comes with the benefit of attorney-client privilege.


Many thanks to Mr. Finch, et al, for their insights.  It was quite interesting and validated my own opinion -- and I believe my friend Andy Bochman's opinion -- that the Directors and Chief Counsels need to be attuned to cyber security issues since these issues can -- and will -- affect their business.

Cheers!

* SAFETY Act: the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (known as the SAFETY Act). This law provides tort liability protections for products and services that can be used to detect, defend against, or respond to cyber attacks. It is essential that boards and their legal advisors be aware of these programs and assess their applicability to cybersecurity products and services they either procure or deploy on their own.

Monday, October 21, 2013

At the Risk of Presenting FUD**.....

**FUD = Fear, Uncertainty and Doubt

On Sunday, October 27th the National Geographic Channel will be presenting a "world premiere movie event" called American Blackout.  It looks like it is scheduled for 9 PM Eastern and Pacific -- please check your local listings.



This is a video made on the premise that the US electric grid would be knocked out due to a cyber attack.

I have not seen the video -- only the trailer, which you can find at this link.

If you look closely on the video there is a link http://www.survivetheblackout.com/1/ that takes you to a graphic depicting the 10 days of the blackout along with some ideas described as "Personalize your Experience" to help you through such events.  A screen shot of "Day 1" is below.  This information does appear to be helpful and less dramatic than posed in the video.

http://www.survivetheblackout.com/2/

I plan on watching the show, but the trailer leaves me concerned that there will be more "drama" than fact.  If NOVA were offering this video I'd be more confident in the factual content and demeanor.

Anyway, decide for yourself, but please remember that the North American electric grid (map below) is made up of several large, separately operated interconnections (the Eastern, Western, Texas/ERCOT and Québec interconnections), so knocking out the entire US grid at once is highly unlikely -- even from a physical or cyber attack.

I look forward to your thoughts on this video.

Cheers!

http://www.spp.org/publications/NERC_Interconnections_color_map_comm_toolkit.jpg



Microgrid Security -- European Utility Week, Amsterdam

On May 1, 2013 I wrote an article for Jesse Berst's Smart Grid News entitled "Interested in Microgrids? Don't forget security." That article resulted in three invitations to speak on the subject.

The first invitation resulted in speaking on May 23rd about Microgrid Security at the "Smart Grid Cyber Security Virtual Summit 2013" sponsored by Smart Grid Observer.  This was an opportunity to provide a very high-level overview of microgrids and what security issues are of concern.

The second invitation took me last week to Amsterdam, The Netherlands, where I was an invited speaker on a microgrid panel at the European Utility Week (EUW) conference.

The third invitation was to speak at the 3rd Military and Commercial Microgrids conference scheduled for San Diego on November 20-22, 2013.  At that conference I will be on the panel "The Role of Microgrids in Military & Commercial Cyber Security."



The EUW was a very busy and well-attended event!  The size and busyness reminded me of RSA-level meetings at Moscone Center in San Francisco.  There were over 300 booths and 8,000+ attendees from around the world, predominantly Northern and Western Europe; however, I did meet some attendees from Hungary, Bulgaria, the Middle East, Asia and Africa.  There were even a few USA folk, though I was informed by the organizer that several speakers from the US had to cancel due to the US government shutdown.



Anyway, my talk on Microgrid Security Considerations included the following agenda:


  • Introduction to Microgrids**
  • Types of Microgrids
  • Microgrid Installations
  • Enabling Technologies
  • Security Issues
  • A Case Example
  • Q&A
My fellow panelists included Dr. Monica Aguado from the Spanish National Renewable Energy Centre (CENER), Mike Gordon of Joule Assets (US), Steve Pullins, Chief Strategy Officer of Green Energy Corp (US), and Jöerg Müeller of Accenture (Germany), moderated by Dr. Simon Minett, Managing Director of Challoch Energy.



** I have written a white paper, Introduction to Microgrids, that is free upon request.  Please send me an email if you would like a copy.

Overall the meeting was interesting, busy, and definitely offered the "European View" of electric grid issues, highlights on the massive installation of renewables (especially Germany), ubiquitous discussions about Smart Meters, and even a few "less than positive comments" about the US' inability to run its government :-(

I hope to go again in the future.  In the meantime, please join me in San Diego at the Microgrids Conference in November.

Cheers!

Sunday, October 13, 2013

"What's the Deal?" 21st Century Energy Conference

This week I had the honor to be invited as the afternoon keynote at the annual energy conference sponsored by the Connecticut Business and Industry Association (CBIA) in Cromwell, CT.  The title of my speech was Critical Infrastructure Protection & Industrial Cybersecurity -- The Electric Grid as a Model.


Overall this is a daunting topic, but one that is on many individuals' minds -- especially in states such as Connecticut, where critical infrastructure was hit pretty hard by Superstorm Sandy and where microgrids are actively being deployed to improve grid resiliency.

The agenda for the meeting and copies of the presentations are at this link.  Also, photos from the event are at this link.

Lastly, many thanks to the organizers for allowing me to represent Securicon at this event and to educate the audience on the many issues associated with electric grid cyber and physical security.

Wednesday, October 9, 2013

Hot Off the Press! New White Paper from ENISA on Learning from ICS Incidents

Today our friends at the European Network and Information Security Agency (ENISA) published a white paper entitled Can We Learn from SCADA Security Incidents?



The paper is about 10 pages long and offers some ideas on how to organize and perform a systematic approach to evaluating Industrial Control System/SCADA incidents.  One helpful element of the white paper is its Table 1, a roles matrix for incident response and analysis in control systems, which was extracted (as Table 5) from the US Department of Homeland Security (DHS)/Idaho National Labs document Recommended Practice: Creating Cyber Forensics Plans for Control Systems.

Overall I'd suggest you at least skim through the document and use it when developing ICS/SCADA incident response plans.  It will offer some useful guidance for programmatic and organizational approaches to ICS incident analysis.  The US DHS document referenced above will give you a more thorough technical perspective for ICS post-event forensics.

Thanks again ENISA!  Keep up the good work!


Sunday, October 6, 2013

From the UK: Executive Companion - 10 Steps to Cybersecurity

"Value, Revenue and Credibility are at stake.  Don't let cyber security become the agenda -- put it on the agenda."



There are so many guides, guidelines and documents available to help the security professional get a sense of what needs to be done and why.  The US National Institute of Standards and Technology (NIST) and Department of Homeland Security (DHS) certainly produce some excellent documents.  I've also cited our friends over in Europe at ENISA -- the European Network and Information Security Agency -- and some of their guidelines as excellent resources.

This past week I came across a document from the UK GCHQ called Executive Companion -- 10 Steps to Cyber Security.  It is a 20-page guide intended to get the attention of CEOs, CFOs and Board Members and to give them a summary sense of the cyber security challenges organizations face every day.  As I quoted from Mr. Lobban's introduction above, the best advice to today's Boards of Directors and CEOs -- in addition to CIOs and CISOs -- is to get cyber security awareness on the agenda at all levels of the company, including employees, vendors, consultants, shareholders, stakeholders, and other "holders."

Of course with a title like "10 Steps..." you are probably interested in the digest of the 10 actions to be taken.  Page 7 of the Executive Companion includes the graphic below that gives you a sense of the business steps the organization's leadership should take to "...review...invest where necessary...and to improve security..."


Overall, I like the graphic designed by GCHQ, but I do want to add one more consideration for all companies and organizations: assume you will have a data breach and that you will have an attacker inside your network -- don't assume otherwise.  As such, heed the above 10 items with the expectation that you will need to defend your data, your intellectual property, etc. sometime in the near future.

(To read more about the "Assumption of Breach" concept please see my article in Asian Power at this link.)

Take a moment to review the Guide and I'm sure you will find it useful to pass along to the CEO and Board.

Cheers!