Thursday, September 26, 2013

5th Annual Transmission West Summit - San Diego

This past week I was an invited speaker at the 5th Annual Transmission Summit West 2013 in beautiful San Diego, California.  The event was from the 23rd to 25th of September and I had the opportunity to sit in on the sessions on the 24th and 25th.  Of course I spoke on "Threats to Grid Reliability -- Dealing with Cybersecurity and Other Threats in an Era of Control Area Consolidation." on the last day / last session.

Sunrise Powerlink Photo

Overall the meeting was quite interesting and a bit different than I expected.  First, the session where I presented was the only discussion focused on infrastructure protection/cybersecurity per se.  There were no discussions about the implications of President Obama's recent executive order focused on improving critical infrastructure cyber security.  To me that was quite surprising and maybe an indicator of how much work we have to raise awareness...

However, the sessions were not boring by any means.  Instead they focused on such considerations as FERC Order 1000 and its impact on transmission grid competition, projects, etc.  Also, there were interesting conversations regarding new business and financing models to increase the profitability of transmission projects in lieu of low interest rates and players interested in investing in relatively low risk infrastructure projects.

Probably the best presentation was by Jim Avery, Sr Vice President of San Diego Gas & Electric where he discussed the Sunrise Powerlink transmission project that was built to help move renewable energy from the Imperial Valley to San Diego and to the more densely populated areas of the coast.  This project was basically built almost entirely by helicopter at a substantial cost to the rate payers.  And, as serendipity plays, the project was completed just in time to help bring power to the area concurrent with the unplanned permanent shut down of San Onofre Nuclear Generating Station (SONGS).

Of course there were some vendor presentations on their technologies and services that still were interesting to most in the crowd.

In conclusion, though, I will say that with the challenges the electric grid is facing from cyber threats and supply chain security encroachment it would make sense to increase the dialogue and education about these topics to the transmission infrastructure managers, utility VPs, and attorneys at the conference.

Maybe next year.....

For details on the conference it was managed by Infocast (  The link to the conference is

Sunday, September 22, 2013

Most Fantastic Substation Photo!! Thanks EPRI!

The photo below was included in the Electric Power Research Institute's (EPRI) recent State of Technology | 2013 report.

The report is an excellent read about the state of the energy business and new technologies.  You can download the report here.

(By the way I worked at EPRI for about six years and enjoyed every minute of it!  EPRI is a top organization and provides so much to the industry.)

Saturday, September 21, 2013

New Certification Targeting Critical Infrastructure - GICSP

Info Security Magazine (not to be confused with my friends at Information Security Magazine published by  SearchSecurity and TechTarget) recently posted an article regarding a new certification entitled the Global Industrial Cyber Security Professional (GICSP).  Supposedly this new certification will be developed by a " industry collaborative..." in conjunction with the GIAC or Global Information Assurance Certification.

According to the article:

The objective of the certification is to help organizations which design, deploy, operate and maintain industrial automation and control system infrastructure to ensure best practices, starting with individual skills and knowledge. The GICSP will be available to candidates in late November 2013.

The community initiative plans to establish an open body of knowledge for process control design and information technology security as well. When it comes to ICT security, system vendors, project engineering contractors, process operators, IT service providers and maintenance/support personnel all require a blended set of IT, engineering and cybersecurity competencies.

For a closer look at the details regarding the certification, areas covered, exam requirements and frequency of recertification please take a look at the GICSP details link here.

I will be sure to closely follow this certification and other commentary that surfaces.  We all agree that industrial controls security should be substantially improved and maybe this new certification will help raise awareness and performance standards in this critical area.

I would be interested in your opinions on this new certification.


Friday, September 20, 2013

ENISA Threat Landscape -- Mid-Year 2013

An organization I've had the pleasure and opportunity to work with in the past is the European Network and Information Security Agency -- referred to as ENISA.  ENISA has produced some excellent thought leadership and reports I highly recommend you review and at least be aware.  They are currently working on Industrial Controls/SCADA security and have also published some interesting reports on Cloud Security.

Today ENISA announced release of the ENISA Threat Landscape, Mid-year 2013 report.  They describe this as a "taste" of current developments related to the 2013 Threat Landscape.

In the report they include a figure of the top 16 threats and a comparison of their 2012 and 2013 Threat Landscape reports including whether the trend is increasing, stable or declining.

The good news is that they show SPAM as declining; however, 13 of the 16 threats (or 81 percent) are increasing. (Corrected Count/percentage)

For instance, the top five threats listed that are increasing include:

  • Drive-by exploits
  • Worms/Trojans
  • Code Injection
  • Exploit Kits
  • Botnets
The report is only five pages long and is an easy and interesting read.

Wednesday, September 11, 2013

A Salute to All Patriots

Today is Patriot's Day and it is a day to mourn all the heroes who lost their lives on 9/11 and to thank those who continue to ensure we are a free and safe country.

Many thanks to our public servants and may God bless our country!

Photo from: 

Tuesday, September 10, 2013

Rule #1 -- Protect the Data

In today's Utility Intelligence email newsletter there is an article by Mr. Russel Van Tuyl entitled "Cybersecurity rule #1: Know your network."

His article for energy/utility executives notes that the new NIST cybersecurity framework and even the Department of Energy  Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) can be used to argue that the first thing you need to know is your network so you can better defend it.

I will not argue that knowing your network architecture is important; however, what I will argue is that the first and foremost thing you need to know is where your data is and where your control systems are and how they are protected.

Knowing a network architecture will not help prevent a breach when your CEO loses a USB drive with critical corporate information.  Also, knowing your network presumes that your "perimeter" will protect you.  

Sadly, the perimeter and "castle and moat" methods of cyber security defense are not the most effective in protecting systems and data in today's "perimeterless" networks.