This Blog includes thought leadership, news and pointers to helpful resources related to the rapidly evolving world of global infrastructure security, including physical and cyber concerns. These comments and opinions are my own and do not reflect those of my employer or others unless noted.
Saturday, October 26, 2013
Cyber Issues for Board and Chief Legal Officers
Monday, October 21, 2013
At the Risk of Presenting FUD**.....
**FUD = Fear, Uncertainty and Doubt
On Sunday, October 27th the National Geographic Channel will be presenting a "world premiere movie event" called American Blackout. It looks like it is scheduled for 9 PM Eastern and Pacific -- please check your local listings.
This is a video made on the premise that the US electric grid would be knocked out due to a cyber attack.
I have not seen the video --- only the trailer which you can find at this link.
If you look closely on the video there is a link http://www.survivetheblackout.com/1/ that takes you to a graphic depicting the 10 days of the blackout along with some ideas described as "Personalize your Experience" to help you through such events. A screen shot of "Day 1" is below. This information does appear to be helpful and less dramatic than posed in the video.
http://www.survivetheblackout.com/2/
I plan on watching the show, but the trailer concerns me that there will be more "drama" than fact. If NOVA were to be offering this video I'd be more confident in the factual content and demeanor.
Anyway, decide for yourself but please remember that the North American electric grid (map below) is made up of large, separate geographic sections and that knocking out the entire US grid is highly unlikely -- even from a physical or cyber attack.
I look forward to your thoughts on this video.
Cheers!
http://www.spp.org/publications/NERC_Interconnections_color_map_comm_toolkit.jpg
Microgrid Security -- European Utility Week, Amsterdam
On May 1, 2013 I wrote an article for Jesse Berst's Smart Grid News entitled "Interested in Microgrids? Don't forget security." That article resulted in three invitations to speak on the subject.
The first invitation resulted in speaking on May 23rd about Microgrid Security at the "Smart Grid Cyber Security Virtual Summit 2013" sponsored by Smart Grid Observer. This was an opportunity to provide a very high-level overview of microgrids and what security issues are of concern.
The third invitation I received was to speak at the 3rd Military and Commercial Microgrids conference scheduled for San Diego on November 20-22, 2013. At this conference I will be on the panel "The Role of Microgrids in Military & Commercial Cyber Security."
However, last week I was in Amsterdam, The Netherlands as an invited speaker at the European Utility Week conference speaking on a microgrid panel.
The EUW was a very busy and well-attended event! The size and "business" reminded me of RSA-level meetings at Moscone Center in San Francisco. There were over 300 booths and 8,000+ attendees from around the world but predominantly Northern and Western Europe; however, I did meet some attendees from Hungary, Bulgaria, the Middle East, Asia and Africa. There were even a few USA folk; however, I was informed by the organizer that several speakers from the US had to cancel due to the US government shutdown.
Anyway, my talk on Microgrid Security Considerations included the following agenda:
- Introduction to Microgrids**
- Types of Microgrids
- Microgrid Installations
- Enabling Technologies
- Security Issues
- A Case Example
- Q&A
My fellow panelists included Dr. Monica Aguado from the Spanish National Renewable Energy Centre (CENER), Mike Gordon of Joule Assets (US), Steve Pullins - Chief Strategy Officer of Green Energy Corp (US), and Jöerg Müeller of Accenture (Germany) moderated by Dr. Simon Minett, Managing Director of Challoch Energy.
** I have written a white paper, Introduction to Microgrids, that is free upon request. Please send me an email if you would like a copy.
Overall the meeting was interesting, busy, and definitely offered the "European View" of electric grid issues, highlights on the massive installation of renewables (especially Germany), ubiquitous discussions about Smart Meters, and even a few "less than positive comments" about the US' inability to run its government :-(
I hope to go again in the future... In the meantime, please join me in San Diego at the Microgrids Conference in November.
Cheers!
Sunday, October 13, 2013
"What's the Deal?" 21st Century Energy Conference
This week I had the honor to be invited as the afternoon keynote at the annual energy conference sponsored by the Connecticut Business and Industry Association (CBIA) in Cromwell, CT. The title of my speech was Critical Infrastructure Protection & Industrial Cybersecurity -- The Electric Grid as a Model.
Overall this is a daunting topic but one that is on many individuals' minds -- especially in such states as Connecticut where their critical infrastructure was hit pretty hard by Super Storm Sandy and also where they are actively deploying microgrids in the state to improve grid resiliency.
The agenda for the meeting and copies of the presentations are at this link. Also, photos from the event are at this link.
Lastly, many thanks to the organizers for allowing me to represent Securicon at this event and to educate the audience on the many issues associated with electric grid cyber and physical security.
Wednesday, October 9, 2013
Hot Off the Press! New White Paper from ENISA on Learning from ICS Incidents
Today our friends at the European Network and Information Security Agency (ENISA) published a white paper entitled Can We Learn from SCADA Security Incidents?
The paper is about 10 pages long and offers some ideas on how to organize and perform a systematic approach to evaluating Industrial Control System/SCADA incidents. One helpful element of the white paper is Table 1, which shows a roles matrix for incident response and analysis in control systems that was extracted from the US Department of Homeland Security (DHS)/Idaho National Labs document Recommended Practice: Creating Cyber Forensics Plans for Control Systems (Table 5).
Overall I'd suggest you at least skim through the document and use it when developing ICS/SCADA incident response plans. It will offer some useful guidance for programmatic and organizational approaches to ICS incident analysis. The US DHS document referenced above will give you a more thorough technical perspective for ICS post-event forensics.
Thanks again ENISA! Keep up the good work!
Sunday, October 6, 2013
From the UK: Executive Companion - 10 Steps to Cybersecurity
"Value, Revenue and Credibility are at stake. Don't let cyber security become the agenda -- put it on the agenda."
Ian Lobban, Director, UK Government Communications Headquarters (GCHQ)
There are so many guides, guidelines, documents available to help the security professional get a sense of what needs to be done and why. The US National Institute of Standards and Technology (NIST) and Department of Homeland Security (DHS) certainly produce some excellent documents. I've also even cited our friends over in Europe at ENISA - the European Network and Information Security Agency -- and some of their guidelines as excellent resources.
This past week I came across a document from the UK GCHQ called Executive Companion -- 10 Steps to Cyber Security. It is a 20-page guide intended to get the CEO/CFO/Board Members' attention and to get a summary sense of the cyber security challenges organizations face every day. As I've quoted from Mr. Lobban's introduction above, the best advice to today's Board of Directors and CEOs -- in addition to the CIOs and CISOs -- is to get cyber security awareness on the agenda at all levels of the company including employees, vendors, consultants, shareholders, stakeholders, and other "holders."
Of course with a title like "10 Steps..." you are probably interested in the digest of the 10 actions to be taken. Page 7 of the Executive Companion includes the graphic below that gives you a sense of the business steps the organization's leadership should take to "...review...invest where necessary...and to improve security..."
Overall, I like the graphic designed by GCHQ but I do want to add one more consideration for all companies and organizations. Basically you need to assume you will have a data breach and you will have an attacker inside your network -- don't assume otherwise. As such, heed the above 10 items with the expectations that you will need to defend your data, your intellectual property, etc. sometime in the near future.
(To read more about the "Assumption of Breach" concept please see my article in Asian Power at this link.)
Take a moment to review the Guide and I'm sure you will find it useful to pass along to the CEO and Board.
Cheers!