Saturday, October 26, 2013

Cyber Issues for Board and Chief Legal Officers

As my friends will tell you I am a voracious reader -- especially when it comes to cyber and physical security, supply chain security, critical infrastructure protection and industrial controls systems (ICS) security.  This past week I was catching up on my "to be read" pile and found a fantastic article I'd like to post.

Please take a moment to check out this web page -- Government Technology and Services Coalition -- otherwise known as GTSC.  From their website: "The Government Technology & Services Coalition (GTSC) is a nonprofit 501 (c)(6), non-partisan association of innovative, agile small and midsized company CEOs that create, develop, and implement solutions for the Federal homeland and national security sector."

On the GTSC Blog there was a really well done article by Divonne Smoyer, Brian E. Finch, and Emanuel Faust, Partners, Dickstein Shapiro LLP.  The blog is entitled "Ten Cyber Issues Board and Chief Legal Officers Need to Know (and Worry) About."

Of course when I saw the word "cyber" and the focus on Boards of Directors and Chief Counsels I immediately wanted to read it...and it was worth the time.

Ok, what are the 10 issues they want Board members to recognize?  Here they are in brief:

  1. The stakes to share value and the bottom line are high.
  2. The hackers are two steps ahead of you already.
  3. Cyber and data loss threats pose merger risks.
  4. Lost or stolen intellectual property or customer or employee information can turn a deal from sweet to sour.
  5. There is a maze of state and Federal data protection and data loss notification requirements to navigate.
  6. The failure to be fully informed of and proactive against cybersecurity and data loss risks could lead to litigation.
  7. If the breach doesn't get you, the litigation will.
  8. There are Federal programs available to help mitigate corporate liability through the SAFETY* act.
  9. Insurance coverage is available through traditional or tailored policies.
  10. Outside counsel comes with the benefit of attorney-client privilege.

Many thanks to Mr. Finch, et al, for their insights.  It was quite interesting and validated my own opinion -- and I believe my friend Andy Bochman's opinion -- that the Directors and Chief Counsels need to be attuned to cyber security issues since these issues can -- and will -- affect their business.


* SAFETY Act: Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (known as the SAFETY Act). This law provides tort liability protections for products and services that can be used to detect, defend against, or respond to cyber attacks. It is essential that boards and their legal advisors be aware of these programs and assess their applicability to cybersecurity products and services they either procure or deploy on their own.

Monday, October 21, 2013

At the Risk of Presenting FUD**.....

**FUD = Fear, Uncertainty and Doubt

On Sunday, October 27th the National Geographic Channel will be presenting a "world premiere movie event" called American Blackout.  It looks like it is scheduled for 9 PM Eastern and Pacific -- please check your local listings.

This is a video made on the premise that the US electric grid would be knocked out due to a cyber attack.

I have not seen the video -- only the trailer, which you can find at this link.

If you look closely at the video there is a link that takes you to a graphic depicting the 10 days of the blackout along with some ideas described as "Personalize your Experience" to help you through such events.  A screen shot of "Day 1" is below.  This information does appear to be helpful and less dramatic than what is posed in the video.

I plan on watching the show, but the trailer concerns me that there will be more "drama" than fact.  If NOVA were to be offering this video I'd be more confident in the factual content and demeanor.

Anyway, decide for yourself but please remember that the North American electric grid (map below) is made up of large, separate geographic sections and that knocking out the entire US grid is highly unlikely -- even from a physical or cyber attack.

I look forward to your thoughts on this video.


Microgrid Security -- European Utility Week, Amsterdam

On May 1, 2013 I wrote an article for Jesse Berst's Smart Grid News entitled "Interested in Microgrids? Don't forget security." That article resulted in three invitations to speak on the subject.

The first invitation resulted in speaking on May 23rd about Microgrid Security at the "Smart Grid Cyber Security Virtual Summit 2013" sponsored by Smart Grid Observer.  This was an opportunity to provide a very high-level overview of microgrids and what security issues are of concern.

The third invitation I received was to speak at the 3rd Military and Commercial Microgrids conference scheduled for San Diego on November 20-22, 2013.  At this conference I will be on the panel "The Role of Microgrids in Military & Commercial Cyber Security."

However, last week I was in Amsterdam, The Netherlands as an invited speaker at the European Utility Week conference speaking on a microgrid panel.

The EUW was a very busy and well-attended event!  The size and "business" reminded me of RSA-level meetings at Moscone Center in San Francisco.  There were over 300 booths and 8,000+ attendees from around the world but predominantly Northern and Western Europe; however, I did meet some attendees from Hungary, Bulgaria, the Middle East, Asia and Africa.  There were even a few USA folk; however, I was informed by the organizer that several speakers from the US had to cancel due to the US government shutdown.

Anyway, my talk on Microgrid Security Considerations included the following agenda:

  • Introduction to Microgrids**
  • Types of Microgrids
  • Microgrid Installations
  • Enabling Technologies
  • Security Issues
  • A Case Example
  • Q&A

My fellow panelists included Dr. Monica Aguado from the Spanish National Renewable Energy Centre (CENER), Mike Gordon of Joule Assets (US), Steve Pullins - Chief Strategy Officer of Green Energy Corp (US), and Jöerg Müeller of Accenture (Germany); the panel was moderated by Dr. Simon Minett, Managing Director of Challoch Energy.

** I have written a white paper, Introduction to Microgrids, that is free upon request.  Please send me an email if you would like a copy.

Overall the meeting was interesting, busy, and definitely offered the "European View" of electric grid issues, highlights on the massive installation of renewables (especially Germany), ubiquitous discussions about Smart Meters, and even a few "less than positive comments" about the US' inability to run its government :-(

I hope to go again in the future.  In the meantime, please join me in San Diego at the Microgrids Conference in November.


Sunday, October 13, 2013

"What's the Deal?" 21st Century Energy Conference

This week I had the honor to be invited as the afternoon keynote at the annual energy conference sponsored by the Connecticut Business and Industry Association (CBIA) in Cromwell, CT.  The title of my speech was Critical Infrastructure Protection & Industrial Cybersecurity -- The Electric Grid as a Model.

Overall this is a daunting topic but one that is on many individuals' minds -- especially in such states as Connecticut, where their critical infrastructure was hit pretty hard by Super Storm Sandy and where they are actively deploying microgrids in the state to improve grid resiliency.

The agenda for the meeting and copies of the presentations are at this link.  Also, photos from the event are at this link.

Lastly, many thanks to the organizers for allowing me to represent Securicon at this event and to educate the audience on the many issues associated with electric grid cyber and physical security.

Wednesday, October 9, 2013

Hot Off the Press! New White Paper from ENISA on Learning from ICS Incidents

Today our friends at the European Network and Information Security Agency (ENISA) published a white paper entitled Can We Learn from SCADA Security Incidents?

The paper is about 10 pages long and offers some ideas on how to organize and perform a systematic approach to evaluating Industrial Control System/SCADA incidents.  One helpful element of the white paper is Table 1, which shows a roles matrix for incident response and analysis in control systems; it was extracted (as Table 5) from the US Department of Homeland Security (DHS)/Idaho National Labs document Recommended Practice: Creating Cyber Forensics Plans for Control Systems.

Overall I'd suggest you at least skim through the document and use it when developing ICS/SCADA incident response plans.  It will offer some useful guidance for programmatic and organizational approaches to ICS incident analysis.  The US DHS document referenced above will give you a more thorough technical perspective for ICS post-event forensics.

Thanks again ENISA!  Keep up the good work!

Sunday, October 6, 2013

From the UK: Executive Companion - 10 Steps to Cybersecurity

"Value, Revenue and Credibility are at stake.  Don't let cyber security become the agenda -- put it on the agenda."

There are so many guides, guidelines, and documents available to help the security professional get a sense of what needs to be done and why.  The US National Institute of Standards and Technology (NIST) and Department of Homeland Security (DHS) certainly produce some excellent documents.  I've also cited our friends over in Europe at ENISA -- the European Network and Information Security Agency -- and some of their guidelines as excellent resources.

This past week I came across a document from the UK GCHQ called Executive Companion -- 10 Steps to Cyber Security.  It is a 20-page guide intended to get the CEO/CFO/Board Members' attention and to give them a summary sense of the cyber security challenges organizations face every day.  As I've quoted from Mr. Lobban's introduction above, the best advice to today's Boards of Directors and CEOs -- in addition to the CIOs and CISOs -- is to get cyber security awareness on the agenda at all levels of the company including employees, vendors, consultants, shareholders, stakeholders, and other "holders."

Of course with a title like "10 Steps..." you are probably interested in the digest of the 10 actions to be taken.  Page 7 of the Executive Companion includes the graphic below that gives you a sense of the business steps the organization's leadership should take to "...where necessary...and to improve security..."

Overall, I like the graphic designed by GCHQ but I do want to add one more consideration for all companies and organizations.  Basically you need to assume you will have a data breach and you will have an attacker inside your network -- don't assume otherwise.  As such, heed the above 10 items with the expectation that you will need to defend your data, your intellectual property, etc. sometime in the near future.

(To read more about the "Assumption of Breach" concept please see my article in Asian Power at this link.)

Take a moment to review the Guide and I'm sure you will find it useful to pass along to the CEO and Board.