Tuesday, November 26, 2013

White Paper Available - Introduction to Microgrids

As a follow-up to my presentations on Microgrid Security you may be interested in a white paper published at Securicon on Introduction to Microgrids.

You can view or download a copy of the paper HERE.

Cities Under Threat from Natural Disasters -- A Risk Assessment

In a report issued by the Swiss Reinsurance Company (cover and link below), an integrated view of the risks posed to cities around the world was offered.  The report notes that "...the growing concentration of people, assets and infrastructure also means that the loss potential in urban areas is high and rising."

The report summary also notes that "...physical prevention measures alone do not suffice to build a resilient city, since damage from the most severe catastrophes cannot be fully averted.  An important part of resilience is how well urban societies are able to cope with financial consequences of a disaster..."

Tables 3 and 4 of the report (below) are a summary of their findings relative to the top 10 global cities affected by the five perils of river flood, earthquake, wind storm, storm surge and tsunami.

With the continued conversation about climate change affecting sea levels and the comments noted above regarding storm surge it appears that flooding catastrophes are risks cities need to plan and prepare for.

At a minimum you may want to read the Preface and Introduction, and glance at the tables prepared, to gain a sense of the Swiss Re approach and conclusions.  The key conclusions are:

  • Asia's cities are the most at risk from natural disasters
  • Saving lives is and should be the highest priority in risk mitigation efforts
  • Investments in infrastructure are vital to strengthen the resilience of metropolitan areas
  • Investments in infrastructure would also help cities cope better with natural disasters and other shocks such as human pandemics and acts of terrorism. 

Anyway, as an "infrastructure geek" I found this review interesting and consistent with the other lessons learned from Super Storm Sandy, the 2011 Tohoku earthquake in Japan and the recent typhoon in the Philippines.

Friday, November 22, 2013

Microgrids and Security -- More News...

For the past three days I've been attending and speaking at the 3rd Military and Commercial Microgrids Summit in Del Mar, California -- just north of San Diego.  I was invited to speak on a panel entitled "The Role of Microgrids in Military and Commercial Cyber Security" as a result of my article in Jesse Berst's Smart Grid News about this subject back in May.

Overall, this was a very interesting conference organized by Infocast that included a pre-summit technology showcase reviewing microgrid technologies followed by a day and a half summit.  There were approximately eight case studies, seven panel discussions, 11 presentations and over 115 registered attendees.  The topics ranged from microgrid controls and inverters through to commercializing and financing microgrids.  The next microgrid summit is slated for the U.S. East Coast in May 2014 and I'd highly recommend you consider attending due to its content and how well this recent conference was organized.

Now regarding security of microgrids -- the conference dialogue was very refreshing.  Of note, the first three presentations by San Diego Gas & Electric, PriceWaterhouseCoopers and IPERC highlighted the need to include cyber and physical controls in the microgrid deployments.  The IPERC presentation was especially interesting from a controls security perspective in that the microgrid controller communications they have developed are intended to be secure.

The best discussion regarding efforts to overtly include cybersecurity into microgrid deployments was the session on SPIDERS -- an effort paid for by the US Department of Defense and led by Sandia National Labs.  As you can see in the graphic below from Sandia Labs, the SPIDERS effort includes four phases and cybersecurity is an intended foundation for these deployments at Joint Base Hickam, Hawaii; Fort Carson, Colorado; Camp Smith, Hawaii; and future deployments.

So, the good news is that I am not the lone voice in the forest worrying about microgrid security; however, it still has a long ways to go -- in my opinion -- before the security elements are built into the microgrid designs and deployments as a standard operating process.

So, what needs to be done?  Here are some ideas:

1)  Build a cybersecurity standard for microgrids that weaves in physical, IT, and Industrial Controls/OT security elements.  Perhaps an extension of NISTIR-7628, Guidelines for Smart Grid Cybersecurity, may be a good start.

2)  Leverage the work done by Sandia Labs in their Microgrid Cyber Security Reference Architecture.

3)  Establish some training modules on microgrid security -- perhaps this could be done under sponsorship of the Electric Power Research Institute (EPRI) or other similar organization to assure vendor neutrality.

It was obvious from the conference that we will be hearing more about microgrids in the future -- let's hope the news is about their cybersecurity resilience rather than weaknesses.

PS -- Happy Thanksgiving to my US readers!  Have a safe week!

Sunday, November 17, 2013

Electric Grid Cyber Exercise - GridEx II

During the past month or so there has been a considerable emphasis on the resilience of the U.S. Electric Grid.  For instance the National Geographic Channel ran a program on a simulated cyber attack of the electric grid that resulted in a substantial national blackout (please see my blog comments HERE).

Secondly, the SANS Institute posted a well-produced video showing how a cyber attack could occur on an electric utility in the U.S.  You can view this very enlightening, eight-minute-long video HERE.

Thirdly, on Wednesday, November 13th, the North American Electric Reliability Corporation (NERC) began conducting a two-day national cyber war game to determine how resilient the electric grid and its many utility operators and supporters are to such an attack.  My friend Andy Bochman wrote about this exercise in his BLOG and Mr. Matthew Wald of the New York Times wrote an interesting article summarizing the drill.  NERC's very brief press release regarding the exercise is HERE.

Some key summary notes about the exercise include (Thanks to Mr. Wald's article for most of these "facts."):
  • The exercise was named "GridEx II" (the first Grid Exercise -- aka GridEx -- was held in 2011)
  • More than 200 industry and government organizations participated in the cyber and physical security exercise
  • The exercise was designed to enhance and improve cyber and physical security resources and practices within the industry. 
  • Each hour of drill time was meant to simulate four hours of actual activity -- the drill ran for eight hours on Wednesday and four hours on Thursday
  • The exercise gave participants the opportunity to check the readiness of their crisis action plans through simulated attacks/events to self-assess response and recovery capabilities, and to adjust actions and plans as needed, while communicating with industry and government organizations.
  • The simulated attacks included:
    • injected computer malware
    • cyber denial of service attacks
    • bombed transformers and substations
    • knocked out power lines
    • 150 simulated "casualties" including seven deaths of police officers, firefighters and utility workers investigating the attack scenes who were "shot" by attackers still at the damaged location
  • One main aspect of the drill was a log of all phone and email communications to determine whether the participants could promptly reach the appropriate people at power companies, police stations or distant cybersecurity centers, and whether they could communicate the appropriate information. 
  • According to Mr. Wald's article even the Royal Canadian Mounted Police (RCMP) participated in GridEx II. -- Don't forget that the electric grid we rely upon is the "North American" electric grid and Canadian electric companies are major providers of power to the U.S.

If done right, exercises are an excellent way to really stress your policies, procedures and resources and to see how well prepared your company/state/region/country is for the "real thing."  My exposure to GridEx II -- albeit limited -- has certainly given me a sense that this was a good test and worthwhile for the electric grid operators, managers, regulators and policy makers.

I'm looking forward to the formal after-action report.

And, just to show the value of such exercises, here is a quote from Mr. Wald's NYT article that made me take notice:

At the Southwestern Electric Power Company, a subsidiary of American Electric Power that serves parts of Louisiana, Arkansas and eastern Texas, attackers used guns and bombs against a power plant and a transformer, and 108,000 of the company’s 520,000 customers lost power. “There were certainly surprises for us,” said Venita McCellon-Allen, the president and chief operating officer. “I sat up straight in my chair.”

Thanks to the GridEx team!  Well done!

Wednesday, November 6, 2013

"The Bits and Bytes ... have been Weaponized"

In a fascinating article published yesterday in Automation World the author reviewed the opening remarks and panel conversations being held at the ISA Automation Week conference in Nashville.

Retired USAF Brigadier General Rudolf Peksens was quoted as saying:

“The bits and bytes in our systems have been weaponized, and your systems are being penetrated at will.” 


In the Industrial Controls Security space as well as the enterprise domain there are many concerns about how the cyber "bad guys" are causing problems with theft of intellectual property, financial information and instruments, etc.  Even Stuxnet has been declared to be a cyber weapon -- and don't forget Shamoon and its impact in the Middle East.

Anyway, the article is a good read if you are into critical infrastructure protection with emphasis on cyber security of both IT and Operations Technology (OT) systems.  The point is that the "battle space" is expanding with the expansion of digital devices and systems and we need to pay attention and take defensive action.


Tuesday, November 5, 2013

Storm Photos - Our Infrastructure Under Duress

I just saw this slide show today including some interesting photos of post-storm damage and the important and courageous individuals who "fix" the problems.

Thanks to the public servants, utility workers and the volunteers who help restore our infrastructure back to "normal."

Have a good week, everyone, and stay safe!

Sunday, November 3, 2013

Obama Proclamation - Nov 2013 - Critical Infrastructure Security and Resilience Month

With my blog's focus on infrastructure security I need to let my readers know of President Obama's proclamation last week.  The President has announced that November 2013 is Critical Infrastructure Security and Resilience Month.


In light of the anniversary of Super Storm Sandy being last week and with the events of this past year that included natural disasters impacting various infrastructure systems it certainly makes sense that we need to continue our collective focus on critical infrastructure and make it more resilient.

Finally, as a reminder, President Obama has signed one order and one directive focused on improving cybersecurity of critical infrastructure.  Those documents include:

And, due to these deliverables from the President, the National Institute of Standards and Technology (NIST) has been working with industry to develop a Cybersecurity Framework that is currently in draft and is open for comments due on 13 December 2013.

The good news is that the Administration is raising awareness on these important issues to our national defense and economy.  Let's just hope we -- our government and industries -- do not get bogged down in politics and instead help the country take action to repair and improve our infrastructure.