Wednesday, December 15, 2010

The Smart Grid Security Misinformation Network

A lot of the news we hear about Smart Grid security seems to focus on how we are all potentially doomed due to the lack of attention being given to Smart Grid security.  Bad news does seem to get a lot of attention, so I can certainly see how this may be a great way to attract readers.  I have a Google Alert set to "Smart Grid Security", and every evening I get an email with the latest headlines.  It seems to come in waves, but I get a lot of links to random postings where the author proclaims that not enough attention is being given to Smart Grid security.

I am not sure what "enough" really means in the eyes of many of these authors, but I will say that there are a lot of people paying very close attention to Smart Grid security.  I personally belong to 2 of 12 NIST Smart Grid Cyber Security Working Groups (http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/WorkingGroupInfo) and these groups generally meet for 1 hour per week.  Members from every corner of the energy and security industries regularly attend these meetings, and the discussions and associated tasks are certainly focused on securing our Smart Grid.  The NIST CSWG is also where the NISTIR 7628 Security Guidelines came from, which was a collaborative effort of over 400 people from the energy, security, legal, regulatory, government, educational, and general technology industries.  Many of these same people are still quite active in the efforts of the NIST Smart Grid Interoperability Panel (SGIP) and NIST CSWG.  Besides the NIST effort, several standards development organizations have become involved in working towards developing standards for securing the smart grid.  

The US Department of Homeland Security has put together a comprehensive Industrial Control Systems Joint Working Group (ICSJWG), which is open to anyone who wants to help (http://www.us-cert.gov/control_systems/icsjwg/index.html).  I am also a member of this group, and recently attended a conference (also open to anyone who wishes to attend) in Seattle, Washington.  The speakers were all excellent (okay, I was one of them), and the presentations are all freely available at http://www.us-cert.gov/control_systems/icsjwg/presentations.html .

Under the UCA International Users Group (UCAIUG) there exists the vaunted and very active Open Smart Grid (OpenSG) users group, with several active Smart Grid security groups operating under their umbrella.  Literally hundreds of people (many of the same working with the NIST groups) meet regularly to discuss security, take on tasks, and publish documentation which has been utilized by NIST to help develop their special publications (including NISTIR 7628), and by both utilities and public utility commissions to guide their security efforts and regulatory efforts.

The Federal Energy Regulatory Commission (FERC) has worked with the North American Electric Reliability Corporation (NERC), who have developed critical infrastructure protection requirements (NERC CIPS), which are used by utilities for auditing the security in bulk generation and transmission.  The US Department of Energy (DOE) has granted millions of dollars to organizations who are charged with researching and developing security methods to protect our energy infrastructure.

There are several active Smart Grid and Industrial Control Systems mailing lists, and several LinkedIn groups focused on Smart Grid security discussions and collaboration.  Several research organizations (most notably Pike Research) have invested enormous efforts on researching and reporting on the topic of Smart Grid security, and the security product and vendor community has come out in force to address the challenges that are constantly being discovered and discussed among Smart Grid security professionals.

Of course, I must take the opportunity to also give myself a shameless plug, since I created the Smart Grid Security Summit (www.smartgridsecuritysummit.com), which took place this past summer, and this has led to the upcoming Smart Grid Security East conference (www.smartgridsecurityeast.com), where representatives from all the above-mentioned organizations (and a lot more) will be presenting on nearly every Smart Grid security topic there is to talk about.  I certainly hope some of you can make it to the event.  It will be worth your time if Smart Grid security information is what you seek.  You can also freely join and attend meetings of the NIST, DHS, and OpenSG groups.  Anyone interested in helping is welcome.

Otherwise, please continue to peruse the fear, uncertainty, and doubt (FUD) driven news headlines.  If nothing else, they are quite entertaining.
