Thursday, July 14, 2011

The NRECA Cooperative Research Network Security Strategy

It was through a conversation I was having with Christopher Villarreal, Regulatory Analyst with the California Public Utility Commission (CPUC), that I was first made aware of Craig Miller, who is the Project Manager for the National Rural Electric Cooperative Association (NRECA).  Chris is generally a soft-spoken guy, and that makes me pay a bit more attention to him when he talks.  He told me that I really needed to reach out to Craig Miller and include him in my Smart Grid Security Summit as a speaker, since Craig seemed to know what he was talking about with respect to cybersecurity.

It took me a while, but I finally got through to Craig (he is a busy guy).  I have to admit, being someone who has had a lot of conversations with "the big boys" in the world of Smart Grid security, I was not expecting the level of knowledge and professionalism that the NRECA exhibited.  Suffice it to say, the members of the NRECA are well served by the organization.

Let me explain.

Craig was a panelist at my Smart Grid Security East conference in Knoxville, TN this past March, 2011, and he was easily one of the most popular panelists at the event.  He does not mince words when he speaks.  He is a consummate straight shooter in every sense of the word, and gets down to business right away.  When asked about what the NRECA is doing to help their COOP network address security, he will tell you that they are defining a "process of continuous improvement", and goes on to explain that rather than telling their members what to do, they offer detailed and ACTIONABLE guidance, as well as continual educational programs.  It reminds me of the saying "Give a man a fish and he can feed himself for a day. Teach a man to fish, and he can feed himself forever."

Back in March, it was all great talk, and I (and many others) left the event wondering how this program worked.  It did not take long to find out.  In May of 2011 (2 months after my conference) the NRECA released A Guide to Developing a Cyber Security and Risk Mitigation Plan, and made it publicly available for all to see.  It is a fantastic collection of materials, put together with the assistance of Cigital, and besides providing a fantastic collection of well-referenced cybersecurity guidance (much of it based on the NISTIR 7628 guidance document), it provides templates and plenty of "getting started" materials.

Why is this so important?  I'm glad you asked...

It may come as a surprise to many of you, but the fact is that most facilities that generate power in our great nation are not staffed with massive IT departments, much less security experts.  This is true in general, and certainly true in the COOP world.  Providing guidance is important, but providing ACTIONABLE guidance is far more important.  This is important because cybersecurity is quite daunting to the uninitiated.  Showing someone how to do it (rather than telling them what to do) is what the NRECA CRN program focuses on.  They do not dictate to the COOP network (remember, the NRECA works for the COOP network, and not the other way around). They offer well-researched guidance and continual support.

Craig Miller will be returning to my conference in October, 2011, and if you get a chance to read the NRECA documents prior to that event, please do so, and make sure you make it to my conference, where you can meet the man himself, and I am sure he will be happy to answer your questions.

Just be prepared for straight answers...he does not mince words.
