Thursday, September 15, 2011

Smart Grid Security East 2011: AMI Vendor Roundtable


This is the video taken of the AMI Vendor Roundtable panel at the Smart Grid Security East conference in March 2011.

The presenters were:

Edward Beroset, Director of Technology & Standards, Elster Solutions Inc.
Stephen Chasko, Principal Security Engineer, Landis+Gyr
Walter Sikora, VP of Security Solutions, Industrial Defender
Ido Dubrawsky, Principal Software Engineer/Security, Itron

We hope you will join us at the EnergySec Smart Grid Security Summit West 2011 conference from October 3-5 in San Diego, California.









See you at the next event - www.smartgridsecuritysummit.com

Sunday, September 11, 2011

Smart Grid Security East 2011: Panel - How Utilities Are Managing Security

This is the video taken of the "How Utilities Are Managing Security" panel at the Smart Grid Security East Conference in March 2011. 

The presenters were:
David Batz, Manager, Cyber & Infrastructure Security, Edison Electric Institute (EEI) 
Ward Pyles, Senior Security Analyst, Southern Company 
James Sample, Director of Enterprise Information Security, Tennessee Valley Authority (who has recently been promoted to CISO of Pacific Gas & Electric)
Robert Humphrey, Senior IT Security Analyst, Duke Energy
Moderator: Bob Lockhart, Senior Analyst, Pike Research

I am pleased to report that all of these panelists (and more) will be returning to the EnergySec Smart Grid Security Summit West conference from October 3-5 in San Diego, California.  We hope to see you there!







Friday, September 9, 2011

Smart Grid Security East 2011: NISTIR 7628 - Progress Report


This is the video taken of the NISTIR 7628 Progress Report session at the Smart Grid Security East Conference in March 2011.

The presenters were:
Annabelle Lee, Technical Executive - Cyber Security, EPRI
William Hunteman, Senior Advisor For Cyber Security, US Department of Energy (DOE)
Daniel Thanos, Chief Cyber Security Architect, GE Digital Energy
Sandy Bacik, Principal Consultant, EnerNex
Mike Coop, ThinkSmartGrid
Moderator: Mike Ahmadi

Please join us for the EnergySec Smart Grid Security Summit from October 3-5, 2011 in San Diego, California.












Thursday, September 8, 2011

Smart Grid Security East 2011: Keynote Address - Annabelle Lee

This is the video taken of Annabelle Lee's fantastic keynote at the Smart Grid Security East Conference in March 2011.  Please join us for the EnergySec Smart Grid Security Summit from October 3-5, 2011 in San Diego, California.





The Importance of Context When Discussing Smart Grid Security

This letter was originally posted on the excellent Smart Grid Security Blog.  It is a letter from former NERC CSO Michael Assante to the global community of stakeholders who are working diligently to keep our critical infrastructure safe from attackers.


I recently had an opportunity to learn about the importance of context. I tried to help someone understand the challenges of regulation and cyber security in the context of smart grid technology deployments and electric infrastructure, and learned once again how polarized this topic can become. Certainly many can appreciate the challenge of communicating with clarity on this topic, as it can be nuanced, highly-technical, process-laden, and mired in the details of a little-followed piece of history and U.S. federal and state law.

Let me begin by providing some of the context, or background, that explains why I work hard to help develop a better understanding of how cyber security impacts operational technology in critical infrastructures. As a boy I was fascinated with the engineering required to generate and deliver electricity. To me, the power system represented a grand achievement that demonstrated what dedicated men and women could accomplish.

My father worked for a utility and was rightfully proud of the public service his company delivered to homes, schools, manufacturing plants, and hospitals. He worked with impressive machines that excavated coal, and cutting edge control centers with analog light displays. But the thing that made the biggest impact on me was the dedication with which my father and his colleagues performed jobs, and their uniform sense of mission, as they clearly understood that what they did made people’s lives better. I was quick to appreciate the vision, investment, and effort that enabled vast natural resources like coal and hydro-power to be turned into electricity, which was then transported and delivered over vast distances to every household and business.

The success of the electricity industry in designing, building and maintaining an incredible system of systems, continues to inspire children and adults alike. It has grown to become a critical infrastructure that underpins modern society. The delivery of highly-affordable and reliable electricity has paved the way for the industrial and technological revolutions that have transformed global economies. It is ironic that over the last forty years of progress, we have also created a significant set of challenges that need to be addressed as a consequence of our continued innovation.

The rapid advancement and application of digital technology has improved electric system operations, reliability, and process efficiency. But it carries with it a heavy responsibility. We must now safeguard this increasingly ubiquitous element of the grid from those who would seek to disrupt technology and cause harm.

This dilemma of digital technology is that, like electricity, it enables great things but can cause great damage if not managed properly. There is one very important difference, though. The nature of electricity is understood sufficiently to prudently manage the risks it can present, whereas cyber threats are constantly evolving and are co-adaptive (the threat will consider the protections you have employed and find ways to circumvent or compromise them). This has led me to conclude that many of the difficulties we experience addressing cyber security come less from how the electricity industry behaves, and originate more from the complex nature of digital technology and the unique risks it engenders.

Many of you know that I have often shared my thoughts on the difficulties of managing cyber risk in the complex and vast systems that comprise power grids. There are a number of necessary constraints, such as the golden rule of “first, do no harm” (do not negatively impact system reliability and safety). Other challenges have more to do with the state of industrial control system technology and the tough job of keeping up with the rapid changes in technology and the evolving capabilities of would-be cyber attackers.

NERC and the industry have pioneered the use of mandatory reliability standards as one tool to manage risks to reliability across the complex weave of entities that comprise the bulk power system in North America. I am confident that progress will continue to be made by NERC and the industry, but it takes time to learn what works well when dealing with the scale of the bulk power system and specifically, when trying to address the difficult-to-bound risk that comes from cyber threats. I, like many others, understand that we must continually evaluate the processes we use to develop and manage the CIP standards. We must consider the effectiveness of the standards requirements when compared to how digital systems are being compromised by current cyber attackers. Cognizant of the risks of unintended consequences, we need to fully understand the behaviors we are promoting by using standards that require strict compliance. Finally, we need to be mindful of the spirit and goal of the standards and the importance of providing enough flexibility so that utility security programs can adapt to best confront the threats they face.

I have had the pleasure of working alongside of some of the most gifted experts in power engineering and industrial control system security over the years. The power industry has a rich collection of experts often passionately inclined to work together as a community to solve complex problems. Their expertise is essential in determining how to best apply cyber defenses in the highly-specialized environments of power generation, transmission, and distribution. We would also, however, benefit from the experience and learnings of other industries’ cyber professionals who themselves labor to defend highly-targeted networks. I have grown to appreciate the adaptive nature of cyber threats and importance of maintaining a current understanding of how systems are compromised. NERC has engaged with the U.S. government to benefit from its understanding and should continue to look for opportunities to learn from government and cyber security experts from other industries bent on tackling this common problem.

Context matters in how we think about these problems, in how we frame our concerns, and in how we formulate new approaches so that we may attain the many benefits of new technologies while managing the risk. I am confident that we will begin to engineer away the worst consequences, continually find more effective practices and develop the necessary skills to better address sophisticated and ever changing cyber threats. This is a difficult task that will continue to require our best efforts, to include regulation. It is a task that demands a prudent approach as the effectiveness of our investments needs to be measurable and demonstrable. We must continue to innovate if we're to fully enjoy the many benefits of affordable and reliable electricity.

Michael can be reached at michael.assante@nbise.org

Michael will also be speaking at the EnergySec Smart Grid Security Summit West in San Diego, California, October 3-5, 2011.

Wednesday, September 7, 2011

Customer Data: Authorization, Privacy and Security - Smart Grid Security Summit East 2011

This is the video taken of the Customer Data: Authorization, Privacy and Security session at the Smart Grid Security East Conference in March 2011.  The presenters were:


Sandy Bacik, Principal Consultant, EnerNex
Megan Hertzler, Director of Data Privacy, Xcel Energy Services
Boris Segalis, Partner, Information Law Group
Moderator: Chris Kotting, ThinkSmartGrid


Please join us for the EnergySec Smart Grid Security Summit from October 3-5, 2011 in San Diego, California.

Due to the extreme popularity of Privacy in the Smart Grid, we will be hosting a pre-conference workshop.  Please make sure you sign up quickly, as space is limited.  You can sign up at http://www.smartgridsecuritysummit.com/Info/RegistrationInfo.aspx.








