Friday, February 10, 2012

First Smart Grid Documentary Ever !

It's an interesting ride...so hang on!

I am fascinated by reality much more than I am fascinated by anything in the world of fantasy.  I mean, think about it for a moment.  In my life I have watched us go from phones with rotary dials and coiled cords that always got bizarrely tangled, tethered to walls via mysterious outlets, to handheld computers that allow you to place video calls, and allow you to have conversations with them as they reply to your commands with a sexy voice.

It seems like humans are capable of building anything if they see a need for it to be built, and that is the most fascinating story ever told...and it has been told many times in all of our lives, and as far as time goes back.

We all build things...create things if you will...for our own reasons, or for those who employ us.  It seems to me that the most interesting things built are built by those who are driven by a desire to make something great, or make something better, and not necessarily for a paycheck.

Don't get me wrong...a paycheck is nice, and definitely a necessity in life, but it is rarely the driver to those who want to build great things.  What drives people to build great things is the human need to prove to themselves (and others) that they can create great things, or make other things better.

It's a fascinating story to watch unfold, if you will take the time to discover it.  If you like your iPhone, you really should get yourself a copy of Steve Jobs' biography, and understand what drove him to create the device that literally changed the way we consume information, navigate, and communicate.

Besides reading books, my favorite way of consuming these fascinating tales of how things came to be as they are today is through watching documentaries...and lots of them.  I remember the first time I discovered that through Netflix streaming services I could watch literally hundreds of documentaries on nearly as many topics...and so I did (much to the chagrin of my small children).  It seems like I cannot get enough of them.  There are so many interesting stories to be told, and the documentarians seem to do a fine job of getting past the hype, marketing spin, and myths surrounding so many subjects worth exploring.

So let's fast forward to my security conference.  Back in 2010 my company was hired by a company (a silicon vendor) to produce a whitepaper that outlined the Smart Grid security landscape.  I dove right in, as I normally do, and attempted to capture the essence of the Smart Grid as quickly as I could.  What I soon discovered is that, although the Smart Grid was rapidly evolving, our understanding of the Smart Grid was changing with every passing moment.  The issue of Smart Grid security was particularly challenging to grasp, since the topic is very sensitive in nature to most, and those involved in the Smart Grid security ecosystem still had a lot to learn.  While I discovered pockets of knowledge here and there (e.g. NIST, OpenSG, DHS ICSJWG), there was no place I could go to truly immerse myself in the dialogue that I felt needed to happen.  There were lots of Smart Grid conferences out there, but they covered the topic of Smart Grid security at a very minimal level at best.  There were also lots of security conferences out there, but Smart Grid was only a tiny portion of the event.  I felt that we needed a Smart Grid security event, and created the first Smart Grid security conference that I knew of in the United States.  I was shocked to have around 100 people show up for the first event, and it led to two more after that (and my 4th event is coming up at www.GridSec.com, which is focused on not only Smart Grid, but also energy infrastructure security).

As someone who was working within the ecosystem,  I was able to bring in some great speakers, and gain the trust and support of some very key players.  I always sought to evolve the conference as the industry evolved, and decided that the next event (upcoming March 27-29 in Irving, Texas) should involve people at the CxO level, and went on a quest to find at least one utility CxO who would speak on the sensitive topic of security.  I have to say, it was a lofty goal and was not easy, but persistence pays off, and I was put in touch with Dave Hallquist, the CEO of the Vermont Electric Cooperative, who agreed to speak.  That, in and of itself, was absolutely fantastic.

What happened next (a few days later) became even more interesting.  Dave's son, Derek Hallquist, is a documentary film maker, and contacted me asking if he could film his father at my upcoming conference, since he had partnered with documentary film producer Aaron Woolf (of "King Corn" fame), and they were going to follow Dave Hallquist around the country as he went from conference to conference interacting with people in the Smart Grid world.  It was to be the first Smart Grid documentary ever created, and they planned to submit it to the Sundance Film Festival.

Needless to say, I was flabbergasted.  Not only was the story of the Smart Grid going to be told in a documentary (and we are still in the very early stages of the Smart Grid), but it was going to break ground at my conference.

This has, of course, unleashed a storm of interest and support from everyone I know in the industry.  Utilities are all thrilled, vendors are all thrilled, and all those who have helped me make this happen are all thrilled.  I was wondering when a Smart Grid documentary was going to come to fruition.

...now I know.

Please Attend This Seminal Event!
Sign Up At www.GridSec.com

Monday, December 5, 2011

Humbled By The Outpouring Of Support

This past week I discovered that an article I submitted to the Information Systems Security Association (ISSA) Journal had been selected for publication, and made the cover.  Although I am part of the editorial board (the shark tank, as we call it), I submitted it anonymously, and made the cut.  Needless to say, I was thrilled.

The article was about medical device security, and I have a Google Alert set up for medical device security.  The day after my article was published, I saw a Google Alert that pointed to an article with a similar title.  My article is called "Oh, Hackable You!" and the similarly titled article was "The Hackable You."  Interesting.

When I went to the website, I realized that the author of the article had, quite literally, completely plagiarized my article.  He changed the introduction a bit, copied and pasted the entire rest of the article WORD FOR WORD, and then changed the conclusion a bit.  It was obvious and willful fraud, and I was livid.

I immediately posted this on my Twitter feed, and what happened next truly reminded me why I absolutely love working with the information security community.  My dear friend Travis Goodspeed (who has over 2700 followers) re-tweeted it and then embarked on a quest to find out more about this person, who, as it turns out, is a serial plagiarist.  He quickly discovered that dozens of members of the infosec world had been plagiarized by this person, and let them all know that this had happened, which unleashed a Twitter storm like nothing I had ever witnessed.  Within hours the organization he works for had pulled the blog, issued a public apology, and called me (and at least one of the other writers) and personally apologized for the incident(s).

What amazes me about the information security community is that it has evolved into a very tight brotherhood, independent of any "official" regulatory body.  Every member of the community is charged with the duty of policing every other member, and NOBODY gets a free pass.  Anyone who tries to enter the infosec world and attempts to sell snake oil is immediately smacked down by the community.  It took me years of hard work to get to the point in my career where the community accepted me as one of their own, and I have to say that I am completely overwhelmed by the support, and by the knowledge that my brothers (and sisters) in the information security world are there for me...and I for them.

Thank you!

Saturday, November 5, 2011

The SCADA Within Us

I have been saying this for quite some time now, and I was absolutely thrilled when someone from the health care industry came up to me and said "We are running SCADA systems in health care."  For those who do not know what the acronym stands for, it is "Supervisory Control and Data Acquisition".

Let's examine this for a moment.

Supervisory - Medical systems are indeed used to supervise patients.  That is exactly what they do.

Control - Medical systems are indeed used to control patient procedures at many levels.  That is exactly what they do.

Data Acquisition - Medical systems record patient data constantly, and use this information to make decisions.  That is exactly what they do.

Yup!  They are SCADA systems.

I just returned from the Amphion Medical Forum in Minneapolis, home of Medtronic (the largest medical technology company in the world).  Medtronic is very concerned with medical device security, and they are now beginning to understand the potential impact of mounting interest among the attack sector in hacking SCADA systems.  Rest assured they are taking this VERY seriously, and this is an absolutely fantastic bit of news for the health care community, because they are the most likely organization to make an impact on health care security.  I applaud Medtronic executives for their decision to aggressively address these issues.

One of the most interesting discussions I had with a member of the Medtronic engineering staff, who seemed very familiar with SCADA systems, was about the very unique challenges the medical device industry is facing.  One challenge is that they cannot easily address physical security of many medical devices, since they are frequently found in patients (e.g. insulin pumps, pacemakers) or in their homes (e.g. monitors).  While it is possible to educate patients about this, it is nearly impossible to control physical security.  Another issue is that, even if devices are designed with firmware that can be updated, there is no easy way to update the firmware in devices implanted in the human body, and for several reasons.  One obvious reason is...well...because it is implanted in a human body.  Another reason is that many of these devices operate on coin sized batteries, and many of you know that firmware updates dramatically decrease battery life.  Let's not forget, by the way, that a failed firmware update on an implanted device that puts it in a denial-of-service (DoS) state is also very serious.

On the subject of power, if you think that the "traditional" SCADA systems have resource constraints, you are not even close to the resource constraints of some of these medical devices.  Let's not forget the need for reliability as well.

The health care industry is taking this very seriously, but there are some major challenges to address...and this is very high priority.

Health care touches each and every life on Earth.  I look forward to working with the health care industry to get this under control.

Friday, October 14, 2011

What We Really Want Is A Hot Meal, Good Health, And Electricity

Those of you that know me are perhaps aware that I have spent large portions of my life working in 3 somewhat distinct areas: Food Service, Health Care Security, and Smart Grid Security.  All 3 disciplines have taught me a few things that I carry with me every day.

I am no longer in the Food Service industry...thank God!  If any of you have ever watched Hell's Kitchen on TV, trust me...it is not far from reality.  Working in high technology means better pay, less heavy lifting, and weekends and holidays off (more or less).

Still, I learned some things in the Food Service industry that serve as valuable lessons to this very day.  One thing I learned is that regardless of how hard you work, you are inevitably judged for the last good (or bad) deed you accomplished, often irrespective of your history.  Memories are short, and you always have an opportunity to either redeem yourself, or fall flat on your face.  The choice is yours.

Another thing I learned about the Food Service industry is that they have 2 objectives:

  1. Make Food
  2. Get Paid For The Food

Hey!  What can I say?  I am nothing if I am not perceptive.

As it turns out, this carries over into both the Health Care and Energy industries.  The Health Care industry wants to deliver health and get paid for it.  The Energy industry wants to deliver energy and get paid for it.

We can apply this logic to just about any industry we choose, as it turns out :-)

Okay, so I am here to talk about security.  What does all of this have to do with security?

As it turns out, security is essentially about safety (or perhaps safety is really about security).  The two go hand in hand...and perhaps can be conflated in some (if not all) cases.

So let's go back to my life in foodservice for a moment.  Having spent many years working as a chef in restaurants, I noticed a few things about safety that were recurring themes.  One was that every single restaurant I worked in had a fire safety system installed by a competent installer, and (most importantly), the fire safety system itself was built by a competent manufacturer.  After this was done, the fire inspector would perform an inspection and make sure it satisfied the requirements for fire safety, and the fire inspector would periodically return to make sure all was in order.  Eventually, we saw the arrival of the National Fire Protection Association's Certified Fire Protection Specialist Certification Program, which is ANSI accredited.  Additionally, UL has a program in place for approval of fire safety systems (e.g. sprinklers) in use today.

Having worked in a restaurant where the fire safety system has triggered, I have to admit that it is very effective.  However, in retrospect, the fact that I find most interesting is that not one restaurant, hotel, or resort (and I worked for some big resorts) had any staff on board who was responsible for the design, implementation, and maintenance of the fire safety system.

They simply hired someone to put one in, got it inspected, and then went on with the business of making and serving food.  I have to say, it works splendidly.

Imagine that!

So let's take this back to the Health Care and Energy industries for a moment.  We need to understand that what we have to do in the security world is get to that point where health care and utility staffs can focus as much of their time as possible on delivering what they are in the business of delivering.  We are currently living in an environment where we have placed nearly all the burden for securing health care and energy systems on those who are ill suited for the job.  Sure, they are getting better...by hiring staff to help get them up to speed, and reaching out to professionals, but is this necessarily the desired end state?

I fully realize that the food service industry is not saddled with the enormous burden of protecting their network stack from intrusion, and that no level of cyber attack is likely to mess with the integrity of their signature dish covered with delicious Béarnaise sauce.  Yet the threat of fire is very real, generally quite devastating, and ever present.  Nonetheless, we have managed to create a management system that is both extremely effective and extraordinarily simple to live with.

...and let's look at the health care industry for a moment.

We are all familiar with the FDA (the Food and Drug Administration).  Hospitals use health care equipment and drugs that are FDA approved...and absolutely do not use any health care equipment or drugs that are not FDA approved.  Okay...at least they had better not...or face stiff fines and immediate shutdown (believe me, the FDA is hardcore about their rules).  Although it is a US organization, FDA approval is so highly regarded globally that most nations accept FDA approval as a "green light" for use in their own countries.  Health care providers do not have to manage staff to ascertain the safety of using FDA approved products.  They simply stick with the FDA approved products and (ostensibly) use them to deliver good health care.

I fully believe that we will eventually come to terms with cyber security issues, as we have come to terms with fire, and as we have come to terms with "snake oil" health care solutions of the past.  As Paul Kocher of Cryptography Research indicated during his excellent keynote at my Smart Grid Security Summit this past month, security today is still struggling with the same "snake oil" issues that health care had to deal with in the past.  As we continue to move forward with addressing cyber security issues, we all need to keep in mind that a lot of what we hear is going to be "snake oil", and we should look towards how other safety issues have been addressed in the past, and perhaps learn some valuable lessons.

Okay...now I'm hungry.

Monday, October 10, 2011

Upcoming Event: Amphion Medical Forum

I have been invited to moderate a panel at the Amphion Medical Forum on November 3rd, 2011 in Minneapolis, Minnesota.  This fantastic event features security experts who specialize in studying, understanding, testing, and addressing security issues related to connected medical devices.

What you may or may not know is that nearly every piece of medical equipment that collects and records data today (heart monitors, X-Ray machines, MRIs, IV Monitors...and the list goes on and on) has a communications stack of some kind built in, or will have one soon.  Recent demonstrations at Blackhat, for example, have re-awakened our consciousness to the seriousness of security issues surrounding medical devices (if this attack in 2008 was not enough).

If this is of interest to you, join me at the Amphion Medical Forum on November 3rd, where you will have an opportunity to listen to some of the most brilliant minds in the world of medical device security, as well as meet them face to face.

Oh...and by the way...IT'S FREE !

See you there!

Mike Ahmadi

P.S. To guarantee yourself an invitation, use priority code "GraniteKey"

My Sally Field Moment

My third Smart Grid Security Summit has drawn to a close.  This past week in San Diego was a seminal event in my life as a conference chairman.  For the last 3 weeks I have been working out a hundred plus details that no amount of advance preparation ever prepares you for.  Anyone who has ever put on a conference is keenly aware of that.  For those who have not, I would describe it as something akin to the excitement of the descent from the peak of a roller coaster coupled with the fact that you decided to finish your children's corn dogs.

When I started the Smart Grid Security Summit my intention was to build my network and get some like-minded people together to chat about what was, and continues to be, an important topic.  We had around 100 people show up, and 1 sponsor (SAIC).  We were so proud of that event, and I still harbor fierce loyalty for those who helped make that event what it was.  We knew we had something, and built on it.  The second event was held in Knoxville in early 2011, and we had around 10 times the sponsorship, and double the attendance.  Most importantly, we had asset owners coming to the event to both participate as speakers and join the crowd of attendees.  We were sure we had something of value at this point.  Let's face it, Knoxville is a really nice place, but it is certainly not a "conference boondoggle" location.  People showed up because they had a thirst for knowledge and because they wanted to communicate with people who understand what they need, and we delivered that.

The third event saw us partner with the Energy Sector Security Consortium (EnergySec), and we were blessed with lots of great sponsorship, and perhaps the finest selection of speakers and attendees to date (although that is a tough call, since both of our other events had fantastic speakers and attendees).  It just seems to keep getting better and better as time goes by.  I tried to take the time to speak to everyone I ran into at this event, with around 15 sponsors and around 250 attendees, but found myself nearly overwhelmed by the outpouring of interest in the event, the massive amount of networking going on, the fantastic sessions, and the constant outpouring of love from all who took the time to come up to me and tell me what a fantastic event our little conference has grown into.

I cannot help thinking about that famous Sally Field moment, when she accepted the Oscar for her starring role in the 1984 drama "Places In The Heart".  She took the stage after receiving the Oscar and gushed "I haven't had an orthodox career, and I've wanted more than anything to have your respect. The first time I didn't feel it, but this time I feel it, and I can't deny the fact that you like me, right now, you like me!"

Peer acceptance is what we all crave in our careers, regardless of what we may think or say about the subject.  I am humbled by everyone's acceptance and love, and will continue to deliver the quality you have all come to expect.

Kindest Regards,

Mike Ahmadi
Conference Chairman

Thursday, September 15, 2011

Smart Grid Security East 2011: AMI Vendor Roundtable

This is the video taken of the AMI Vendor Roundtable panel at the Smart Grid Security East conference in March 2011.

The presenters were:

Edward Beroset, Director of Technology & Standards, Elster Solutions Inc.
Stephen Chasko, Principal Security Engineer, Landis+Gyr
Walter Sikora, VP of Security Solutions, Industrial Defender
Ido Dubrawsky, Principal Software Engineer/Security, Itron

We hope you will join us at the EnergySec Smart Grid Security Summit West 2011 conference from October 3-5 in San Diego, California.
See you at the next event - www.smartgridsecuritysummit.com