Friday, July 29, 2011

Smart Grid Security East 2011 - Harmonizing Federal and State PUC Guidelines

This is the video taken from the Harmonizing Federal and State PUC Guidelines session at the Smart Grid Security East Conference in March 2011.  Please join us for the EnergySec Smart Grid Security Summit from October 3-5, 2011 in San Diego, California.

While Federal agencies may indeed have jurisdiction of some parts of the Smart Grid, a large part of the Smart Grid falls directly under State jurisdiction, and certainly most of AMI. This session will present the perspectives of State Public Utility Commissions in various stages of deployment.

Alan Rivaldo, Cyber Security Analyst, Public Utility Commission Of Texas 

Christopher Villarreal, Regulatory Analyst, California Public Utility Commission (CPUC) 

Craig Miller, Project Manager at National Rural Electric Cooperative Association (NRECA)

Moderator: Chris Kotting - ThinkSmartGrid

See you at the next event -

Thursday, July 14, 2011

The NRECA Cooperative Research Network Security Strategy

It was through a conversation I was having with Christopher Villarreal, Regulatory Analyst with the California Public Utility Commission (CPUC), that I was first made aware of Craig Miller, who is the Project Manager for the National Rural Electric Cooperative Association (NRECA).  Chris is generally a soft-spoken guy, and that makes me pay a bit more attention to him when he talks.  He told me that I really needed to reach out to Craig Miller and include him in my Smart Grid Security Summit as a speaker, since Craig seemed to know what he was talking about with respect to cybersecurity.

It took me a while, but I finally got through to Craig (he is a busy guy).  I have to admit, being someone who has had a lot of conversations with "the big boys" in the world of Smart Grid security, I was not expecting the level of knowledge and professionalism that the NRECA exhibited.  Suffice it to say, the members of the NRECA are well served by the organization.

Let me explain.

Craig was a panelist at my Smart Grid Security East conference in Knoxville, TN this past March, 2011, and he was easily one of the most popular panelists at the event.  He does not mince words when he speaks.  He is a consummate straight shooter in every sense of the word, and gets down to business right away.  When asked about what the NRECA is doing to help their COOP network address security, he will tell you that they are defining a "process of continuous improvement", and goes on to explain that rather than telling their members what to do, they offer detailed and ACTIONABLE guidance, as well as continual educational programs.  It reminds me of the saying "Give a man a fish and he can feed himself for a day. Teach a man to fish, and he can feed himself forever."

Back in March, it was all great talk, and I (and many others) left the event wondering how this program worked.  It did not take long to find out.  In May of 2011 (2 months after my conference) the NRECA released A Guide to Developing a Cyber Security and Risk Mitigation Plan, and made it publicly available for all to see.  It is a fantastic collection of materials, put together with the assistance of Cigital, and besides providing a fantastic collection of well-referenced cybersecurity guidance (much of it based on the NISTIR 7628 guidance document), it provides templates and plenty of "getting started" materials.

Why is this so important?  I'm glad you asked...

It may come as a surprise to many of you, but the fact is that most facilities that generate power in our great nation are not staffed with massive IT departments, much less with security experts.  This is true in general, and certainly true in the COOP world.  Providing guidance is important, but providing ACTIONABLE guidance is far more important.  This is important because cybersecurity is quite daunting to the uninitiated.  Showing someone how to do it (rather than telling them what to do) is what the NRECA CRN program focuses on.  They do not dictate to the COOP network (remember, the NRECA works for the COOP network, and not the other way around). They offer well-researched guidance and continual support.

Craig Miller will be returning to my conference in October, 2011, and if you get a chance to read the NRECA documents prior to that event, please do so, and make sure you make it to my conference, where you can meet the man himself, and I am sure he will be happy to answer your questions.

Just be prepared for straight answers...he does not mince words.

Tuesday, July 12, 2011

Videos: NERC CIP Compliance Workshop - Smart Grid Security East 2011

The North American Electric Reliability Corporation (NERC) enforces electric reliability standards under the authority of the Federal Energy Regulatory Commission (FERC). A large part of these enforcement efforts involves Critical Infrastructure Protection (CIP), which is currently a key area of cyber security enforcement for NERC, and the set of guidelines is referred to as the NERC CIP guidelines. Organizations that are subject to enforcement under NERC CIP face fines of up to 1 million dollars per day for failing to comply with set requirements. This workshop will focus on the following:
  • Understanding NERC CIP Requirements
  • How to prepare for a NERC CIP Audit
  • Tips and Findings from organizations that have experienced a NERC CIP Audit
  • Overview of the direction NERC CIP is heading

Monday, July 11, 2011

Everyone Wants Their Pound Of Flesh

I was directed to an article this morning titled "CRS: Smart grid cybersecurity standards potentially subject to conflict of interest", which points to a paper from the Federation of American Scientists (FAS) titled "The Smart Grid and Cybersecurity— Regulatory Policy and Issues".  If you scroll down to the section called "Policy Concerns" (beginning on page 13) you will find the following:

"...While reliability standards are mandatory, the ERO process for developing regulations is somewhat unusual in that the regulations are essentially being established by the entities who are being regulated. This can potentially be an issue when cost of compliance is a concern, and acceptable standards may conceivably result from the option with the lowest costs. While FERC ultimately has approval authority over the regulations NERC submits and can remand such regulations it judges as not satisfying requirements, any such revisions are ultimately subject to NERC stakeholder approval..."

We need to first clearly understand that everything is ultimately a conflict of interest in the regulatory world.  There are few people who take an altruistic approach to making rules.  Our entire US government system is driven by lobbyists who all come to Congress looking for their "pound of flesh", and they are generally very successful at it.  It is no different in the world of cybersecurity.  Organizations are being tasked with addressing cybersecurity for the smart grid.  What we have in terms of participation is a few large utilities who have a vested interest in avoiding regulations that would make their lives more difficult, consultants who stand to gain if rules should lead stakeholders to hire consultants to help address the requirements, and vendors who either want to avoid regulations that would harm their business models, or who want to fight for regulations that would bring them more business.  All of these "volunteers" to the effort are there for strategic reasons, and I am not exempt from that.

Will this potentially lead to better cybersecurity?  I would say yes.

One of the best ways to get people to implement better security is to get people interested in, talking about, and learning more about security.  This stimulates heated discussions and lots of geek talk.  It is how I learned a lot of what I know.  It is also reasonable to conclude that having lots of cybersecurity experts involved in the process will probably lead to some solid technical reviews.  I can tell you from direct experience that there are a lot of security vendors involved in the Smart Grid security process, and they all try to convince everyone else that what they do is the way to go, but there are also a lot of people who are willing to scrutinize (and enjoy scrutinizing) every word they say.

Still, a conflict of interest will always exist, and unless Congress or any other regulators want to take some time to understand security, it is perhaps best if they allow the process to continue as it is going, conflicts of interest and all.

Just my opinion.