Monday, October 10, 2011

My Sally Field Moment

My third Smart Grid Security Summit has drawn to a close.  This past week in San Diego was a seminal event in my life as a conference chairman.  For the last 3 weeks I have been working out a hundred plus details that no amount of advance preparation ever prepares you for.  Anyone who has ever put on a conference is keenly aware of that.  For those who have not, I would describe it as something akin to the excitement of the descent from the peak of a roller coaster coupled with the fact that you decided to finish your children's corn dogs.

When I started the Smart Grid Security Summit my intention was to build my network and get some like-minded people together to chat about what was, and continues to be, an important topic.  We had around 100 people show up, and 1 sponsor (SAIC).  We were so proud of that event, and I still harbor fierce loyalty for those who helped make that event what it was.  We knew we had something, and built on it.  The second event was held in Knoxville in early 2011, and we had around 10 times the sponsorship, and double the attendance.  Most importantly, we had asset owners coming to the event to both participate as speakers and join the crowd of attendees.  We were sure we had something of value at this point.  Let's face it, Knoxville is a really nice place, but it is certainly not a "conference boondoggle" location.  People showed up because they had a thirst for knowledge and because they wanted to communicate with people who understand what they need, and we delivered that.

The third event saw us partner with the Energy Sector Security Consortium (EnergySec), and we were blessed with lots of great sponsorship, and perhaps the finest selection of speakers and attendees to date (although that is a tough call, since both of our other events had fantastic speakers and attendees).  It just seems to keep getting better and better as time goes by.  I tried to take the time to speak to everyone I ran into at this event, with around 15 sponsors and around 250 attendees, but found myself nearly overwhelmed by the outpouring of interest in the event, the massive amount of networking going on, the fantastic sessions, and the constant outpouring of love from all who took the time to come up to me and tell me what a fantastic event our little conference has grown into.

I cannot help thinking about that famous Sally Field moment, when she accepted the Oscar for her starring role in the 1984 drama "Places In The Heart".  She took the stage after receiving the Oscar and gushed "I haven't had an orthodox career, and I've wanted more than anything to have your respect. The first time I didn't feel it, but this time I feel it, and I can't deny the fact that you like me, right now, you like me!"

Peer acceptance is what we all crave in our careers, regardless of what we may think or say about the subject.  I am humbled by everyone's acceptance and love, and will continue to deliver the quality you have all come to expect.

Kindest Regards,

Mike Ahmadi
Conference Chairman

Thursday, September 15, 2011

Smart Grid Security East 2011: AMI Vendor Roundtable


This is the video taken of the AMI Vendor Roundtable panel at the Smart Grid Security East conference in March 2011.

The presenters were:

Edward Beroset, Director of Technology & Standards, Elster Solutions Inc.
Stephen Chasko, Principal Security Engineer, Landis+Gyr
Walter Sikora, VP of Security Solutions, Industrial Defender
Ido Dubrawsky, Principal Software Engineer/Security, Itron

We hope you will join us at the EnergySec Smart Grid Security Summit West 2011 conference from October 3-5 in San Diego, California.









See you at the next event - www.smartgridsecuritysummit.com

Sunday, September 11, 2011

Smart Grid Security East 2011: Panel - How Utilities Are Managing Security

This is the video taken of the "How Utilities Are Managing Security" panel at the Smart Grid Security East Conference in March 2011. 

The presenters were:
David Batz, Manager, Cyber & Infrastructure Security, Edison Electric Institute (EEI) 
Ward Pyles, Senior Security Analyst, Southern Company 
James Sample, Director of Enterprise Information Security, Tennessee Valley Authority (who has recently been promoted to CISO of Pacific Gas & Electric)
Robert Humphrey, Senior IT Security Analyst, Duke Energy
Moderator: Bob Lockhart, Senior Analyst, Pike Research

I am pleased to report that all of these panelists (and more) will be returning to the EnergySec Smart Grid Security Summit West conference from October 3-5 in San Diego, California.  We hope to see you there!







Friday, September 9, 2011

Smart Grid Security East 2011: NISTIR 7628 - Progress Report


This is the video taken of the NISTIR 7628 Progress Report session at the Smart Grid Security East Conference in March 2011.

The presenters were:
Annabelle Lee, Technical Executive - Cyber Security, EPRI
William Hunteman, Senior Advisor For Cyber Security, US Department of Energy (DOE)
Daniel Thanos, Chief Cyber Security Architect, GE Digital Energy
Sandy Bacik, Principal Consultant, EnerNex
Mike Coop, ThinkSmartGrid
Moderator: Mike Ahmadi

Please join us for the EnergySec Smart Grid Security Summit from October 3-5, 2011 in San Diego, California.












Thursday, September 8, 2011

Smart Grid Security East 2011: Keynote Address - Annabelle Lee

This is the video taken of Annabelle Lee's fantastic keynote at the Smart Grid Security East Conference in March 2011.  Please join us for the EnergySec Smart Grid Security Summit from October 3-5, 2011 in San Diego, California.





The Importance of Context When Discussing Smart Grid Security

This letter was originally posted on the excellent Smart Grid Security Blog.  It is a letter from former NERC CSO Michael Assante to the global community of stakeholders who are working diligently to keep our critical infrastructure safe from attackers.


I recently had an opportunity to learn about the importance of context. I tried to help someone understand the challenges of regulation and cyber security in the context of smart grid technology deployments and electric infrastructure, and learned once again how polarized this topic can become. Certainly many can appreciate the challenge of communicating with clarity on this topic, as it can be nuanced, highly-technical, process-laden, and mired in the details of a little-followed piece of history and U.S. federal and state law.

Let me begin by providing some of the context, or background, that explains why I work hard to help develop a better understanding of how cyber security impacts operational technology in critical infrastructures. As a boy I was fascinated with the engineering required to generate and deliver electricity. To me, the power system represented a grand achievement that demonstrated what dedicated men and women could accomplish.

My father worked for a utility and was rightfully proud of the public service his company delivered to homes, schools, manufacturing plants, and hospitals. He worked with impressive machines that excavated coal, and cutting edge control centers with analog light displays. But the thing that made the biggest impact on me was the dedication with which my father and his colleagues performed jobs, and their uniform sense of mission, as they clearly understood that what they did made people’s lives better. I was quick to appreciate the vision, investment, and effort that enabled vast natural resources like coal and hydro-power to be turned into electricity, which was then transported and delivered over vast distances to every household and business.

The success of the electricity industry in designing, building and maintaining an incredible system of systems, continues to inspire children and adults alike. It has grown to become a critical infrastructure that underpins modern society. The delivery of highly-affordable and reliable electricity has paved the way for the industrial and technological revolutions that have transformed global economies. It is ironic that over the last forty years of progress, we have also created a significant set of challenges that need to be addressed as a consequence of our continued innovation.

The rapid advancement and application of digital technology has improved electric system operations, reliability, and process efficiency. But it carries with it a heavy responsibility. We must now safeguard this increasingly ubiquitous element of the grid from those who would seek to disrupt technology and cause harm.

This dilemma of digital technology is that, like electricity, it enables great things but can cause great damage if not managed properly. There is one very important difference, though. The nature of electricity is understood sufficiently to prudently manage the risks it can present, whereas cyber threats are constantly evolving and are co-adaptive (the threat will consider the protections you have employed and find ways to circumvent or compromise them). This has led me to conclude that many of the difficulties we experience addressing cyber security come less from how the electricity industry behaves, and originate more from the complex nature of digital technology and the unique risks it engenders.

Many of you know that I have often shared my thoughts on the difficulties of managing cyber risk in the complex and vast systems that comprise power grids. There are a number of necessary constraints, such as the golden rule of “first, do no harm” (do not negatively impact system reliability and safety). Other challenges have more to do with the state of industrial control system technology and the tough job of keeping up with the rapid changes in technology and the evolving capabilities of would-be cyber attackers.

NERC and the industry have pioneered the use of mandatory reliability standards as one tool to manage risks to reliability across the complex weave of entities that comprise the bulk power system in North America. I am confident that progress will continue to be made by NERC and the industry, but it takes time to learn what works well when dealing with the scale of the bulk power system and specifically, when trying to address the difficult-to-bound risk that comes from cyber threats. I, like many others, understand that we must continually evaluate the processes we use to develop and manage the CIP standards. We must consider the effectiveness of the standards requirements when compared to how digital systems are being compromised by current cyber attackers. Cognizant of the risks of unintended consequences, we need to fully understand the behaviors we are promoting by using standards that require strict compliance. Finally, we need to be mindful of the spirit and goal of the standards and the importance of providing enough flexibility so that utility security programs can adapt to best confront the threats they face.

I have had the pleasure of working alongside of some of the most gifted experts in power engineering and industrial control system security over the years. The power industry has a rich collection of experts often passionately inclined to work together as a community to solve complex problems. Their expertise is essential in determining how to best apply cyber defenses in the highly-specialized environments of power generation, transmission, and distribution. We would also, however, benefit from the experience and learnings of other industries’ cyber professionals who themselves labor to defend highly-targeted networks. I have grown to appreciate the adaptive nature of cyber threats and the importance of maintaining a current understanding of how systems are compromised. NERC has engaged with the U.S. government to benefit from its understanding and should continue to look for opportunities to learn from government and cyber security experts from other industries bent on tackling this common problem.

Context matters in how we think about these problems, in how we frame our concerns, and in how we formulate new approaches so that we may attain the many benefits of new technologies while managing the risk. I am confident that we will begin to engineer away the worst consequences, continually find more effective practices and develop the necessary skills to better address sophisticated and ever changing cyber threats. This is a difficult task that will continue to require our best efforts, to include regulation. It is a task that demands a prudent approach as the effectiveness of our investments needs to be measurable and demonstrable. We must continue to innovate if we're to fully enjoy the many benefits of affordable and reliable electricity.

Michael can be reached at michael.assante@nbise.org

Michael will also be speaking at the EnergySec Smart Grid Security Summit West in San Diego, California, October 3-5, 2011.

Wednesday, September 7, 2011

Customer Data: Authorization, Privacy and Security - Smart Grid Security Summit East 2011

This is the video taken of the Customer Data: Authorization, Privacy and Security session at the Smart Grid Security East Conference in March 2011.  The presenters were:


Sandy Bacik, Principal Consultant, EnerNex
Megan Hertzler, Director of Data Privacy, Xcel Energy Services
Boris Segalis, Partner, Information Law Group
Moderator: Chris Kotting, ThinkSmartGrid


Please join us for the EnergySec Smart Grid Security Summit from October 3-5, 2011 in San Diego, California.

Due to the extreme popularity of Privacy in the Smart Grid, we will be hosting a pre-conference workshop.  Please make sure you sign up quickly, as space is limited.  You can sign up at http://www.smartgridsecuritysummit.com/Info/RegistrationInfo.aspx.








