Cyber Achilles Heal Afflicts Electric Sector (and other) Senior Leaders

Just for fun, let's begin with a few quotes from an article in yesterday's Wall Street Journal of the mind-blower variety:

Executives are disconnected from reality when it comes to IT and security.

Top leaders seem particularly inclined to do things their IT departments warn against, such as opening email from unfamiliar senders, or clicking on links.

During ... simulated attacks, top executives are 25% more likely to click on the links that in a real attack could install malware. One reason ... is that most senior leaders skip company programs on developing cautious email habits.

You can visit this WSJ page below for the full article and attribution.

But wow. What a cyber Achilles Heal we've got if the folks with access to the most important, most sensitive info in our companies are the easiest to scam into coughing it up.

Training Alert: ICS / 2 Control Systems Security Sessions Coming Up

SGSB readers: first a brief housekeeping note. Due to a dose of awareness I just received yesterday, I'll no longer be including live links in posts. When I want to recommend a web page for you to visit I'll give you the full URL, which you can paste into the browser of your choice (see below).

OK moving on. SANS is developing an ICS & utility focused security practice with NIPSCO's Tim Conway assisting.  And this effort is already bearing fruit, with training classes coming up next month.  Here are the deets for you:

• When: June 11, 2013 (Saturday)
• Where: Westin Houston Memorial City, Houston, TX USA
• What: two courses:

1) SCADA Security Training 

2) Pen testing ICS and Smart Grid

For more info and to register, do what you need to do with the following URL: 

http://www.sans.org/event/scada-training-houston-2013

Special SGSB Offer: use the code SmartGrid2013 when you register and you'll receive $150 off the Pentesting ICS or the Smart Grid or the SCADA Security Training course.

Sanity Check: Nuclear Cyber Security Should be the Best, Right?

A few recent missile launchings notwithstanding, you may recall a little over a month ago things were hot and heavy in the North vs. South Korea showdown. On April 15th Japan Times published this account: South Korea Bolsters Security of Nuclear Plant Network, which opened thusly:

SEOUL – The state-run operator of South Korea’s nuclear power plants has separated its internal computer network from the Internet in an effort to guard against possible North Korean cyber attacks, Yonhap News Agency reported Sunday.

and continued:

It said Korea Hydro & Nuclear Power Co. has also completely divided its nuclear plant control systems from its internal computer networks and restricted both systems’ access to the Internet, while USB ports of the plant control systems have also been sealed.

Energy Security Conference Alert: IAGS' Target Energy 2013

What is IAGS you say? I'll answer briskly: the Institute for the Analysis of of Global Security. Teaming with NATO's Energy Security Center of Excellence, IAGS is hosting a conference called Target Energy that includes but goes well beyond cybersecurity and the grid.

For those SGSB readers whose professional lives are circumscribed by electric sector security, this is a chance to stretch a bit. Here's how the organizers describe the focus:

The cost of securing energy supplies is increasing due to threats from terrorists, hackers, activists and hostile nations. What is the impact of attacks against energy, and how can companies, organizations, and governments work with NATO to increase security?

Energy Sector Orgs: How Would You Know if You Were Secure Enough?

Along with my friend and IBM colleague Jeff Katz, I was recently cited in an article by a new publication called Breaking Energy. One of the things they captured was this statement:

[Legislators and regulators] hear statements that the grid is not secure enough .... That begs the question: how would you know? how do you know how secure it is now?”

If one was hellbent on better securing the grid, how would define your destination and how you know you were making progress towards it? Sorry so many questions.  Maybe you can provide some in the comment space below.

Meanwhile, in this USA Today piece, senior leaders in Washington continue to make alarming sounds about our industry's preparedness:

The power industry [ranges widely in security maturity] from companies that are very good to companies that need a lot of work and a lot of help," Gen. Keith Alexander, commander of Cyber Command, said Friday.

Meanwhile, in the NYTimes, two senior [DHS] officials just said "[a new wave of intrusions] were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name."

Seems we have the motivation. And maybe the means. But I still question whether we have a roadmap, tools, or even language recognize progress. More on this coming up.

More on the Model: are Utilities Planning for the Future or Hoping it Doesn't Come?

A few weeks ago I posted about threats to the traditional investor owned utility (IOU) business model and I'm still soaking in what EEI and others are saying. Since then, I:

• Attended a presentation on the future of renewables at MIT given by energy futurist Dr. Eric Martinot. You can download Martinot's full 2013 report HERE and follow his periodic updates HERE
• Also had a great conversation with another energy futurist, Chris Nelder, after reading his Greentech Media Article titled "Adapt or Die: Private Utilities and the Distributed Energy Juggernaut". Nelder's personal site is HERE
• Read THIS from Bloomberg, a name not normally associated with wild or starry eyed cleantech visions. Bloomberg analysts are predicting very strong gains with renewables comprising up to 37% of total power produced by 2030

I'm not a self proclaimed futurist, nor do I play one on TV or the Web. And I know if I was on a debate team, I could find plenty of arguments (e.g., low cost natgas, end of renewables subsidies, slow updake of EVs, etc.) for thinking it'll be business as usual for IOUs for decades to come.

All the NIST Critical Infrastructure Security RFI Responses You Can Eat

Re: the many and various submissions from companies and individuals to NIST, someone who knows more than a few things about grid security recently tweeted twice thusly:

Reading - and in many cases laughing at - #NISTCSF responses

and ...

The responses? Mostly neutrally irrelevant, some nonsensical. I've marked only 14% so far for "real" read later

I just want you to set your expectations bar sufficiently low before you click HERE and read all of the responses.

By the way there were a few good and very good responses too.

If, after reading, you not only feel like you have something to suggest that hasn't yet been suggested, but you also want to physically transport and immerse yourself in this grand sausage making activity, then ...

For more information on the 2nd workshop coming up in late May in Pittsburgh, and a link where you can register, click on THIS.

Photo credit: @Doug88888 on Flickr.com