Showing posts with label security metrics.

A Means to a Measured Approach to Cybersecurity

Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.

Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.

A few of the principles we seem to share include:

  • You must measure security if you're ever going to manage it well
  • Similarly, you must measure security if you're ever going to align security investments and policies with business or mission objectives
  • Compliance-based approaches provide at best a false sense of security
  • Significant attention by and involvement of Senior Management and Board is important

In a recent WSJ article, this company, BitSight, noted a correlation between the observable technical security indicators it tracks and a trait shared by the companies that scored best in its recent study. Top performers had "a greater focus on cybersecurity by senior management." But of course.

And here's its critique of compliance approaches to security, published in Risk Management Monitor last week. Sounds as if they're channeling many of our thoughts about compliance regimes like the NERC CIPs:
A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies .... Also, no matter how complete a checklist or audit is, its results are only a point-in-time reflection and can't measure the dynamic nature of the risks it is meant to assess ....
Please note that the security measurement techniques developed by BitSight in their early days are neither comprehensive nor perfect. But they needn't be either to be of great value to organizations (or their partners, suppliers, regulators, etc.) trying to figure out how they are doing and how to improve over time. Recommend you/we keep an eye on them.

Webinar Alert: UTC Cybersecurity Metrics Training


Never thought I'd see training on one of my favorite topics, but somehow the Utilities Telecom Council (UTC) is going to do it a week from now. To some readers' pleasure and others' chagrin, I've done a million posts on metrics, some absurdly long (see: HERE), and I, for one, will be paying very close attention.

When: 12 November 2013, 2 - 3:30 pm ET

What: "This webinar provides an overview of metrics development and implementation approaches based on national and international standards and best practices. It describes how to develop and use metrics to gauge performance and facilitate improvement and gives examples from the utilities space."

How: Click HERE for more info and to register

Thanks again to tmorkemo on Flickr.com for this image ... my 2nd time using it

CPUC's Villarreal is the Real Deal for Grid Security from the US States' Perspective


From cybersecurity to privacy, the Green Button and security metrics, this recent deck from the California Public Utility Commission's (CPUC's) Chris Villarreal covers the entire grid security waterfront from a (very big) state's point of view.

This is well worth your time if you're a regulator in another state, a regulated entity in any state, or you just want to get a better feel for the way this process is evolving.

Note the links on the last slide to the excellent CPUC security white paper by Chris and his security-savvy colleagues, Liza Malashenko and J. David Erickson, and to NARUC's excellent "Cybersecurity for State Regulators 2.0" guide. There are other states upping their cybersecurity game as well, but California and Texas have been the two trailblazers. Of that there is no doubt.

----------------------------

URL for this deck, which accompanied Erfan Ibrahim's SG Educational Series webinar:

https://docs.google.com/file/d/0B83Q27_xggOTV3JpVTlSNnRGNGM/edit?usp=sharing

URL for another nice write-up on the work of Chris and his colleagues, from Greentech Media's Jeff St. John:

http://www.greentechmedia.com/articles/read/smart-grid-cybersecurity-the-california-way

Webcast Alert: Establishing Security Baselines at Industrial Facilities

I love good baselines, and I'm not the only one. When famous jazz composer/arranger Gil Evans (see Sketches of Spain) heard the early Police playing Walking on the Moon, he took time to personally compliment the stunned bass player, Gordon Sumner aka Sting.

Now another baseline for you, less musical but more actionable, courtesy of the new ICS-ISAC:
  • Title: Raising All Boats: Establishing Security Baselines at Industrial Facilities
  • Date: Monday April 29th, 2013
  • Time: 1:00-2:00pm USA Eastern Time
  • Registration and more info here: http://ics-isac.org/events.html
Hope you can make it. Oh, and here's Miles for you: http://www.youtube.com/watch?v=7KDQNoqKya0

Metrics Mark the End of Faith-based Cybersecurity


Thanks to Dark Reading for covering the RSA 2013 metrics panel and for the article: "Governance Without Metrics Is Just Dogma."

To whom do we owe this powerful and provocative headline? Not the editors at Dark Reading, though they were smart enough to grab it and put it at the top. It was Alex Hutton, an Operations Risk and Governance director at Zions National Bank.

In case you're not used to seeing the word dogma in this context, let's refresh ourselves with a definition (thanks Wikipedia):
Dogma is an official system of belief or doctrine held by a religion, or a particular group or organization. It serves as part of the primary basis of an ideology or belief system. 

While there are appropriate places and good uses for dogma, the C-Suite and Board of Directors conference table is not one of them. (At this point I can imagine some long-term readers saying, "tell us how you really feel").

With both risk and governance in his title, Hutton has clearly been thinking this through, as shown when he finishes with this zinger for the Security Governance ages:
You know what you call governance guided by metrics? Risk management.
I'll be submitting some business-oriented security metrics to the NIST Critical Infrastructure Cybersecurity Framework folks in a few days, and will follow up in person with them in Gaithersburg, MD on April 3.

People love to argue about metrics; that's one of the reasons they rarely come into being in our world. Let's see if we can agree on a few that work this time ... it's partly what NIST and others are looking for us to do.

The whole article is HERE.

Photo credit: Still from Dogma film (1999) from Fanpix.net

Heralding the Dawn of Critical Infrastructure Security Metrics


You may like this blog because of its emphasis on business-oriented security metrics and measurement. Or you may loathe it for the same reason (though if you do, you shouldn't still be visiting much).

Can't measure, can't manage. On this we agree, right?

So ... we're two weeks past the Presidential executive order (EO) that kicked off a new round of meetings that will ultimately produce a new NIST framework for grid security. You can read about the goals for this thing, including the RFI process HERE.

Thanks to EnergySec's Patrick Miller, who tweeted yesterday that this round of work is designed, among other things, to produce metrics that can be used to assess the current security posture of your organization.

To wit: "The Framework should include flexible, extensible, scalable, and technology-independent standards, guidelines, and best practices, that provide: Metrics, methods, and procedures that can be used to assess and monitor, on an ongoing or continuous basis, the effectiveness of security controls that are selected and deployed in organizational information systems and environments in which those systems operate and available processes that can be used to facilitate continuous improvement in such controls."

Bravo. Also, as you'll see in a section called Current Risk Management Practices, I note these highly metrics-suggestive questions:
  • How do organizations define and assess risk generally and cybersecurity risk specifically?
  • To what extent is cybersecurity risk incorporated into organizations’ overarching enterprise risk management?
  • What standards, guidelines, best practices, and tools are organizations using to understand, measure, and manage risk at the management, operational, and technical levels?

You can see where this is leading, can't you? I'll plan to be at the first framework development meeting that's open to industry, and will be including my 2 cents in the RFI process as well. Recommend you do the same.

Heard that meeting might be on April 3 and will confirm or revise accordingly.

Photo credit: Wikimedia.org

One Step Closer: Announcing NARUC's Cybersecurity Guide for State Regulators 2.0

My last post on NARUC*, from June of 2012, was on the first version of their cybersecurity guide for state regulators, and the somewhat sprawling piece ended thusly:
I would like to end by saying that this was a document that could never fully please everyone, and if we remember it's a 1.0 version, then in that context it's an ambitious and excellent start. Let's start providing feedback now so that 2.0 can be even better.
Well guess what readers? Some of you and maybe some others provided feedback, so well and fully in fact that we find ourselves fewer than 9 months later with a new and improved 2.0 version, just released by NARUC after announcing it at its Winter Meetings (note sublime, almost hypnotic snowflake animation on landing page).

After reviewing the new document myself and getting some input from the authors, I'd say that while there are numerous small changes that help, the main difference is an emphasis on having regulators develop an overarching strategy before diving into more granular elements like orders, requirements and rules.

To me this creates a nice parallel to what some of the more forward-leaning utilities are doing when they work to create security architectures. In both cases, whether on the regulator or the regulated side, the enabling concept is to craft a coherent larger plan before making point enforcement decisions or deploying point security solutions. Unquestionably sound stuff.

But still there's this (a holdover from version 1.0). Question 28 under Personnel and Policies invites commissioners to ask: "Do you have a Chief Security Officer and do they have explicit cybersecurity responsibilities?"

I would arm the commissioners with the knowledge that while many utilities will reflexively say they have a CSO, that person is neither a true C (chief) nor a true O (corporate officer). When there are more true executive-level security chiefs out there, empowered to develop and enforce cybersecurity policy enterprise-wide (IT, Smart Grid and OT), that will clearly mark a departure from the status quo and the beginning of a more proactive, cyber risk management-based utility culture.

And maybe we'll see that called out in NARUC's 3.0 version. But for the moment, I think these folks deserve a pause to refresh. They've been producing high quality guidance at a very rapid pace ... kudos.


* For those unfamiliar with this acronym, it stands for the National Association of Regulatory Utility Commissioners. This is the national body that represents the electric, telecom and water regulating interests of the 50 US states. From a security point of view, NARUC and the state commissioners primarily watch the distribution elements of the grid, whereas the NERC CIPs in North America focus on large generation and transmission assets. You can check out the NARUC site by clicking HERE.

Michael Assante Holds Forth on Cybersecurity Leadership


You've seen him here before, but for those not familiar, his quals, in reverse chronological order:
Great background, right? Though he lives in the Northwest, he's pretty visible in DC as a frequent testifier on national security issues related to cybersecurity and critical infrastructure.

Here's an excerpt from a just published Q&A session I was lucky enough to engage him in. When asked:

"... What can the energy & utilities industry learn and leverage from these other critical infrastructure industries?" Mike responded:
It is more the norm than the exception to find executive-level cybersecurity leadership in banking and telecommunications today. Years ago, both industries realized that protecting their networks, systems and data from attackers was a strategic imperative. And some industries have even gone so far as to police themselves with their own security standards. Now it’s time for electric utilities and other energy companies to elevate cyber resilience in their business planning and investment decisions.
You bet it is.

The interview is not too long ... only 4 questions, but I highly recommend you view his well-informed responses to all of them, which you can see RIGHT HERE.

Image credit: NewsMilitary.com

2 Control Systems Metrics Movers/Shakers: Jim Brenton and Joe Weiss

The more metrics the merrier, I say. After yesterday's post on IDC's take on energy sector cybersecurity metrics, let's pivot to control systems, where the three most important things are:
  1. reliability
  2. reliability, and
  3. reliability
... and where what passes for cybersecurity in IT realms just doesn't cut the mustard.

First see this NEW POST from Joe Weiss on how to begin wrapping your head around what control systems metrics could look like.

Then I'd recommend Jim Brenton's PRESENTATION at GridSec earlier this year on a new group that's formed to look at developing security (or should I say reliability and resiliency) metrics for the Bulk Electric System (BES).

OK, that's it, this is a short one. You can go back to what you should have been doing all along.

New IDC Report Takes Measure of Energy Security Metrics


They had me with the title: "Methods and Practices: Creating a Metrics-Based Security Culture". It seems IDC must have used a keyword optimizer app designed to discover the best title based on the complete works at the Smart Grid Security Blog.

I can't vouch for the utility of this report because I haven't read it. But I do know lead IDC energy and security analyst Usman Sindhu because we've been discussing grid security topics since we met back when he was still at Forrester Research.

Jesse Berst and the SmartGridNewsers did a nice little intro to it HERE.

The price may not be right for you, though maybe your company already has a subscription with IDC that will let you see it for free. Or maybe you can negotiate a "friends price" with Usman, the economy being somewhat iffy at the moment.

Photo credit: Steven Harris on Flickr.com


DOE's Prescription for Electric Sector Cybersecurity Uncertainties


I've had a link to this document in the blog's "Relevant Docs" section since it appeared, but with today's press release, I think it's time to shine a spotlight on DOE's latest and greatest electric sector cybersecurity resource.

The campaign for measurement has just been given a big shot in the arm. By definition, in a weird permutation of Newton's Third Law, the minute a metric or measurement is proposed it creates its own opposition. Often vocal opposition, I might add.

Nevertheless, neither Newton nor opposition should cause us to accept stasis and the uncertainties that attend the status quo. "What uncertainties?" you might well ask.

And my answer is that the majority of C-Suiters and BoDs at medium-to-large electric utilities likely do not have a decent understanding of the cyber-related reliability and safety risks confronting their IT and OT operations. Nor do they understand well how sound (or unsound) the defensive measures (people, policy, processes) their cybersecurity folks have deployed actually are.

If I were to now transition to a tirade about the crying need for business-oriented security metrics and measurement, while linking to previous tirades, few would be surprised. But in a moment of uncommon self-restraint, I won't do that.

Instead, I invite you to consume a few tapas-sized sound bites from DOE's press release earlier today announcing its new tool with the unpronounceable acronym, the ES-C2M2.

Dig in:
  • Energy Department Develops Tool with Industry to Help Utilities Strengthen Their Cybersecurity Capabilities
  • New Tool Available to Enable Electric Utilities to Better Assess their Cybersecurity Needs and Assets 
  • Maturity models, which rely on best practices to identify an organization’s strengths and weaknesses, are widely used by other sectors to improve performance, efficiency and quality. 
  • More than a dozen utilities nationwide participated in pilot evaluations to help refine the model
  • The Cybersecurity Self-Evaluation Tool itself helps electric utilities and grid operators identify opportunities to further develop their own cybersecurity capabilities by posing a series of questions that focus on areas including situational awareness and threat and vulnerability management
  • Utilities that choose to provide their anonymous self-assessment results to the Energy Department will receive reports with anonymous benchmarking results of all utilities participating in the “opt-in” program.

Here's a LINK to the model. Utilities can request the Cybersecurity Self Evaluation Survey Tool by contacting the Energy Department at ES-C2M2@hq.doe.gov. Note: The Energy Department is also offering facilitated self-evaluations on request.

Please keep in mind that this is a 1.0 version developed at breakneck speed. The more feedback DOE gets from its earliest users, the more we can expect from future versions. And they do seek your feedback.

I think what's been started here is good, very good in fact. Now let's seek to use it, make it great, and substantially improve the industry's understanding of itself along the way.

Image credit: DiaVoLo Group on Flickr.com