I’m a little late getting this out but had a few thoughts to share from last week’s EnergySec Summit. The “Intersection of Security and Compliance” conference theme turned out to be largely an indictment of NERC CIP. I’ll come back to that but first a few other pieces of information.
“…a broad-based, public-private partnership that will work to improve electric sector computer and network cybersecurity, including those used in the smart grid. Working with the DOE and other federal agencies, it will bring together domestic and international experts, software developers and users to focus research efforts; to assess and test the security of new cyber technologies, architectures, and applications; and analyze, monitor, and disseminate infrastructure weaknesses and threats.”
- I heard several groans from people whenever Stuxnet came up (and of course it did frequently). I can see the frustration with some who are spouting hyperbole, stretching it as a means to sell their product, or just trying to create a headline. But I still believe it is a significant event that we can learn from and use for responsible education and awareness. So I don’t get all the groaning — at least now maybe there will be something to replace the Vitek Boden / Maroochy Shire incident.
- Dr. Carol Hawk from DOE covered what they are funding under Cybersecurity for Energy Delivery Systems (CEDS) and specifically mentioned closing the security/compliance gap as a goal of their funding. You can read a summarized list of the “Cyber Security Project Selections” here. Bandolier got some nice recognition as a success story in this presentation and several others.
As I mentioned, NERC CIP got beat up pretty badly. Even former insiders and long-term drafting participants took their swings or at least confessed to some inadequacies in the requirements and approach. I’ve acknowledged and understood the challenge and difference between security and compliance, and we’ve discussed that frequently here on the blog. Before this conference, I had some thread of optimism left that CIP could turn the corner and ultimately improve security — if not for all, at least for some. Now I’m not so sure. Maybe the good news is that a lot of people, including the insiders and those involved in the drafting process, are realizing this as well. So my new optimism is that with this awareness will come the imperative to take a fresh look.
Other highlights include:
- A reminder from Patrick Miller that there are many noble causes out there but electric reliability is really all about the money. This was actually echoed in some of the other presentations as well (directly and indirectly).
- James Arlen took on some of the non-technical (people) problems in his presentation about coming together to fix the problem. It included a challenge to leave your ego at the door. I think some places have overcome the Us vs. Them / IT vs. Operations problems but, just in case, Arlen’s presentation was there to call out both sides.
- I had to apologize to Sean McBride from Critical Intelligence for missing his presentations two conferences in a row now. This time there was a schedule shift and I was out prepping for the Bandolier class we taught on the last day of the Summit. I did hear some good feedback on his presentation. One section was titled “Show me the goodness,” where he talked about positive developments, including Bandolier. Having some positive highlights was probably a nice way to close out the conference.