EnergySec Summit Recap

I’m a little late getting this out but had a few thoughts to share from last week’s EnergySec Summit. The “Intersection of Security and Compliance” conference theme turned out to be largely an indictment of NERC CIP. I’ll come back to that but first a few other pieces of information.

  • In case you missed it, there is a new acronym to add to your list: NESCO (National Energy Sector Cybersecurity Organization). EnergySec was selected by DOE to start this new organization and it comes with nearly $6 million of funding. There wasn’t really an official announcement or much to-do about this at the Summit. I’m not really clear on the details or scope yet but here is some information from the DOE press release: NESCO will be…

    “…a broad-based, public-private partnership that will work to improve electric sector computer and network cybersecurity, including those used in the smart grid. Working with the DOE and other federal agencies, it will bring together domestic and international experts, software developers and users to focus research efforts; to assess and test the security of new cyber technologies, architectures, and applications; and analyze, monitor, and disseminate infrastructure weaknesses and threats.”

  • I heard several groans from people whenever Stuxnet came up (and of course it did frequently). I can see the frustration with some who are spouting hyperbole, stretching it as a means to sell their product, or just trying to create a headline. But I still believe it is a significant event that we can learn from and use for responsible education and awareness. So I don’t get all the groaning — at least now maybe there will be something to replace the Vitek Boden / Maroochy Shire incident.
  • Dr. Carol Hawk from DOE covered what they are funding under Cybersecurity for Energy Delivery Systems (CEDS) and specifically mentioned closing the security/compliance gap as a goal of their funding. You can read a summarized list of the “Cyber Security Project Selections” here. Bandolier got some nice recognition as a success story in this presentation and several others.

As I mentioned, NERC CIP got beat up pretty badly. Even former insiders and long-term drafting participants took their swings or at least confessed to some inadequacies in the requirements and approach. I’ve acknowledged and understood the challenge and difference between security and compliance and we’ve discussed that frequently here on the blog. Before this conference, I had some thread of optimism left that CIP could turn the corner and ultimately improve security — if not for all, at least for some. Now I’m not so sure. Maybe the good news is that a lot of people, including the insiders and those involved in the drafting process, are realizing this as well. So my new optimism is that with this awareness will come the imperative to take a fresh look.

Other highlights include:

  • A reminder from Patrick Miller that there are many noble causes out there but electric reliability is really all about the money. This was actually echoed in some of the other presentations as well (directly and indirectly).
  • James Arlen took on some of the non-technical (people) problems in his presentation about coming together to fix the problem. It included a challenge to leave your ego at the door. I think some places have overcome the Us vs. Them / IT vs. Operations problems but, just in case, Arlen’s presentation was there to call out both sides.
  • I had to apologize to Sean McBride from Critical Intelligence for missing his presentations two conferences in a row now. This time there was a schedule shift and I was out prepping for the Bandolier class we taught on the last day of the Summit. I did hear some good feedback on his presentation. One section was titled “Show me the goodness” where he talked about positive developments, including Bandolier. Having some positive highlights was probably a nice way to close out the conference.

There were others that are interesting and informative. Of course you lose something by not being there, but you can find the links to all the slideware here:

5 comments to EnergySec Summit Recap

  • kproth

    FYI… Your link to the energysec web site is broken (it’s missing the final “t”).

  • […] Jason touched on the growing frustration with NERC CIP, and the realization that in many ways the CIP mandated compliance focus is actually impeding security progress. Joe Weiss has led the charge that CIP should be replaced with NIST SP800-53, but this comes as the government is realizing SP800-53 is a huge paperwork exercise that has not markedly improved security. […]

  • Thanks, Kevin. Got that fixed.

  • patb

    NERC CIP should be replaced by PCI-DSS. “use two-factor authentication” vs. “strong procedural and technical controls”… I threw up in my mouth a little bit, ahem, excuse me…

  • […] EnergySec Summit Recap – The “Intersection of Security and Compliance” conference theme turned out to be largely an indictment of NERC CIP. […]