Andy Bochman

Don’t Get Me Started: A Quantum of Security Solace

2013-03-14T15:52:20Z

Recent tech news trumpets the advancement of quantum cryptography (QC) to secure the Smart Grid. I watched the Academy Awards this year (not normal) and found a whole bunch of Bond (James Bond) running through it, including performances of Goldfinger by the great Shirley Bassey and the latest Skyfall theme by Adele.

...(read more)

Electric Sector Security Observations from Distributech 2013, and a Word about Trees

2013-02-05T11:30:00Z

The show is over for me as I'm up in LA for some IBM training, but it was a very good 2 days. Here's a few of the highlights I took away:

Patrica Hoffman, DOE's Assistant Secretary for the Office of Electricity Delivery and Energy Reliability (OE), following great, largely renewable-energy oriented keynotes from senior executives at SDG&E and Cal ISO, gave her perspective on the world and beat a drum loudly for improved cybersecurity awareness and action towards the end of her talk
Speaking of DOE, after visiting several security vendor booths found a remote outpost DOE cybersecurity booth in the far corner of the big hall. Those folks seemed glad to have any human contact :)
One industry security guru whose knowledge I implicitly trust said he would like to see a greater emphasis on security architectures this year. Too many point products are being bought and strung together with little consideration for the bigger, enterprise protection picture. And that's a recipe for weakness and inefficiency, and for the folks recommending or doing the buying, a formula for losing credibility and trust
From my extended family at IBM flown in from all over the world, definitely detecting heightened security awareness and interest from utilities that until recently weren't all that active

And then there's this: one analogy that seems to resonate is comparing cyber security risk reduction requirements and efforts to utilities mature programs for arboreal risk mitigation. Except for those located in deserts or the tundra, utilities have to closely monitor vegetation and in particular, trees that are in proximity to hard assets and in particular, power lines. They have to trim back and outright remove ones that pose a significant threat, yet they also need to leave most trees standing so as not to diminish the beauty of the towns they service, anger their residential customers, or render too many birds homeless.

In a similar way, while some nervous security pro's might be more comfortable if we could turn off or at least reduce the number of connected systems and devices, computation and communication are what make the world go around these days so security controls have to be applied judiciously and non disruptively. But the analogy ends with a call to clarity for utilities: the same way you have mastered your management of arboreal risk, effectively turning it into a science, please insist on the same level of understanding, oversight and managerial effectiveness for cybersecurity risk. I believe with help from IBM and others, this is an attainable goal in 2013.

Conference Alert: Security at Distributech 2013

2013-01-21T18:46:00Z

The annual electric sector conference in North America is coming up next week in San Diego. Called Distributech, the 7,500 or so attendees will peruse booths featuring the latest reclosers, transformers, comm gear, outage management systems, etc.

...(read more)

DoD Software Assurance for Electric Sector Security?

2013-01-15T12:00:00Z

The US Department of Defense has been thinking about this for a long time, and recently codified a pretty robust response in the form of the National Defense Authorization Act (NDAA) of 2013.

...(read more)

Security Double Dutch: Shodan Points out Critical Infrastructure Gaps in the Netherlands

2013-01-14T17:41:10Z

I've been to the Netherlands several times and saw the country in the news a lot recently when UberStorm Sandy raised concerns that New York City should perhaps get similar types of protective systems. I can assure you that this is about much more than a preference for dry feet.

...(read more)

Smart Grid Security 2012 Highlights and 2013 Look Forward

2012-12-19T12:00:00Z

As a chronic complainer re: the lack of grid security metrics (see post from nearly 2 years ago: "Smart Grid Security Truth: You Can't Do What You Don't Measure"), this has been the most amazing and surprising year for me.

By far the most important development this year was that it began with only a few specific guidance documents from NIST and NRECA) and is now ending with a comparative landslide of guidance, including some directly aimed at helping utilities assess their current security posture and plot future courses for improvement.

...(read more)

Thoughts on the Explosive MI6 OT Breach in Skyfall

2012-11-26T18:52:00Z

Have you seen the new 007 movie yet, the third of the series that features Daniel Craig as Bond? Called Skyfall, one of its key plot drivers occurs when the evil mastermind blows up part of British spy headquarters, MI6, in London, with a handful of deft key strokes.

...(read more)

Electric Utility Data Governance: A Prerequisite to Data Security, Privacy and the Promise of Big Data

2012-11-06T05:33:00Z

Suppose you are the CEO of a large electric utility and you just learned that you’ve had a large data breach. Your guys are telling you it’s possible that several million detailed customer records have been exposed. The privacy ramifications are alarming.

...(read more)

Energy Sector Security in the Age of Big Data, Mobile and Cloud

2012-10-31T12:30:00Z

While folks who work in or otherwise know the industry will tell you, utilities are by nature very conservative. Their highest values are reliability and safety, but as most utilities transition from monopolistic to competitive business environments, there's a new value contending for the top slot: trust. That's what one needs to earn and work to maintain if they're in business and their customers have alternatives that don't include them. This is a big deal in the electric sector, of course, as many utilities are working hard to build the trust relationships that until now didn't exist because they didn't need to.

...(read more)

From Famine to Feast to Overload: New Electric Sector Security Metrics and Measurement Guidelines Super Helpful (but can be Overwhelming)

2012-09-26T11:00:00Z

In the space of just a few months, electric utility executives and their security leadership have seen a spate of new guidance documents published that intend to help them manage, monitor, and measure the effectiveness of their cyber risk mitigation strategies and controls.

...(read more)

Thinking about Mobile Device Security for a Very Mobile Electric Sector Workforce

2012-09-12T13:00:00Z

One thing you can say about working for an electric utility: for most employees, it's not a desk job. More than their peers in many other sectors of the economy, electric utilities have used and managed mobile devices as essential tools for a long time, outdoors, on the ground and in the air, and in their trucks.

...(read more)

People are Talking: Social Media, Electric Companies, Customers and the Quest to Maintain Privacy

2012-09-04T14:16:00Z

For the longest of time electric utilities had little reason to focus on customer communications, and their residential customers, similarly, often didn’t have much to say to them. So much so that when pressed, many customers couldn’t even name the company from which they purchased this essential service.

...(read more)

In Energy and Every Business Sector, Connected Devices Bring Great Gains, but Up the Security Ante

2012-08-26T10:49:00Z

In many industries, increasingly network-connected products are enabling previously unimaginable new capabilities and, at the same time, creating new privacy and security challenges.

...(read more)

Walking while Chewing Gum: Building the Smart Grid with Secure Software

2012-08-21T13:00:00Z

With the naked eye one can see signs of change in our electric infrastructure: smart meters installed by the millions and solar panels going up in similar numbers. Further away and sixty times per second, synchrophasers are monitoring the quality of high voltage electricity in transmission lines high overhead.

...(read more)

A Call to Elevate Electric Sector Cyber Security Leadership

2012-08-14T14:15:24Z

Around the world, it’s hard to miss the constant media and analyst drumbeat of warnings about new threats to critical energy infrastructures. Yet recent reports by Carnegie Mellon University and IBM reveal that most utility executives are more focused on other priorities, and it’s easy to understand why.

...(read more)