Wednesday, April 15, 2009

Yes- Omaha's Infotec09 Rocked !

After taking a year off and regrouping, Infotec09 April 14-15, 2009 rocked.

This bargain conference offered excellent keynotes, including Erik Wahl's phenomenal opening "Art of Vision" message (website), and a broad set of innovation themed tracks addressing security, infrastructure, collaboration, leadership, culture and more. There were plenty of excellent, oft published speakers, industry leaders- one of my favorites being the pragmatic, candid security leadership guru Mike Rothman. Also well represented, a sponsor mix across a wide solution space of products and services. It was also great seeing some folks I haven't seen in a while, catching up and talking shop, and making new contacts.

Infotec's solid comeback with an unofficial 600+ reportedly attending this week at Qwest Center Omaha made its mark- a success to build on bolstered with online and informative session blog summaries w/slides.

Monday, April 6, 2009

Feds Backing Up Rhetoric with Cybersecurity Action
-plus Joe Weiss's latest testimony

Lawmakers and the Obama Administration continue ratcheting up federal level attention to private sector critical infrastructure cyber security defenses. Concurrently, with a 60-day review ordered by the Administration yet underway (interim update -3/3), the Senate is developing sweeping legislation that would Federalize Cybersecurity. Many of the proposals stem from recommendations provided within the seminal Cybersecurity for the 44th Presidency study submitted last year by the Center for Strategic and International Studies, including:
  • appointing a White House cyber security "czar" with the authority to shut down government and private computer networks during a cyber-attack
  • charging the National Institute of Standards and Technology (NIST) to establish "measurable and auditable cyber security standards"
  • mandating an ongoing, quadrennial review of the nation's cyber defenses
  • requiring licensing and certification of cyber security professionals.

Also notable, NSA’s increasing role in such developments is causing growing concerns about privacy and pursuing an inherently flawed strategy by charging the organization with both ongoing intelligence gathering and an expansive new mission around national cyber defenses. The resignation of Rod Beckstrom from an executive-level cyber security federal government position underscores such concerns.

FERC Order - Nuclear "Regulatory Gap" Update.
The Federal Energy Regulatory Commission (FERC) is pressing forward to resolve commercial nuclear cyber security jurisdictional “regulatory gap” concerns raised last year. A FERC issued clarification (~17 pages; Docket No. RM06-22-000; Order No. 706-B) on March 25th addresses previously requested industry input. It also concludes with a determination insisting that the portions of a nuclear power plant, not specifically addressed with tighter security program coverage in the forthcoming regulations from the Nuclear Regulatory Commission (NRC), will be required to adhere to NERC Critical Infrastructure Protection (CIP) Reliability Standards. This rule became effective March 25, 2009. The combination of enhanced NRC requirements and the addition of FERC/NERC expectations into the mix make addressing cyber security an even more important licensing and compliance challenge for commercial nuclear power. Some good news- FERC is providing implementation schedule flexibility which will first be addressed by the Electric Reliability Organization (ERO). NERC, as ERO, is is required to submit related compliance filing to FERC within 180 days.

Congressional Hearing- Latest Round on Cybersecurity w/Joe Weiss.
On Thursday, March 19, 2009, the US Senate Committee on Commerce,Science, and Transportation held a hearing titled Cybersecurity: Assessing Our Vulnerabilities and Developing an Effective Defense (webcast-jump 12m to session start, testimony) Among the witnesses offering testimony was Mr. Joseph Weiss, a nuclear and industrial controls system (ICS) engineer, who long has been critical of most vendor, industry, and governmental/regulatory measures addressing related cyber security risks. His statement included pointing out how industrial control systems have experienced at least 125 significant cyber security incidents during the past decade (written testimony). The effects include environmental damage, mechanical damage and in once case, death. He said that a coordinated attack could have devastating consequences, "taking months to recover." (Editorial note: Potential physical and other electronic systemic attacks yet to be substantively experienced remain a noteworthy risk with conceivably even lengthier recovery periods.) Worth watching as each of the witnesses had their perspective backed with solid points followed by Q&A that pressed for answers around concerns raised and improvement approaches needed.

It's increasingly clear that cyber security in critical infrastructure settings, especially the Electric Sector, will continue gathering growing attention at a national level that goes well beyond sensationalized media coverage.