Sunday, October 18, 2009

FERC Hammers Florida Power & Light Co with $25M Civil Penalty
- $5M to go above and beyond current regulatory requirements

On Oct 8th, Florida Power & Light (FPL) agreed to pay a $25 million penalty after blunders by a field engineer led to a service outage affecting nearly a million customers, i.e. the 2008 Florida blackout.

This marks the first settlement resulting from a reliability investigation by the Federal Energy Regulatory Commission (FERC) enforcing the 2005 law that established mandatory electric reliability standards. The fine won't be going to customers. Instead FPL, which faced a potential of $1B+ in fines, agreed to pay $10M to the United States Treasury and $10M to the North American Electric Reliability Corp. (NERC). The remaining $5 million is to go toward reliability measures beyond current requirements, spent in a manner approved by the regulator; whatever remains unspent of that last $5M will be split evenly between the US Treasury and NERC.

  • "Today's settlement demonstrates the high priority the commission places on electric reliability," said Norman Bay, director of the commission's Office of Enforcement. "The message to the industry is clear: Compliance with the standards is critical."
Holy smokes! This civil settlement clearly marks the end of wrist slaps for reliability violations and ushers in a whole new level of realizable penalties. It's also worth emphasizing that the cyber security focus of the NERC CIP standards represents just one of fourteen reliability groupings in the current NERC Reliability Standards. The process that reached this settlement makes clear that FERC will increasingly take a very active role in industry reliability investigations going forward. Industry compliance programs will need to be reviewed and appropriately bolstered to help ensure sufficient program measures are defined and being maintained. The settlement also speaks to the need for continuous improvement efforts by industry aiming well beyond meeting today's reliability requirements, i.e. increasing regulatory margin. This is increasingly akin to the regulatory challenges and supporting programs of commercial nuclear power, with heavy doses of auditable evidence required.


Sunday, October 4, 2009

Striking the Right Balance: MS Windows Screensaver Locking
- AutoIt: A Potential Cure for Headaches

Updated 11-16-2010
While there have been plenty of higher-stakes cyber security challenges dominating my team's attention lately, I stumbled on an interesting approach to an issue many organizations wrestle with.

A basic, consistent implementation of automatically locking Microsoft Windows screen savers, requiring password entry to regain access after a period of inactivity, poses a number of challenges. At least Microsoft's Active Directory (with Group Policy Objects) makes the technical implementation manageable. However, the areas that take issue with a required inactivity lockout often have only occasional legitimate business needs that don't justify a full exception. For example, personnel may give presentations and don't want interruptions, others may burn DVDs, watch network traffic in a locked room, or occasionally engage in other activities with little interactive PC use, which makes automatic screen locking burdensome in practice.

To help address this issue, we've been looking at several "egg timer" type PC utilities that grant temporary relief when merited, so we can pursue a more consistent, company-wide implementation of mandatory inactivity screen saver lockouts as a technical policy measure. One particular commercial offering has not yet gone to a new release (one we've been waiting on since 4Q2008), with expected pricing of $10-$20 per PC plus annual maintenance.

Alternatively, a very interesting freeware scripting and compilation tool called AutoIt has been available and improving for years. I haven't coded seriously in a long time and wasn't aware of this tool or its capabilities until recently. Surprisingly, the tool and its slick editor, along with lots of sample code and a large community of users, rapidly put me at ease. Although I didn't have much time available over the weekend, I plunged ahead anyway and developed a "Beta" solution for review and feedback. The CDS utility developed since then with AutoIt seems to do pretty much what we need and compiles into a reasonably small, single executable file that can just be dropped on the menu or the desktop - sweet. The latest version supports use of Active Directory groups to authorize specific systems, and logs CDS startup, activation, and exit events (user, timeout) to the local Windows Application event log and to a designated central logging server (if assigned and available).
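
Any tool that defers the lock is, by design, a bypass of a technical control, so the checks around it matter as much as the timer itself. The script below is an added example, not code from the original post or from the CDS utility, showing the three checks a practitioner would want before granting a delay: that the GPO-enforced screen saver lock is actually in effect on the machine, that the computer is a member of an authorizing Active Directory group, and that the decision is recorded in the Windows Application event log. It assumes Windows PowerShell 5.1 on a domain-joined host; the group name CDS-Authorized-Computers, the event source CDS-Example, the event IDs and the 900-second timeout are placeholders. It does not itself defer the screen saver.

```powershell
# Added example, not part of the original post or the CDS utility.
# Assumes Windows PowerShell 5.1 on a domain-joined host. The group name,
# event source, event IDs and 900-second timeout are placeholders.

$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$AuthGroupCN = 'CDS-Authorized-Computers'   # hypothetical AD group of allowed PCs
$EventSource = 'CDS-Example'                # hypothetical Application log source
$MaxTimeout  = 900                          # assumed policy: lock after 15 minutes

function Test-ScreenLockPolicy {
    # Read the policy-backed values Group Policy writes when "Enable screen
    # saver", "Password protect the screen saver" and "Screen saver timeout"
    # are configured. These policy values are stored as REG_SZ strings.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $active  = ($null -ne $p -and $p.ScreenSaveActive    -eq '1')
    $secure  = ($null -ne $p -and $p.ScreenSaverIsSecure -eq '1')
    $timeout = 0
    if ($null -ne $p -and $p.ScreenSaveTimeOut) { $timeout = [int]$p.ScreenSaveTimeOut }

    [pscustomobject]@{
        Active    = $active
        Secure    = $secure
        Timeout   = $timeout
        # Compliant only if the saver is on, password protected, and the
        # timeout is positive and no longer than the assumed policy maximum.
        Compliant = ($active -and $secure -and $timeout -gt 0 -and $timeout -le $MaxTimeout)
    }
}

function Test-ComputerAuthorized {
    # Direct membership only (nested groups are not expanded): look the
    # computer object up in AD and compare its memberOf DNs to the group CN.
    param([string]$GroupCN)
    try {
        $searcher = [ADSISearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
        [void]$searcher.PropertiesToLoad.Add('memberOf')
        $result = $searcher.FindOne()
        if ($null -eq $result) { return $false }
        $pattern = '^CN=' + [regex]::Escape($GroupCN) + ','
        foreach ($dn in $result.Properties['memberof']) {
            if ($dn -match $pattern) { return $true }
        }
        return $false
    } catch {
        # Off the domain or AD unreachable: fail closed, no delay.
        return $false
    }
}

function Write-CdsEvent {
    param([int]$Id, [string]$Type, [string]$Message)
    # Registering the source needs one elevated run; once it exists a
    # standard interactive user can write to the Application log with it.
    try {
        if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
            New-EventLog -LogName Application -Source $EventSource
        }
        Write-EventLog -LogName Application -Source $EventSource -EventId $Id `
            -EntryType $Type -Message $Message
    } catch {
        Write-Warning "Could not write event ${Id}: $Message ($($_.Exception.Message))"
    }
}

$policy = Test-ScreenLockPolicy
if (-not $policy.Compliant) {
    # A delay tool running on a machine whose lock policy is not even applied
    # is a finding in itself, so record it before anything else.
    Write-CdsEvent -Id 1001 -Type Warning -Message ("Screen lock policy not in effect: " +
        "Active=$($policy.Active) Secure=$($policy.Secure) Timeout=$($policy.Timeout)s")
}

if (Test-ComputerAuthorized -GroupCN $AuthGroupCN) {
    Write-CdsEvent -Id 1002 -Type Information -Message "Delay authorized for $env:USERNAME on $env:COMPUTERNAME (member of $AuthGroupCN)"
} else {
    Write-CdsEvent -Id 1003 -Type Warning -Message "Delay refused for $env:USERNAME on $env:COMPUTERNAME: not in $AuthGroupCN"
    exit 1
}
```

The event IDs give a central log collector something stable to alert on: a 1001 means the policy itself is not reaching the machine, while a run of 1003s on one host is the "unauthorized PC trying to defer its lock" signal worth a look.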

This excursion is aimed at saving us some hard cash - a good thing in tough times - while also making the consistent implementation of screen saver technical controls easier to live with for all involved. Additionally, the sheer ease of using AutoIt underscores how open source-like technology tools continue to develop, so even the free stuff can be the very good stuff.

Updated 11-16-2010
A SourceForge open source edition of the Corporate Delay Screensaver (CDS) utility - CDS-v100-Open - is now available for download with commented source code, use documentation, and an example AutoIt compiled executable at