Saturday, December 29, 2012

Retirement and Opportunity - A Personal Note Going into 2013

Friends and family gathered last night to wish my wife and me the best during a Nebraska Public Power District retirement party. My retirement, effective October 31st, wraps up a twenty-one year career with a large, vertically integrated public power utility company. Also invited and present were some of my prior Behlen Mfg. Co. colleagues, where my career first focused on developing and supporting engineering and manufacturing solutions across a wide range of platforms and technologies.

Career and Technology Perspective. Those of us who have been in the information technology and security fields for several decades can easily look back at our own experiences and appreciate incredible advancements. When I started with Behlen Mfg., the systems were distinct and independent: a mainframe for business (IBM 3400 series), a mini for engineering design and schematics production (Synercom Technology's flavor of DEC's PDP 11/70), and a sprinkling of dedicated, often proprietary end user systems that ranged from graphics stations and word processing stations to dumb terminals (aka tubes). Behlen offered a great opportunity to work a wide range of challenges, from programming engineering and manufacturing focused solutions (generating bills of materials, etc., based on parametric inputs on the mainframe) to eventually "downscaling" some of the mini-computer steel building frame design/iteration programs to engineering PCs. This allowed the engineering team to further enhance and optimize frame building designs by speeding up an iterative process, permitting more than one design to be analyzed at a time, without huge additional spend. I also had the neat infrastructure challenge of directly supporting the mainframe VM and mini-computers: planning and performing key upgrades (OS, DASD storage, core to digital memory with salvage parts, etc.). Behlen was also where I helped bring on the PC revolution with computer aided design (CAD) systems, including some useful CNC (computer numerical control for manufacturing automation) and more broadly used office productivity software, establishing networking (3COM, Banyan Vines), while coding up some very useful Turbo Pascal applications.

After five years with Behlen, joining NPPD offered additional opportunities to bring on server and PC local area networking (LAN) advancements, and to see a very large commitment to mainframe based computing continue scaling up before being rapidly phased out of the organization with a Y2K focused large ERP (Enterprise Resource Planning) implementation on mini computers. Networking during this time frame eventually transitioned from distinct architectures and implementations to the now ubiquitous TCP/IP protocol. The Internet opened up with the first killer app being email, followed by continued World Wide Web and search engine advancements to help access rapidly improving capabilities while also making the Internet broadly more accessible and useful.

Over the years we have seen the rising flood of information technology increasingly encompass everything we know and care about: smaller, faster, decreasing in cost and increasingly connected. Computing power that in the early commercial days took a building with dedicated staff now fits in the palm of our hands, a thousand times faster, representing over a billion-fold price/performance improvement. All this change reflects an exponentially paced advancement that is continuing and, according to some, further accelerating.

Increasing connectivity, capability, and dependence on information technology dynamically and dramatically ramps up real world risk considerations. Today, a solid grasp of the security issues, including compliance, must be factored into technology strategy and decisions for organizational success.

Cyber Security Focus. Since 2002, my focus at NPPD centered on cyber security in corporate and increasingly operational settings, e.g., fossil, nuclear. While this work with colleagues was rewarding, an opportunity emerged after reaching retirement eligibility mid-2012 to join the ES-ISAC (Electricity Sector Information Sharing and Analysis Center), supported by NERC (North American Electric Reliability Corporation). I have accepted the challenge, directly supporting the ES-ISAC at NERC in Washington DC.

The focus on mandatory standards and compliance enforcement dominates much of what electric utility entities think of NERC since the Energy Policy Act of 2005 and the ERO (Electric Reliability Organization) designation by FERC (Federal Energy Regulatory Commission). The challenge for the ES-ISAC is to continue building capabilities and trust with the industry, federal partners, and regulatory bodies while also striving to be increasingly forward leaning in anticipating and appropriately addressing key security challenges using automation and more traditional methods, such as NERC Alerts. The key industry security focus areas for the ES-ISAC looking forward into 2013 include building out operational capabilities under development and further bolstering core programs (e.g., assessments, exercises) and outreach (e.g., webinars, workshops).

Federal bodies remain acutely interested and inquisitive about what the electric power industry is doing to address security concerns, even as related standards advance and the scope of enforced compliance rapidly expands across the industry under FERC- and NRC- (Nuclear Regulatory Commission) driven oversight, auditing, and inspection.

I expect cyber security to continue being a challenging and rapidly evolving critical infrastructure arena.  This is an exciting time to be engaged with critical infrastructure protection!

Monday, August 6, 2012

Rules of the Game Still Apply (Terrorism)
1989 G. Gordon Liddy Article Continues To Resonate

As an avid Omni magazine reader years ago, one particular "after-the-fact" fictional article from the January 1989 issue captivated my attention, penned by former Nixon Administration convicted confidant G. Gordon Liddy.

The fictional memo characterizes critical infrastructure concerns and analysis from postulated events that in many ways remain applicable and a challenge today:

    - Since 9/11, air terminal facilities security upgrades provide substantial mitigation from the threat of liquid metal embrittlement (LME) agents.
    - Potential electric grid physical attacks on high voltage transformers across a wide area would be quite debilitating and difficult to recover from, even with progress on spare transformer programs. Other significant physical grid damage blackout risks include larger area electromagnetic pulse attacks (commission findings) and geomagnetic storm events, being addressed by NERC's Geomagnetic Disturbance Task Force (GMDTF).
    - 5. COMPUTER DATABASE ERASURE OF WALL STREET, SIX FEDERAL RESERVE BANKS, TWO IRS SERVICE CENTERS, SEVERAL OF LARGEST COMMERCIAL BANKS, AND NUMEROUS CORPORATIONS PRODUCES FISCAL CHAOS - since 9/11, financial organizations have bolstered offsite backup facilities and continuity planning that would help at least in part mitigate the impact today.

The memo goes on to provide insights and recommendations:
  • ... the "prayer" of public officials has always been that a disaster will be either so immense as to be perceived as an "act of God" and thus engage the loyalty and team spirit of both the government and a patient populace or so small that it will go away by itself. The dread of officials is the one in between, affecting more than one choke point, the one with which government cannot cope. It is dreaded because it damages the faith of the people in their government and the way of life.
  • .. current situation is a nightmare. The people know this was not an act of God. What has happened is so immense as to be almost incomprehensible to them. The people expect their government to do something about it; to fix the problem and punish those responsible. And the American people are not patient.
  • .. delay in the use of force, and hesitation to accept responsibility for its employment when the situation clearly demands it, will always be interpreted as a weakness. Such indecision will encourage further disorder, and will eventually necessitate measures more severe than first instance."
    --The United States Marine Corps Small Wars Manual (1940), page 27, paragraph (d)

Cybersecurity continues gaining an increasingly important role in bolstering critical infrastructure security against a rising flood of IT risks, including those associated with the Smart Grid. The potential for serious impacts from physical or blended attacks also demands ongoing attention.

Monday, February 20, 2012

NERC CIP V5 Drafting: Showstoppers and Tune-Ups Addressed
-Honeywell-Matrikon's Team Shares Latest as Key Next Draft Forms Up

Updated 2/24/2012
NERC CIP V5 continues to form up since the first ballot failed to pass, even as much of the industry incrementally focuses more on CIP V4. The NERC approved V4 adds up to a rather straightforward application of CIP V3, plus prescriptive bright-line criteria to determine facilities in scope (instead of the owner developed risk based assessment methodology permitted previously). NERC CIP V5 is a whole new ball game.

Latest on NERC CIP V5 - Proposed Changes

Honeywell-Matrikon's [in]Security Culture Blog and webcasts continue offering solid insights for organizations focusing on where the CIPs are heading and addressing related compliance challenges. From the Jan 30th posting SDT Meeting updates – Or, an informal open letter, Tom Alrich provides his opinions regarding the direction on a set of key V5 draft issues:
  1. Inventory for Low-Impact Assets
    - First draft would require an inventory of all assets for compliance. This is in conflict with the SDT's intent and should be resolved in the next draft.

  2. Asset Identification
    - First draft has a fatal flaw of requiring review of all assets to identify the BES reliability Operating Services supported. The next draft should return to the approach of starting with facility identification before going deeper to supporting assets, a much more feasible and reasonable methodology.

  3. DPs and LSEs
    - To only be included if they have one or more systems meeting the bright-line criteria.

  4. TO Control Centers
    - Transmission operators (TOPs) already on the hook, no need to also burden transmission owners.

  5. Blackstart Plants
    - First draft's direction of raising all to Medium Impact would be counterproductive to reliability. Generators have a choice on whether or not to participate in regional blackstart plans and the cost of CIP compliance significantly exceeds typical financial benefit. Many anticipate large withdrawal of blackstart units nationwide from plans, some say this is already happening. A compromise proposed would assign blackstart to Low impact if no external routable or dialup connectivity is used.

  6. Power Plant Thresholds - 1500 MW
    - Right now very few plants meet this threshold for cyber assets, given that multiple industrial control systems, not a single cyber system, typically support production. Many see it likely FERC will decide to lower this threshold given increasing concerns about having sufficient bulk electric assets addressed.

    2/23 Update - A simple thought experiment:
    "How much of the Bulk Electric System would remain available if all related facilities not in the scope of NERC CIPs or Nuclear (NEI 08-09) were taken out of service?"

    Honeywell-Matrikon's latest post by Tom Alrich explains more -
    Version 5: About those Large Plants…. (2/23): ".. The main question is whether FERC will be pleased with 7.2 percent of non-blackstart generating units being part of a plant that will be a Medium Impact facility under CIP Version 5 or a Critical Asset under Version 4."

Thursday, January 26, 2012

Project Basecamp 2012 a Hit... Are We Really Ripe for More Attacks Like Stuxnet?
-Researcher Ralph Langner says "Yes" at NATO Keynote.

Project Basecamp a Hit - But Will It Work?

Researchers participating in Project Basecamp clearly demonstrated during DigitalBond's S4 conference this month just how extremely fragile and vulnerable many Industrial Control Systems (ICSs) remain to targeted cyber attacks. Amazingly, a number of the persistent vulnerabilities are poorly devised "features", in addition to a bucket load of underlying software flaws. Tools released include point-and-click Metasploit modules. All of this effort to extensively demonstrate persistent ICS security problems is ultimately intended to wake up C-level executives and help amp up pressure on the vendors for secure replacements ("a Firesheep moment"). Regardless, don't expect much soon, as many experts agree we've seen ten years pass with few ICS vendor security improvements. DigitalBond's site continues dishing up excellent interviews (podcasts), videos, and blog entries worth paying attention to for those interested in ICS security.

What about Stuxnet - More to come, or really just a one-time event?

Here's one of the most insightful, solid presentations available explaining how Ralph Langner and team pulled apart Stuxnet, what they found, and the broader implications. While the Stuxnet Windows "dropper" was top tier malware in many ways, including multiple zero-days, the real rocket science was the approximately 15,000 lines of crafted industrial control system (ICS) malware, the "digital warhead" payload, developed by seasoned engineers (Langner's opinion, not just "hackers") targeting specific nuclear enrichment ICS assets.

Mr. Langner makes a solid case that this was a highly successful attack (like a missile) which invites an escalation for more to come. The code and modular approach itself is reusable in many ways. He's also written a book, "Robust Control System Networks: How to Achieve Reliable Control After Stuxnet", that ICS engineers and others can benefit from, focusing on designing ICS systems with robust security baked in.

Today (1/26) Safari Books Online has followed through on their promise to make Langner's book available to members at my request in 2011, oh yeah!

Thursday, January 12, 2012

Welcome 2012: Leaping Into The Future With A Singularity Primer
-"On track" per Ray Kurzweil as he answers the latest critics.

The future is a topic I've always enjoyed focused, insightful perspectives on, and it seems like a good one to get my blogging mojo back in gear for 2012.

As I touched on in a decade-plus forward look 2010 posting, Ray Kurzweil's 2005 book "The Singularity is Near: When Humans Transcend Biology" (672p) provides a science derived, profound view of how exponentially accelerating IT is driving ever increasing broader advancements. A very well executed and cited work in my opinion, with anticipated continuing advancements resulting in very dramatic changes affecting humanity over the next several decades (2020s genetics, 2030s nanotech, followed by an intelligence take off, already in progress, i.e., the technological singularity). One does not have to agree with all the points and conclusions raised in order to appreciate and gain much. This work was also released in 2011 as an Audible audiobook (unabridged, 25 hours).

Singularity Primer 2012:
  • Seminar Podcast: “Kurzweil's Law”- Ray Kurzweil (106m) - The Long Now Foundation - audio download is free

  • Video/Article: Kurzweil: 3 Supplements To Let You Live Until The Singularity (1m) May 2011
    - Coenzyme Q10
    - Phosphatidylcholine (derived from lecithin)
    - Vitamin D (perhaps the most critical of the three)

  • Movie: Transcendent Man (2009) - Netflix Instant Play. Inventor and futurist Ray Kurzweil is the subject of this documentary that follows him on a world speaking tour in which he expounds on his ideas about the merging of man and machine, which he predicts will occur in the not-so-distant future. The visionary who invented the first text-to-speech synthesizer and much more raises eyebrows here with his wildly optimistic views of a technology-enhanced future. I give it a B- rating, but it is worth seeing once for most.

The Singularity is something that may ultimately be an overwhelming primary factor in shaping our future. Very interesting indeed!