I had the pleasure of attending Open Group Conference Boston just two weeks ago. Historically, this conference aims at bringing enterprise architects together from various industries to talk about important architectural issues. This time around, they dedicated track sessions to the security topic. Among other things, I had an opportunity to record a podcast with Dana Gardner, Gen. Harry Raduege, and Jim Hietala on the topic of cyber security.

You can listen to the full podcast at the Forrester page as well as catch the synopsis of the conversation at Dana Gardner’s blog. 

Cyber security has gained quite a bit of attention in the past year or so. Although the concept has been discussed for almost a decade, the evolving nature of threats has created lots of buzz recently. There are numerous threat vectors and thus, diverse targets. Increasingly, data espionage, identity theft, cyber attacks on the critical infrastructure, denial of service (DDOS), and advanced persistent threats (APT) are coming to the surface. Public and private sectors alike are concerned about the targeted attacks that are aimed at stealing confidential data, which produces a domino effect and harms companies' brand names and operations.  

In the past 18 months we have seen many examples and scenarios that highlight the cyber security discussion. For instance:

I was just reading the recent Elinor Mills interview with Joe Weiss, and I wanted to share a few of my thoughts on the subject of securing industrial control system (ICS). Security for industrial control systems is an important topic in the modernization of critical infrastructure components. Sometimes we get too hung up on concepts like Smart Grid, but we forget that we've been dealing with similar systems for some time now. Currently, supervisory control and data acquisition (SCADA) and programmable logic controllers (PLC) systems are commonly found in electric, oil, gas, and water environments. Over the years these components have gone through varying degrees of modernization, but they are no less susceptible to security threats than smart meters or grids.

Just this week on Tuesday, NIST published release 1.0 of the smart grid interoperability standards. Most notably, this is the first attempt to address cyber security in smart grid deployments. This release points to various standards that can be used for implementing interoperability and security controls, and it’s fair to say that it plants the seeds for what should become comprehensive, control-driven guidelines for implementing various aspects of smart grid.

The timing of this report is perfect, as current smart grid rollouts are often criticized for lack of proper security controls. Our utility customers have shown similar concern about the lack of planning for information security before the roll out phase. This lack of security and risk management perspective in the smart grid ecosystem can jeopardize the overall objective of these smart energy initiatives, and it’s about time that we devise a game plan going forward.

The NIST publication will be an important piece of work as it brings various standards, bodies, and regulators like IEEE, NERC, and FERC to the table. Note, this is not a control based standard like others published by NIST, but a guideline to other frameworks that should be referenced when working in a smart ecosystem. A more control based work on cyber security in smart grid is in development and the draft of these standards is available for public review.

A few important highlights to pay close attention to in the cyber security sections are:

I attended McAfee’s analyst day at its FOCUS 09 Security Conference last week in Las Vegas. It was interesting to see former army general and Secretary of State General, Colin Powell, addressing an information security audience. He attended the same university as I did — City College of New York — so I especially enjoyed cheering on a fellow alum. His speech was very relevant to the security arena, as he discussed the danger of vulnerabilities within any information system and the critical need to safeguard against them. Of course, it fit very well with McAfee’s story, as McAfee CEO, Dave DeWalt did a good job continuing the military theme. However, I still left with feeling of wanting more — perhaps expecting McAfee leaders to say something more concrete about what it all means for them. Do they want to help with cybercrime, cybersecurity, and critical information protection? Will they be working more closely with government in information security initiatives?

(On a positive note, Colin Powell became an unexpected customer reference, as he mentioned recently licensing McAfee antivirus for his personal laptop.)

Along with many executive briefings I had with product managers and marketing folks, there were several highlights for me:

I attended a Cisco Systems briefing early this week about its Smart Connected Communities initiative. Once again Cisco demonstrated its forward thinking by bringing together various government initiatives under the umbrella of what they call Smart Connected Communities.  A Smart Connected Community is built on IP-based infrastructure. This means that all of the critical components of a city infrastructure like utility, transportation, healthcare, commercial buildings, and emergency response systems connect via an IP-based network.

Overall, it was a good update briefing. But I was surprised to hear just how confident Cisco is that securing this networked infrastructure is a no brainier. When I asked the presenter: “Given that network infrastructure is not nearly as robust and secure in some emerging geographies, how are you planning to ramp up the backbone and make the network secure enough end-to-end to run smart services?”