ICANN/GNSO GNSO Email List Archives

[ga]



[ga] The New National Initiative for Cyber Security: SCADA Security in the Cross-Hairs

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] The New National Initiative for Cyber Security: SCADA Security in the Cross-Hairs
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Thu, 08 Jan 2009 00:19:09 -0800

To all who should be concerned,

  There will be more of these meetings in other locations that
will be announced later but very soon.

Subject: Update: The New National Initiative for Cyber Security: SCADA
Security in the Cross-Hairs

Date: January 8, 2008

President-elect Obama will soon announce the consolidation and elevation
of the nation's cyber defense against the waves of cyber attacks that
are stealing terabytes of sensitive data from DoD computers, the defense
industrial base, and seizing control of industrial computers in the
critical national infrastructure.  A primary focus of the new leadership
team will be raising the defenses and improving the cyber-response
capabilities of utilities to shelter them from increasing extortion
attacks (that have already led to multi-city power outages outside the
US) and to reduce the risk to the reliability of the nation's power supply
and other critical services.

In four weeks, the process control and IT security managers from most
major utilities will be meeting with leaders from US regulatory and
oversight agencies, state public utility commissioners, and the most
advanced researchers and SCADA security experts to fully define the
challenge and to identify the most promising practices for dealing with
it.  If you have any role in SCADA or control systems security, this is
a meeting you will not want to miss.  It is in Orlando, Florida on
February 2-3.  The whole agenda is at http://www.sans.org/info/36908

At the Summit, people who actually know the answers and are in a
position to implement them will be answering the following questions:

For example, Garry Brown, Chair of the Public Service Commission of New
York, will be leading two important sessions at the Summit.  The first
will cover the future of the smart grid - followed by an intense
discussion of the security issues surrounding the smart grid; the second
will cover how to talk about security issues in language that public
utility commissioners can understand. In addition, the FBI will be there
to explain what they are seeing. Also, the person who is in charge of
changing the NERC CIP standards, to make them effective, will be
explaining what is happening on that front.

The sessions will focus on answering these questions and giving you
tools that you can apply as soon as you return to work.

 1. How did the threat to control systems change during 2008? Who
 are the new attackers? What kind of damage have they already done?
 What can they do?

 2. What big threats are being ignored by the utilities?

 3. Exactly how do attackers penetrate the defenses that have been
 established by most control system users? What are the principal
 vulnerabilities in control systems, and how should they be prioritized
 for mitigation?

 4. How will the NERC CIP regulations change in 2009? What can you
 do now to get ahead of the changes?

 5. What are the plans for the US smart grid, and how will it be
 secured?

 6. What are some of the most valuable lessons learned
 by leading asset owners to improve security of control systems? For
 example:  How one utility enabled outsiders to gain access to their
 systems during the hurricane aftermath while maintaining security.

 7. How can utilities educate their Public Utility Commissions so
 that investments in cyber security may be included in the rate base?

 8. What techniques are the most advanced control-systems users
 implementing to mitigate the threat? How are they training their
 people?  How are they balancing information technology and control
 systems needs?

 9. How can utilities gain top management support for major security
 initiatives?

 10. Which SCADA security research projects have shown useful results?
 How can asset owners put those findings to work?

 11. Which control-system vendors have made the most progress on
 implementing the new standards for secure configuration of their
 products?

 12. What tools have governments developed that make security of
 control systems more effective and efficient?

In addition to the Summit, several courses are being offered to help you
hone your skills.

Free Training from the Department of Homeland Security CSSP and DOE:
 - Introduction to Control System Security for IT Professionals - This
 lecture-based course consists of several modules providing students
 with basic control systems definitions and identification of key
 components and protocols to major applications and architectures within
 critical infrastructure and key resources (CI/KR) sectors.

 - Intermediate Control System Security - This technical, hands-on
 course is structured to help students understand exactly how attacks
 against process control systems could be launched and to provide
 mitigation strategies to increase the cyber security posture of their
 control systems networks.

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln
"YES WE CAN!"  Barack ( Berry ) Obama

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827


