For six years running, the EnergySec Summit has proven to deliver the highest value when it comes to Energy/Electric Sector security events. And no, I’m not just saying that because I’m on the Board of Directors [FD]. I say it because I have yet to see another conference where such a diverse body of professionals meet under one roof and actually talk to each other. The variety of attendees ranges from all organizational strata of electric asset owners spanning the operational and business groups, State Regulators, Feds of all agencies, national labs, consulting firms big and small, security product vendors, industrial control systems vendors, research firms, and universities.
But it’s not enough to just get great minds to the table. The magic is when those great minds begin sharing in ways they hadn’t before, thus generating a result that is greater than the sum of its parts. The EnergySec culture draws this out of you. The collaborative spirit is simply pervasive and infectious. There is no singular agenda or axe to grind. The audience isn’t just there to listen and blink at powerpoint slides from the so-called “experts” all day. Instead, all attendees are recognized as experts and they are active participants in the event. You can’t help but leave empowered with new connections, new knowledge and an invigorated desire to do more for your company and your industry. Sure, this happens at many conferences, but there is something unique about the EnergySec vibe that takes it to a different level.
The information sharing grass roots effort known as EnergySec today has matured from its humble beginnings back in 2004 as Energy Security Northwest (E-Sec NW). Those original meetings of adjacent asset owners over lunch and the mailing list were the seeds of something great. The membership started as an all-volunteer group with no real organizational structure other than a loose “board” of moderators who maintained the vision of the EnergySec culture. They fostered it through technological advancements and beyond into non-profit status as a 501(c)(3) company. Today, it boasts 380+ members, 102+ organizations, 50%+ North American Generation, 65.3%+ North American Distribution, etc.
Ok, so back to the Summit... ICF International [FD: my current employer] kicked things off with a networking breakfast on Day One. I followed with my “Energy Sector Crystal Ball” spiel to kick off the event and set the mood. I really tried to keep it FUD-free and just talk about trends I’m seeing within the industry. Carol Hawk of the Department of Energy then walked through some of the projects they are currently working/funding - one of which is the National Electric Sector Cybersecurity Organization (NESCO). More on this again later. Mike Mertz of PNM then presented on security policy. His subtitle was “The most important element for Security and Compliance.” By the time he was done, he had me convinced. Mike always has such a great way of getting to the core of the issue and providing actionable take-aways. Bill Hunteman of DOE was up next to tell the group about the department’s strategic direction for smart grid security, an area in which nearly everyone is interested. Bill was followed by Brian Girardi of NetWitness presenting on network forensics & advanced threat analysis for critical infrastructure - an area where NetWitness is recognized as a practice leader.
Then came lunch, sponsored by NetWitness and more networking. I eavesdropped on several conversations as I usually do and joined in as many as I could. I am always surprised to see how much fusion happens when the walls come down and the silos are broken.
Lunch was followed by an entertaining and insightful presentation from Mike Assante (now with NBISE, formerly NERC Chief Security Officer). I particularly enjoyed the parallels between suicidal squirrels and the threat actors, but this portion of his talk was curiously left out of the presentation he provided to EnergySec for posting (I’ll see if he’d be willing to furnish the un-redacted deck). Suicidal squirrels aside, Mike had some solid and sobering wisdom to share about how regulatory compliance has affected cybersecurity for the industry. Jack Whitsitt, Sr Critical Infrastructure Cyber SME supporting the Transportation SSA followed Mike with a technologist’s admission of inadequacy, the executive’s role in national cybersecurity. Though Jack doesn’t come directly from the power biz, he knows industrial control systems security and his subtle-but-wry humor and acute technical references really fit the audience well in my opinion. Tim Erlin of nCircle was next with a talk on configuration auditing and vulnerability management in the NERC CIP era. Short of the free tool Nessus, nCircle probably has the largest presence in the vulnerability and configuration management space within the electric sector, based on what I’ve seen as an auditor and consultant.
Day One closed with a panel on the Summit’s primary topic, the intersection of security and compliance. The panelists were: Josh Axelrod, WECC CIP Audits and Investigations Team Lead; Dave Norton, Entergy Policy Consultant - Critical Infrastructure Protection; Mike Assante, NBISE President and CEO; Mike Mertz, PNM Resources Sr Project Manager of FERC Compliance and Ben Miller, Constellation Supervisor of Information Security Operations. As you can probably imagine, this was a lively debate. There was no shortage of opinions, from the panelists or the audience. A recurring thread was that the existing NERC CIP standards may be decreasing security in some (but not all) implementations for the sake of compliance. Some great examples of satisfying both security AND compliance were also provided. It was a fantastic way to end the day and really primed the discussions during the reception.
Big thanks to nCircle for providing drinks and hors d'oeuvres. Liquor and food have a funny way of changing the dynamic. After a day immersed in the collaborative culture and high-value content, minds were reeling and ruminating. What was left of the inhibition to release opinions quickly vanished, which made for weighty and direct conversation. I eavesdropped some more, made more new friends and had my fair share of the hotel’s Bourbon.
Day two started with Tim Roxey, NERC Manager - Critical Infrastructure Protection. Tim’s presentation did a fantastic job of capturing the complexity of today’s power grid. The analogy of flocking birds as the intelligent future of power management was very intriguing. The vulnerabilities in such a complex system are not being fully considered - yet. Next came the highlight of the event in my opinion. James Arlen (Push The Stack Consulting) reinforced the information sharing purpose with his presentation “SCAD’oh - An Agnostic’s View: stop the ‘us v. them’ and come together to solve the problem.” James delivered the message with refreshing candor and corrosive humor. No one was safe. We all got a chance to laugh at each other and ourselves. We were all well aware of many opportunities for self-improvement by the time James left the stage. But everyone needed to hear every single word. If there was any ego remaining in the room, they simply weren’t listening.
Up next was Steven Parker, EnergySec Director. Steve used puzzle pieces handed out at the beginning of the event to convey his message of sharing and collaboration. Each attendee put their name on their piece and then handed them back at the end of Day One. On Day Two, the puzzle was available for assembly at the registration table. The message: we are all parts of the cybersecurity puzzle. Only when we work together do we form the complete picture. Steve also included a briefing on the EnergySec state of the union including the announcement of the formation of the NESCO. The event was wrapped up by Sean McBride of Critical Intelligence with a presentation on developments in ICS defense. As usual, Critical Intelligence hit the mark based on their deep involvement in the subject. CI provides the light version of their open-source intelligence reports to EnergySec members.
Day Two ended with a final networking lunch. You probably guessed it but I eavesdropped again, chatted more and exchanged contact details on napkins because I was out of business cards.
Throughout the event I received strongly positive feedback from the attendees on the quality of the content in addition to the networking/collaboration benefit. It may sound like a big hugfest or kumbaya session, and it was to a certain extent but there was also plenty of dissenting opinion and experienced debate to keep things balanced. No doubt that everyone likes to know they're not alone in the difficult struggle to secure the North American power grid, and the level of professional exchange is what makes the EnergySec Kool-Aid taste so good.
Another interesting addition this year was the live tweeting from the event and commentary/discussion from those on the floor and those who were unable to attend. The real-time discussion went beyond the walls of the conference room. Very cool indeed. I finally met a bunch of people from Twitter face to face...
...to name just a few.
Lastly, a HUGE thanks to Lisa James, EnergySec Chair and her supporting cast of volunteers, Jeri Freimuth and Ed Croft. I’ve been to very expensive conferences with paid armies of staff and the EnergySec logistics were better.
I’d like to close the post with a brief note about the National Electric Sector Cybersecurity Organization (NESCO) mentioned above. EnergySec was awarded a $5.8M grant over three years to stand up the NESCO. The NESCO will be supported by EPRI and their collaborative as the research element, NESCOR - the “R” is for resource. Some details are in the presentations from Carol Hawk, Bill Hunteman and Steven Parker. You can read more in the official press release. If you are interested in hearing more, contact Lisa James, EnergySec Chair at email@example.com.