It's taken me a couple weeks to get this note out, but better late than never, right? I had the opportunity to attend the 6th EnergySec Summit in Denver, CO, a couple weeks ago. EnergySec was interesting in that it brought together people from all levels of the business, along with vendors, regulators, and consultants. It was great to meet a lot of people, and even better to start gaining a better understanding of the problems facing this industry.
Perhaps the most striking impression I had in walking out of the Summit was just how crushed (and paralyzed) the industry is as a result of well-intentioned, misguided regulations. If you think that PCI is challenging, then multiply it by a million, and be sure to introduce a number of contradictory and incompatible requirements. That seems to be where this sector is today, which is a bit troubling considering just how vital it is to our very existence.
Stop and consider for a moment, if you will, how important electricity is to your life. Now, consider what happened the last time you lost power at your home or office for more than a few minutes. How did you fare? What did you do? Now extend that from minutes to hours to days, and maybe even weeks. Suffice to say, our entire way of life would be completely challenged. I think of my current home, which runs entirely on electricity (heat, AC, stove, oven, water heater, communications). A multi-day outage would not be a good thing.
What's heartening is that the energy sector is turning the corner on realizing that cybersecurity is important and necessary. Unfortunately, they seem to be, in many ways, attempting to reinvent the wheel rather than learning from other industries. This is, I'm afraid, all too common. It's a type of combined hubris and ignorance, in that sectors often think that only they are positioned to properly solve problems in their environments, even if those problems are largely congruent with problems encountered in other sectors. Case in point, as we see repeated throughout recent history, every time a new platform becomes available (e.g., Smart Grid) we end up starting from square 0 with infosec.
Making things worse is a ridiculously over-the-top regulatory environment that is literally hurting rather than helping. It's hard to overstate just how squashed businesses in this sector feel. At the same time, despite crushing regulations, we continue to see initiatives like Smart Grid charging forward (complete with federal and White House backing, nay, pushing), despite the fact that platforms that have been broken for well over a year remain unfixed. Broken technology is literally being deployed in the field with no expectation for remediation. In what world does this make sense, even if we don't consider that this is perhaps the most important industry we have today?
As an outsider looking in, there is a good opportunity if we can get the right people involved. Unfortunately, very few worthy people are interested, in large part due to the onerous regulatory landscape, but also due to the "old boys club" nature of the industry. Breaking into the industry is clearly a daunting challenge, and one that will simply take more time than is probably worthwhile for all but the hardiest of infosec professionals. To top it off, there are a lot of posers in this sector who are beating various drums (often in support of their own products), but who aren't actually benefiting the industry. All of this is troubling.
In retrospect, this industry is currently hanging from a noose of its own choosing. Bad decisions were made decades ago that are now overcomplicating the way forward. For example, the grid is generally based on a centralized model of apps hosted on systems, rather than relying on a distributed network of embedded systems that were specifically engineered for a task. If you were to remove full-function operating systems from the equation, then attacks like Stuxnet would not have been possible because the vulnerabilities it exploited would have been isolated or removed (in theory, anyway).
It seems to me that this industry is ripe for a sea change in thinking and design. I'll write about this more separately, but allow me to sum it up with the notion that these systems are perfectly suited for adapting a networked systems survivability model for defense and recovery. Survivability is fully compatible with notions like reliability with which the sector is already familiar and comfortable. It is only a small, yet logical, step to start looking at this all in terms of the defensibility and recoverability of these critical systems.
At the same time, the sector would also benefit from a wholesale change in models. In particular, part of the threat to the reliability and survivability of these systems is due to the highly important central command-and-control systems in place. Moving to a distributed model, such as by moving to micro-generation (i.e., changing from power distribution to distributed generation), could turn the industry on its ear, improving security, all while still allowing energy companies to exist and profit. It also potentially meets other goals around reducing environmental impact and achieving sustainability that are as desirable as Smart Grid (and which are, incidentally, part of the key motivators behind the White House's support).
The bottom line is this: the game cannot be won, which means it's time to change the rules of play. We need to swiftly revamp the regulatory landscape, but at the same time we also need to take dramatic steps to move toward a survivability mindset that fundamentally alters how the business is approached. If these two initiatives are brought together quickly, then we can jump the curve to the next generation, with strong benefits to everyone involved. If you make the core infrastructure less critical while producing better solutions, then security/survivability will emerge as a property. However, to do this, we need to stop shooting ourselves in the foot. Anyway...
Overall, I greatly enjoyed the Summit and look forward to attending again next year. In the meantime, I'm now pondering what li'l ol' me can do to help trigger changed thinking around these topics.