Tuesday, December 6, 2011
Take Your Pick
In the recent TechNewsWorld article by Richard Adhikari, "Study: Electric Grid Needs Full-Time Cyberguard," I was quoted as saying "We would welcome a single authority." At the end of that sentence, I also said "whoever that may be: DOE, DHS, etc." Note that I wasn't favoring any agency over another. The discussion was in reference to a recent report released by MIT, "The Future of the Electric Grid."
It is certainly true that the legislative, regulatory and overall policy sands are shifting. The existing bulk power system security regulations (NERC CIP) are changing. Multiple federal agencies are competing for authority over grid security. The distribution system, with its deep relationship to the consumer side of the grid modernization (smart grid) push, is hotly contested between the state commissions and the feds.
All of this confusion has a numbing effect on utility executives. They are traditionally risk averse to begin with, and the policy forecast essentially indicates a 70% chance of storms ahead. The unintended consequence is that many organizations will only do the bare minimum required to be compliant with today's regulation. It is difficult to justify dedicating resources to future efforts when there is a significant possibility that things could change and that money may have been wasted.
With all of this churn, yes, I do think that some focus and harmonization in the policy landscape would be a good thing. Who can do this best? Well, the jury is still out on that one. I think all of the proposed agencies have their pros and cons. Ask me again in a year or so.
Friday, December 2, 2011
14 Seconds
I'm still a nobody (so I don't really qualify for a full 15 seconds) but I've been getting some media hits lately. Everyone told me, and I believed them to a certain extent, that everything you say can be twisted. I've dealt with many people who do just that and I have always felt that the truth will surface no matter what. Truth is like data. It wants to be free.
I sincerely make every effort to be balanced in my statements/positions and always say the good with the bad. My personal belief is that there's always good to be found. At times when I can't see it immediately, I try to drop the ego or emotion and look a little deeper. Invariably, it's there. With this in mind, I decided to dust off my personal blog and use it as the future platform to correct any misstatements, quotes taken out of context or just add the "whole story" where necessary.
So, let me start with the recent set of articles about various SCADA security topics (http://goo.gl/Kty17, http://goo.gl/KcvCh and http://goo.gl/txIDp). It is true, those statements are mine, and I did provide them in email interviews. They're actually pretty close to the mark, but I'd like to add a few of my other statements that were omitted, just for context...
"All of the above (and more) lead to a state where many are forced to operate with aging infrastructure extended beyond its lifespan. Note however, that many staff at municipal utilities are actually remarkably dedicated and resourceful people. They have to be, given the circumstances."
"The threat is somewhat exaggerated, but it is still very real. The vulnerabilities are underestimated."
Please understand that I'm not casting aspersions on the Municipal Utilities of the world. Some are further along the security maturity path than others, but I have worked with many of them and I find them to be amazing people and amazing organizations.
Tuesday, March 8, 2011
Beyond The Bullets

It’s been a while since I’ve posted. I’ve been busy, among various other pseudo-legitimate excuses, but something happened at a meeting recently that caused me enough pause to actually carve out time for a quick blog post.
I was discussing some trends from recent meetings when a participant began venting his frustration with a few of the bullets in one of my past presentations. I made a genuine attempt to explain that I don’t just read the bullets on the screen and go away. Rather, I provide context and backstory to each bullet while presenting. I gave him the context and backstory to the bullets of his concern, but that didn’t seem to satisfy his frustration. Which is OK. I know I can’t please everyone. I’m certainly open to constructive criticism (as anyone who knows me from my WECC CIP Audits and Investigations days can attest). The fact that someone was frustrated with me and my content wasn’t the issue that spurred me.
The rub is that people actually think a PowerPoint presentation stands alone by itself. It doesn’t. Bullets are (or should be) used to cue the presenter’s thought process and to provide valuable descriptive elements surrounding the bumper-sticker-bulletized blurb on the screen. You might get a fraction of the intended substance from the bullets in the slide deck but, assuming the presenter is worth a dime, the presentation itself – given by the presenter – is where the real value resides. Whether webcast or in-person, the presenter should make an attempt to go beyond the bullets.
If you read something in a presentation that sets you sideways – or if you read something that really resonates with you – take either emotion with a grain of salt. After all, you’re only getting part of the story. If you can’t make it to the presentation then consider emailing or even calling the presenter to get the complete and intended message.