I must
confess that, at least two months after it was available, I just listened today to
the recording
of the panel that I was on at the RSA conference in early March this year. Our
title was “Supply chain security for critical energy infrastructure” We had
all agreed afterwards that it went very well, and guess what…I can now confirm it
went very well!
The panel
members were the same ones as the panel I was on in 2018: Dr. Art Conklin of the
University of Houston (O&G security expert), Marc Sachs, former NERC CISO
and head of the E-ISAC and me. What was different was that our moderator in
2018, Mark Weatherford, had to bow out and was replaced this year by Sharla Artz, VP of Government
Affairs, Policy & Cybersecurity of UTC.
Last year,
we were told by the conference that some reviews pointed out that we agreed
with each other too much, so it made the session kind of boring. Even though we
didn’t consciously try to pick fights with each other, there was lots of
disagreement (friendly of course). But more importantly, I think the content is
very good, both in the panelists’ discussions and the Q&A afterwards (where
we had some really good questions). You may want to listen to the recording:
there are a lot of good points about supply chain security, CIP-013 and cyber
regulation in general.
Plus a lot
of humor. Marc had had neck surgery recently because – as he said – he’d jumped
out of too many airplanes when he was in the service, so he was wearing a neck
brace. There were various jokes that the real story was that we’d gotten into a
fight at a bar the night before, when we met to discuss the panel (that’s
patently not true. We didn’t meet in a bar) - although I helpfully pointed out
to Marc afterwards that the next time he jumps out of an airplane, he should
wear a parachute! He thanked me for this good advice, but said his doctor says
no more jumping out of airplanes.
My favorite part (which I didn't remember until I listened to the recording) was around 15:30 in the recording, when Art told a great story about risk management. He said that the security people at DoD had wanted to spend a lot of money (and since we're talking about DoD, I assume this is a whole lot of money) on some sort of widget that would solve some security problems for one part of the organization.
When they went to the higher levels of DoD to get the funding, they were asked whether there was some way in which DoD could spend the same amount of money - or even less - and mitigate a greater amount of risk. The security people answered "Sure, we could upgrade the whole Department to Windows 10 and finally get rid of all the old versions that are hanging around, causing security nightmares." But they were told "Oh no, we can't do that. It would be too hard."
So DoD went with the widget solution and spent more money mitigating less overall risk, because it was easier for them to do. This is a great example of why any security program should start with a risk assessment, and focus resources on the threats that pose the most risk; it is only by doing this that the entity can be assured of getting the most bang for their buck, in terms of total risk mitigated. And guess what! Not only is this the best way to comply with CIP-013, you're actually required to do this by R1.1!
My favorite part (which I didn't remember until I listened to the recording) was around 15:30 in the recording, when Art told a great story about risk management. He said that the security people at DoD had wanted to spend a lot of money (and since we're talking about DoD, I assume this is a whole lot of money) on some sort of widget that would solve some security problems for one part of the organization.
When they went to the higher levels of DoD to get the funding, they were asked whether there was some way in which DoD could spend the same amount of money - or even less - and mitigate a greater amount of risk. The security people answered "Sure, we could upgrade the whole Department to Windows 10 and finally get rid of all the old versions that are hanging around, causing security nightmares." But they were told "Oh no, we can't do that. It would be too hard."
So DoD went with the widget solution and spent more money mitigating less overall risk, because it was easier for them to do. This is a great example of why any security program should start with a risk assessment, and focus resources on the threats that pose the most risk; it is only by doing this that the entity can be assured of getting the most bang for their buck, in terms of total risk mitigated. And guess what! Not only is this the best way to comply with CIP-013, you're actually required to do this by R1.1!
All four of us are hoping we’ll be chosen to do the panel again next year, and that we’ll all be able to
participate again. I think the group has developed a great collaboration style,
so that the discussion is both very entertaining and very informative.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss this, you can email me at the same address.
No comments:
Post a Comment