Tuesday, May 21, 2019

Our RSA panel – recording available!



I must confess that, at least two months after it became available, I only today listened to the recording of the panel I was on at the RSA conference in early March this year. Our title was “Supply chain security for critical energy infrastructure”. We had all agreed afterwards that it went very well, and guess what…I can now confirm it went very well!

The panel members were the same ones as the panel I was on in 2018: Dr. Art Conklin of the University of Houston (O&G security expert), Marc Sachs, former NERC CISO and head of the E-ISAC and me. What was different was that our moderator in 2018, Mark Weatherford, had to bow out and was replaced this year by Sharla Artz, VP of Government Affairs, Policy & Cybersecurity of UTC.

Last year, the conference told us that some reviews pointed out that we agreed with each other too much, which made the session kind of boring. Even though we didn’t consciously try to pick fights with each other this time, there was lots of disagreement (friendly, of course). But more importantly, I think the content is very good, both in the panelists’ discussions and in the Q&A afterwards (where we had some really good questions). You may want to listen to the recording: there are a lot of good points about supply chain security, CIP-013 and cyber regulation in general.

Plus a lot of humor. Marc had had neck surgery recently because – as he said – he’d jumped out of too many airplanes when he was in the service, so he was wearing a neck brace. There were various jokes that the real story was that we’d gotten into a fight at a bar the night before, when we met to discuss the panel (that’s patently not true; we didn’t meet in a bar), although I helpfully pointed out to Marc afterwards that the next time he jumps out of an airplane, he should wear a parachute! He thanked me for this good advice, but said his doctor says no more jumping out of airplanes.

My favorite part (which I didn't remember until I listened to the recording) came around 15:30 in the recording, when Art told a great story about risk management. He said that the security people at DoD had wanted to spend a lot of money (and since we're talking about DoD, I assume this is a whole lot of money) on some sort of widget that would solve some security problems for one part of the organization.

When they went to the higher levels of DoD to get the funding, they were asked whether there was some way in which DoD could spend the same amount of money - or even less - and mitigate a greater amount of risk. The security people answered "Sure, we could upgrade the whole Department to Windows 10 and finally get rid of all the old versions that are hanging around, causing security nightmares." But they were told "Oh no, we can't do that. It would be too hard."

So DoD went with the widget solution and spent more money mitigating less overall risk, because it was easier for them to do. This is a great example of why any security program should start with a risk assessment, and focus resources on the threats that pose the most risk; it is only by doing this that the entity can be assured of getting the most bang for their buck, in terms of total risk mitigated. And guess what! Not only is this the best way to comply with CIP-013, you're actually required to do this by R1.1!

All four of us are hoping we’ll be chosen to do the panel again next year, and that we’ll all be able to participate again. I think the group has developed a great collaboration style, so that the discussion is both very entertaining and very informative.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.
