A few words from Tim Roxey

Anybody who has been at all involved in cybersecurity for the US electric power industry for more than just the last two years knows who Tim Roxey is – and if you don’t know (or you’d like an update on things you didn’t know about Tim – which includes me), see his bio at the end of this post.

Today I received this email from Tim, regarding the post I put up yesterday. He agreed to let me publish it. He’s adding some real perspective on my assertion (which I admit I’m revising now) that our definition of critical infrastructure needs to be expanded to include much more than asset owners in what are traditionally called CI industries – e.g. electric power, oil & gas, etc. It especially needs to include the providers of software and services whose compromise might lead to serious consequences – which could never be adequately redressed through purely legal means – to important government agencies (including agencies involved with national security) and CI industries.

It is refreshing to see the folks are opening up to some concepts like those you mention here. Although I'm in my retirement years, I do still have interests in this issue.

Many years ago, having been involved in many exercises and actual incident responses, I realized that the concept of "what is important" or even "Risk" was not well understood. As automation swept through the industrial control surfaces of the BPS, several trite phrases came to my mind. For instance, if some automation is good, more is likely better, and if more is better, then too much is not enough.

But specific to this issue is realizing that societally significant dependencies were not a thing when these industrial systems were developed.

I made a statement to Mikey (Assante) while working on the first draft of the NIPP (National Infrastructure Protection Plan) that this CIKR (Critical Infrastructure and Key Resources) stuff we were struggling to craft defenses for was far more significant than the owners and operators sometimes realized. 

Imagine the owner's surprise when they learned of a significant defense critical dependency (DCEI – Defense Critical Energy Infrastructure) for their system. Imagine the surprise when an electricity sector owner/operator (AOO – Asset Owner/Operator) learned of some load put onto the grid by a new commercial development adding in a hospital complex (sector-sector interdependencies).

Now imagine the surprise on the adversary’s face as they read that Colonial had shutdown their entire pipeline. HC BFFs we only wanted money.

There were just so many more of these examples that we used the expression: “No one ever told us that all of this would be critical infrastructure, or we would have built it differently.”

Today we have advanced adversaries, exploiting the seams in our systems that we don't even know exist (critical interdependencies), using capabilities only dreamt of in nightmares (for example, an AI-assisted attack). 

So I do stick to my sentiment -  "Had we known then how dependent our society would become on {Insert Thingy} today; we would have designed {Inserted Thingy} differently." Or words to that effect. Complexity, which was once fun, has become our collective nemesis.

Tim’s Bio:

Mr. Roxey has 30 years of nuclear industry experience and over 50 years of computer-related experience. Tim was formerly VP and Chief Security Officer of NERC, and Senior Director of the E-ISAC.

Following each attack against the Ukrainian power systems, Tim spent time in-country, deconstructing physical and cyber-attacks against the Ukrainian electrical grid as part of a public-private sector response team. As part of Tim's fifth trip in-country, The US Embassy in Kyiv asked Mr. Roxey to present his findings and recommendations to the Ukrainian Parliament (their RADA).

As President of Eclectic Technologies, Tim helps advance Grid security by designing simplified, physics-based attack surface disrupters such as the one recently marketed for defense against an asynchronous attack (Aurora is the example). One US-based utility is presently deploying these devices.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.