On August 1, I put up a post describing an email conversation I’d had with Tim Roxey, former VP and CISO of NERC, and someone whose words are always very interesting, but sometimes (sometimes!?) hard to understand. Fortunately, a number of people in the NERC security world agree that whatever words he does utter are worth pondering, since Tim doesn’t spout off just because he’s trying to fill up a page, as some unscrupulous bloggers have been known to do.

I’ll let you read that post, but one of its most interesting features was when Tim described a trip to Whole Foods:
I was in Whole Foods a couple of weeks ago. Heavy storms moving in but I was in underground parking.

I’m pushing about my cart when an announcement comes over the speakers. Please all shoppers stop shopping. We have lost our cash registers due to lightning in the area.

Me thinks. I have cash. I’m good.

Me thinks wrongly. Somehow the Point Of Sale device can’t process the sales in cash cuz the credit side is down.

Harumph. No, it was the people and a branch point in their processing that broke.

We are so dependent on our “usual processes” that we fail to see the alternatives.

Colonial failed as well.

If you are CIKR then this is Wrong. Be CIKR AND operate as such.
Last week, I received an email from Sam Chanoski of Idaho National Laboratories, who is someone I’ve known a long time and have a lot of respect for. He worked for NERC for eight years (including working with Tim, of course), the last 2 ½ of which were with the E-ISAC. During his period there, he was in the middle of almost everything the E-ISAC was doing at the time. After a stint at ABB, he joined INL last year.

Sam’s email to me focused on the above passage from my post (which was quoted pretty much verbatim from Tim’s email. Yes, Tim really writes that way!).
I may be able to help a little with some Tim-terpretation from Tim Roxey’s earlier response. He’s saying the same thing allegorically with his supermarket that can’t take his cash, that I’ve posited elsewhere: in any organization with a consequential mission, there are likely to be dependencies built into “normal” accomplishment of their critical functions – and while the people who implement these processes on technologies every day largely understand many of them, the organization as a whole is often blind to most of these critical dependencies.

Rooting out these dependencies and forcing the organization to appreciate them for the risks they present is the start of how we become more resilient to whatever life and the bad people throw our way, in whatever failure-of-our-imagination ways we experience it next, with the people, processes and technologies we have today.

For the PPT we need for tomorrow, that’s where something like Cyber-Informed Engineering (CIE) might come in, to help us imagine, design, procure, build, operate, and maintain the energy systems of tomorrow with cybersecurity inextricably part of the DNA as much as safety is today. Even though CIE slightly predates the similarly named Consequence-driven Cyber-informed Engineering (CCE), it’s definitely less well known and less mature, but ultimately a lot more broadly applicable I think – https://inl.gov/cie/ is where we are now, with the next major parts coming out likely next summer when the national strategy on CIE is (hopefully publicly) published according to FY20 NDAA Section 5726.

None of this is easy or fast or pleasant but it is necessary – as Gloria Steinem said, “the truth will set you free, but first it will p___ you off.” (Note: Since this is a family blog, I can’t quote Gloria exactly)
Sam makes a great point, and I must admit I didn’t see it when I wrote the previous post on what Tim said (now I do, though): People who work within a system day by day are probably the least able to tell you exactly how it works. They especially can’t tell you what’s needed in the way of “exogenous inputs” (as we used to say when I was working for an econometric modeling company, back in the days when people believed that computers were wonderful devices, rather than the instruments of the devil himself, as we all know to be the case nowadays). So the everyday workers need to have someone come in on occasion and tell them how their system really operates. That way, they can be prepared when one of those dependencies is lost.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
Quoting Tim, Sam and Gloria Steinem in the same post is a very high degree of difficulty dive, even for a scrupulous veteran such as yourself, Tom. Thoroughly enjoyable and a message worth promulgating to boot. ab
Thanks, Andy. I wanted to include Dilbert in this, but just couldn't figure out a way to add him... He has a lot to say on the subject of organizational dysfunction.