Sam Chanoski is a Certified Tim Roxey Interpreter (CTRI)

On August 1, I put up a post describing an email conversation I’d had with Tim Roxey, former VP and CISO of NERC, and someone whose words are always very interesting, but sometimes (sometimes!?) hard to understand. Fortunately, a number of people in the NERC security world agree that whatever words he does utter are worth pondering, since Tim doesn’t spout off just because he’s trying to fill up a page, as some unscrupulous bloggers have been known to do.

I’ll let you read that post, but one of its most interesting features was when Tim described a trip to Whole Foods:

I was in Whole Foods couple of weeks ago. Heavy storms moving in but I was in underground parking. 

 

I’m pushing about my cart when an announcement comes over the speakers. Please all shoppers stop shopping. We have lost our cash registers due to lightening in the areas. 

 

Me thinks. I have cash. I’m good. 

 

Me thinks wrongly. Somehow the Point Of Sale device can’t process the sales in cash cuz the credit side is down. 

 

Harumph. No, it was the people and a branch  point in their processing that broke. 

 

We are so dependent on our “usual processes” that we fail to see the alternatives. 

 

Colonial failed as well. 

 

If you are CIKR then this is Wrong. Be CIKR AND operate as such.

Last week, I received an email from Sam Chanoski of Idaho National Laboratories, who is someone I’ve known a long time and have a lot of respect for. He worked for NERC for eight years (including working with Tim, of course), the last 2 ½ of which were with the E-ISAC. During his period there, he was in the middle of almost everything the E-ISAC was doing at the time. After a stint at ABB, he joined INL last year.

Sam’s email to me focused on the above passage from my post (which was quoted pretty much verbatim from Tim’s email. Yes, Tim really writes that way!).

I may be able to help a little with some Tim-terpretation from Tim Roxey’s earlier response. He’s saying the same thing allegorically with his supermarket that can’t take his cash, that I’ve posited elsewhere: in any organization with a consequential mission, there are likely to be dependencies built into “normal” accomplishment of their critical functions – and while the people who implement these processes on technologies every day largely understand many of them, the organization as a whole is often blind to most of these critical dependencies.

Rooting out these dependencies and forcing the organization to appreciate them for the risks they present is the start of how we become more resilient to whatever life and the bad people throw our way, in whatever failure-of-our-imagination ways we experience it next, with the people, processes and technologies we have today. 

For the PPT we need for tomorrow, that’s where something like Cyber-Informed Engineering (CIE) might come in, to help us imagine, design, procure, build, operate, and maintain the energy systems of tomorrow with cybersecurity inextricably part of the DNA as much as safety is today. Even though CIE slightly predates the similarly named Consequence-driven Cyber-informed Engineering (CCE), it’s definitely less well known and less mature, but ultimately a lot more broadly applicable I think – https://inl.gov/cie/ is where we are now, with the next major parts coming out likely next summer when the national strategy on CIE is (hopefully publicly) published according to FY20 NDAA Section 5726. 

Noe of this is easy or fast or pleasant but it is necessary – as Gloria Steinem said, “the truth will set you free, but first it will p___ you off.” (Note: Since this is a family blog, I can’t quote Gloria exactly)

Sam makes a great point, and I must admit I didn’t see it when I wrote the previous post on what Tim said (now I do, though): People who work within a system day by day are probably the least able to tell you exactly how it works. They especially can’t tell you what’s needed in the way of “exogenous inputs” (as we used to say when I was working for an econometric modeling company, back in the days when people believed that computers were wonderful devices, rather than the instruments of the devil himself, as we all know to be the case nowadays). So the everyday workers need to have someone come in on occasion and tell them how their system really operates. That way, they can be prepared when one of those dependencies is lost.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.