“I always use the example of I’m going to make a regulation today. I’m going to make a regulation that if you ride your bike to work or anywhere, you must lock your bike to a provided bike rack with a U-lock or a cable lock or something like that. You walk outside, and you realize that you’ve locked the frame to the rack, and there’s nothing left but a frame. So you’re compliant, but you were not secure. So there’s this big difference, frankly, just this massive rift between compliant and secure.”

That’s Patrick Miller, a critical infrastructure security and regulatory advisor, a former (or, as he says, “recovering”) regulator and the managing partner at Archer International. He’s also a co-founder of BEER-ISAC, a critical infrastructure-specific version of I Am The Cavalry, which you can learn all about in Episode 2 of this podcast.

(Subscribe to Hack the Plant on Spotify or Apple, by RSS feed or search for it wherever you listen to podcasts.)

Transcript:

Joshua Corman:

Our dependence on connected technology is growing faster than our ability to secure it, especially in areas affecting public safety and human life.

Bryson Bort:

I’m Bryson Bort. And this is Hack the Plant. Electricity, finance, transportation, our water supply. We take these critical infrastructure systems for granted, but they’re all becoming increasingly dependent on the internet to function. Every day I ask and look for answers to the question: does our connectivity leave us more vulnerable to attacks by our enemies? I’m a senior fellow at the R Street Institute and the co-founder of the nonprofit ICS Village, educating people on critical infrastructure security with hands-on examples, not just nerd stuff. I founded GRIMM in 2013, a consultancy that works the front lines of these problems every day for clients all over the world.

P.W. Singer:

It’s playing out in Israel right now, where hackers have been going after Israeli water systems. Again, not to steal information from them, but to change the setting on the chemicals in Israeli water.

Bryson Bort:

Each month, I’m going to walk you through my world of hackers, insiders and government working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day.

P.W. Singer:

If you think that the small town water authorities and the mom and pop size companies have better cybersecurity in the US than the Israelis do, I’ve really, really bad news for you.

Bryson Bort:

An attack on our critical infrastructure, the degradation to the point that they can no longer support us, means that we go back to the Stone Age, literally overnight.

Joshua Corman:

If we think the government’s going to solve it for us, we’re wrong. We have to help them.

Bryson Bort:

This is not a podcast for the faint of heart. If you want to meet those protecting the world and what problems keep them up at night, then this is the podcast for you.

Bryson Bort:

I’m Bryson Bort and this is Hack the Plant.

For today’s episode, I’m joined by another legend in the space and a good friend, as well as one of the co-founders of the BEER-ISAC, Patrick Miller. Patrick is a Critical Infrastructure Security and Regulatory Advisor, a former (or, as he says, “recovering”) regulator, and the managing partner at Archer International.

We’re here today to talk about how to keep critical infrastructure secure.

Patrick works with a community of former regulators to consult on critical infrastructure, inspiring an operational approach in an industry trying to balance regulation, service, and security.

Patrick Miller:

There’s this big difference, frankly, just this massive rift between compliant and secure… I’m going to make a regulation that if you ride your bike to work or anywhere, you must lock your bike to a provided bike rack with a U-lock or a cable lock or something like that. You walk outside, and you realize that you’ve locked the frame to the rack, and there’s nothing left but a frame. So you’re compliant, but you were not secure. So with my company, what we try to do is help organizations do both, which is an insanely difficult challenge, but it’s helping them understand that the regulation is basically the floor, not the ceiling.

Bryson Bort:

I invited Patrick to join the podcast following our conversation in Episode 2 with Josh Corman of I Am The Cavalry, about why to love hackers, because the cavalry isn’t coming to save us.

BEER-ISAC is a play on “ISAC”, an Information Sharing and Analysis Center where experts in verticals (finance, automotive, etc.) share intelligence on attackers. The BEER-ISAC is a critical infrastructure-specific version of I Am The Cavalry: a community of hackers, cyber experts, and regulators who are focused on improving critical infrastructure security.

Today, we discuss why BEER-ISAC was founded, challenges to our critical infrastructure, and what a regulatory approach should look like.

Bryson Bort:

How are you doing today, Patrick?

Patrick Miller:

I’m doing well, Bryson, and thanks for having me.

Bryson Bort:

Why don’t you give a quick introduction of who you are and what you do?

Patrick Miller:

Sure, sure. Currently, I’m a managing partner at Archer International. We do basically consulting, OT, ICS, cybersecurity, physical security, and a very strong regulatory focus, just because most of us are ex-regulators, or I like to say recovering regulators.

So that and then history in various utilities, both electric and water and gas, even some municipal stuff, transportation and wastewater in the Pacific Northwest. Then, before that, long history in telecom, old school telecom guy. Used to wear pole spikes and a butt set and a hardhat and climb poles.

Bryson Bort:

Well, I imagine it was more than hardhats that helped bring that transition from telecom into industrial control systems. What made that happen? When did you make that jump?

Patrick Miller:

Yeah, it was right around the college window. I’m old. So I started with the early computers. I had the green screen stuff, TRS-80 and onward from there, but just got into the computing space and started … In the telecom world, it went from a lot of standard copper to ripping out the old KSUs and DSUs and putting in a bunch of the smaller digital systems. Everything got from what used to be insanely massive cabling down to much smaller, and you just moved into the digital world. I kind of grew from that hardware, old school space into the more I guess logical or cyberspace and began building things like data centers and getting into all the environmentals and the electrical and understanding how all of that fits together and just really fell in love with it. So it kind of grew naturally over time.

Bryson Bort:

So at your current company, Archer, walk us through a day in the life.

Patrick Miller:

A day in the life? Wow. Like I said, most of the stuff we do is really around the nexus of regulation and security, because those two things really don’t … They don’t fit well. It’s really hard to regulate security. It’s not like regulating to an engineering specification, like your products won’t catch fire and kill people, that kind of thing. It’s more of an attitude, and there isn’t a state where you are secure, right? It’s this kind of never-ending fluctuation of attacker tactics and vulnerability position and all this great stuff.

Patrick Miller:

So from having been a former regulator and even authored some of the regulations that are in place now, not just in the US, but in other countries, it’s a challenging thing to do to try to prescribe action. But you can’t give them the right attitude, right? It’s usually if they have to do it as a regulation, they don’t want to.

So there’s always this interesting mix of … I always use the example of I’m going to make a regulation today. I’m going to make a regulation that if you ride your bike to work or anywhere, you must lock your bike to a provided bike rack with a U-lock or a cable lock or something like that. You walk outside, and you realize that you’ve locked the frame to the rack, and there’s nothing left but a frame. So you’re compliant, but you were not secure. So there’s this big difference, frankly, just this massive rift between compliant and secure.

Patrick Miller:

So with my company, what we try to do is help organizations do both, which is an insanely difficult challenge, but it’s helping them understand that the regulation is basically the floor, not the ceiling. You have to at least do that much, but what are all the other really positive incentives to just having a more secure attitude, right? I mean, it’s going to help you with insurance. It’s going to help you with loss prevention and all of these other real business things that aren’t just security blinky lights that make you feel better because you bought some more security widgets.

So the day in the life is I deal with executives from, I say, the boots to the suits. I deal with the operational folks, trying to help them change perspectives, and then deal with the executives, trying to figure out where they’re going to get the money and changing other executives’ minds on the mindset of why this is good for the business. So it’s full range. There isn’t really just a “I go turn this knob or twist this wrench.”

Bryson Bort:

Yeah. In my experience, there are two kinds of companies, and it doesn’t matter the technical products, the implementations, or even how smart or how good the staff is at that company. It comes down to the leadership. There are the companies where leadership takes information, cybersecurity seriously and those that don’t, and that is the biggest delineation that I’ve seen between performance, in my experience.

Patrick Miller:

Yeah, I would echo exactly. It’s really hard to lead up, and a lot of the SMEs are your subject matter experts that are doing this day-to-day. They don’t want to have to deal with breaches. They don’t want to deal with all that nonsense. They just want to do their job. So most of them really do want to be secure and are willing to do steps here and there to be more secure, and there are some that quite frankly just don’t care, but most of them do.

At the executive level, usually it is a mindset thing. I’ve actually been asked by some executives, “Quantify the risk for me from a compliance perspective. If I don’t comply, is it going to cost me more in penalties than it would cost me to spend on the security that would be required to meet the minimum bar?” I was just floored. I mean, first of all, that’s completely unethical. Second of all, you’re not even willing to do the bare minimum, and third, you really just don’t care whether you have any security issues whatsoever. You’re just worried about how much you have to spend, and you’re willing to spend the bare minimum to get by.

So that’s kind of that opposite end of the spectrum, and then, of course, I’ve seen other organizations that are more than happy to go well above and beyond, because they know it’s the right thing for their business. Some have even taken it so far as to … In some of the industrial control system spaces, they’re actually using it now as a product differentiator, where in the past, it was never really a consideration. But if the leadership doesn’t get it, I totally agree. If the leadership is not on board, the horse goes where the head goes. So that’s just a guarantee.

Bryson Bort:

Well, and critical infrastructure is, I think, even more challenging in that regard. The example that I like to use is if you’re looking at an electric utility, certainly there are electric utilities that are large, cover multiple states, and have a significant rate base. Then there’s the tiny little utility that has a rate base of a few thousand, and they’re regulated in how much revenue they can drive, what they can charge. So they really are working with a limited pie, and so where do you see that balance, and how do you get beyond that? Because inherently your hands are tied behind your back with what you can, in fact, invest in.

Patrick Miller:

Yeah. It’s a really interesting one. That one requires a bit of explanation. So the electric world is my home. That’s where I came from, primarily. The difference is, for example, some of the small ones, there’s a different model for different types of utilities. The first one I’ll talk about is called a cooperative, and they’re actually owned by the customer. So the customer is an owner. If the company makes X amount of profit over a certain amount, then a dividend comes back to the rate payer, right? They own the company. So they have a stake in the organization directly.

What I’ve seen in a lot of cases is that the cooperatives are actually really forward-thinking, and they make a major effort to be secure, because it’s got a direct impact to them, not just from an electricity standpoint, from a dollars and cents standpoint. So those organizations I have found to be probably some of my favorites to work with, frankly. Then there’s the municipalities, which, in some cases, can be very large, for example, LA or San Antonio. These are some of the largest municipalities that are utilities out there, and they’re a completely different model, where you’ve got publicly elected city commissioners. That’s effectively their board, and they will not raise rates, because the public basically will vote them out of office or they won’t get reelected next time.

Patrick Miller:

So they’re very tightly strung in terms of how much they can spend. Usually, the rest of the city, the electric utility, the water utility, whatever utility the city runs, those are most likely the cash cows for the rest of the city, because everyone pays their electric bill or pays their water bill, or they go without the service, right? So they’re guaranteed sources of income for the rest of the city. So, typically, the utility in the city gets milked dry by all of the other municipal government needs. So they’re often trying to do the best with what they’ve got and can be very challenged to make real progress in a lot of ways.

Then you have your big investor-owned utilities, which can be multi-state, multinational. Those organizations have typically some board of directors, and they really are shareholder-focused. What is the profit the organization gets? I actually had a chance to ask Warren Buffett why he bought PacifiCorp when he bought them from MidAmerican Energy. I said, “Utilities, especially for an investor utility, they’ve got a guaranteed rate of return, but it’s only so much. You might make between 8, at the max 14%, because your profit’s regulated,” as you mentioned. He said, “You don’t buy them to get rich. You buy them to stay rich,” because they are basically a guaranteed source of at least this much income. So that’s where … Since they are on a utility of that scale, of that size, I mean, some of them are Fortune 200, Fortune 100 companies, as you can imagine, even one more percent can mean a significant amount of additional income.

Patrick Miller:

So those organizations, usually, they have a tendency to have a more mature security organization, because they have more money behind them. For example, look at what happened recently with PG&E, in terms of them having to admit a manslaughter charge, pleading guilty to a manslaughter charge. That can hit your stock price very significantly.

So given the fact that they’re so publicly facing and stock prices can have a real influence on them, a big cyber attack on the power system that causes lawsuits or loss of life, that’s a big risk. So they have a tendency to be a little bit more mature, a little more I guess well-equipped in some cases, but they can also be so big and so siloed that the right and left hand don’t talk to each other, which creates different challenges.

Bryson Bort:

Well, that brings us right into questions about policy and policymakers. So, first of all, if you had your druthers, you had your choice, what would be the first thing that you would ask from the regulators, from the policymakers to try to solve some of this?

Patrick Miller:

Yeah, I get this question a lot. I struggle with it, but I guess I’m going to be a heretic. I think regulation should be lightweight, and I think it should be in areas that give us additional value beyond just making sure that, in this case, for example, the lights stay on, right? I have this longstanding beef with the fact that we’re spending enormous amounts of money on security, and we’re expecting things to get better. Even organizations that have spent just sick amounts of money and have amazingly brilliant people doing great things, and they still get hacked. These are the issues that we’re facing.

So from an electric or even from a just regulatory perspective, whether it’s electric utilities or just critical infrastructure, whatever you want to pick, water, gas, you name it, what I would love to see is something that gives us some additional value. I hate to go down this path, but it’s something like a data breach, incentive and regulation, because what we’re doing now is we’re basing a lot of our decisions on, frankly, just guessing and little bits of threat intel we can get and various things like honeypots and security research. We’re trying to cobble together this picture of what is working and what isn’t working, where we can actually spend money on real … I hate to use the term return on investment for security, but higher security value for the effort that you’re putting into it.

Patrick Miller:

What we don’t have is actuarial data, and that’s just something no one has been able to come up with enough of it, really. We’re working with kind of bits and pieces. So I use the example of healthcare. We know that if Patrick eats steak and drinks whiskey and has really terrible exercise habits, I could probably die by 40, just from all of these standard things. We don’t know that just because we’re guessing. We know that because we’ve got, in some cases, thousands of years of actuarial data on human dietary habits and healthcare habits. But that’s real data we can base I guess more effective and better decisions on.

We just don’t have anything like that in the cybersecurity space, especially in the critical infrastructure space, just because no one talks about this stuff. Usually, it’s immediately … Whether it’s classified or it’s sequestered somehow, we don’t get a lot of that real data out of these things.

So I would say that if there was something like you must provide some standard security steps, and in the event that there is a breach, when there is a breach, then you must be completely forthcoming with as much forensics as you can get and provide that information. Then if you don’t, you would get penalized, but that not only helps the organizations trying to achieve a certain minimum, because they’re going to get penalized if they can’t provide this data, right? If they weren’t even able to provide the forensics, that’s a problem. But something along those lines. I don’t have a perfect “It must be these steps,” but, to me, we need better data on what is working and what isn’t in order to make the situation better versus just throwing more security stuff at it and hoping that that works.

Bryson Bort:

Yeah. The way I like to think about that is we don’t need more paperwork from the government. What we need are resources, right? In this case, this could be an example of something that CISA or DOE, across the federal government, could help support, that data sharing. Part of that ties into legal questions about liabilities, which is the oft-cited excuse for why folks don’t want to share that kind of data and open the kimono to what’s happening. As you said, we all suffer as a result of being in that boat with everybody, keeping things too close hold.

Patrick Miller:

Right. Yeah, I totally agree. There’s not a need for more paperwork. I think, in a lot of cases, that administrative burden is what everyone complains about. CISA and DOE could be very instrumental in getting the information shared, protecting the information as well as it can be, and there’s always the liability issue. Most organizations, if they’re breached or if they’re hacked, they don’t want that out there in the public, obviously. But I think if it’s a requirement for everybody, then it’s not so much just a “You got breached, and now you have to admit it.”

It’s going to be challenging for the first organizations that have to go through it, but I think if you look at organizations like [inaudible 00:20:22] and others that have been very transparent, very open in the process, their stock actually went up. So it’s not about what happens. It’s about how you handle it, and I think with I guess targeted or focused regulations with assistance from additional non-regulatory government agencies, like CISA and DOE, both of them have very limited capacity for any kind of regulation. They could really be seen as helping organizations and useful for that information-sharing side of it, the incentive piece, even guidance and direct assistance, in some cases.

Patrick Miller:

But yeah, the organizations that end up getting breached and have to disclose it, if it could be done in that open, collaborative, transparent way, the first ones are going to have to go through some heartburn, but after a while, it will become commonplace, and it will demonstrate that you’ve got the capacity to not only weather this, in some cases, but provide the forensics so that everybody else benefits at the same time.

Like I said, I think there are ways to craft regulation that aren’t just paperwork-focused and that do generate more direct value and enable those other parts, like CISA and DOE, to provide more assistance in the process.

Bryson Bort:

Well, I think that’s the closest to your druthers or wish that you’re going to get.

Patrick Miller:

Yeah.

Bryson Bort:

So now that you’ve waved your magic wand, let’s look into the crystal ball. What’s your five-year prediction for one good thing and one bad thing that’s going to happen in critical infrastructure?

Patrick Miller:

I think one good thing is we’re going to see … I hate to use the word digital transformation, because it’s so overused, and it’s just a marketing buzzword, but we’re seeing a lot more … I mean, you can’t buy anything now that’s analog. Everything is digital, and everything’s creating a data stream. We’re going to see a lot of the critical infrastructure spaces, the industrial spaces recognize some of the value of data and not just the product that they’re making or the energy they’re pushing in the wire or water in the pipe or gas in the pipe. But it’s the data about the process will be worth, in some cases, enough to supplement or even, in some cases, possibly worth more than the actual product itself.

So the value of that data is going to drive, I think, security in a different way. Traditionally, it’s always been just isolate them as much as you can, right? The famous quote-unquote air gap always shows up, which just doesn’t exist. There’s always been just a drive to isolate it, and then hopefully we can protect it that way. But I think as we drive more and more digital pieces in there and really push to get that data, we’re going to end up with a more secure model, just because we have to secure it now, because money is at play. Money has always been at play, but it’s in a different way now. It’s going to touch different areas of the business, and, overall, you’re going to have more of an enterprise- and executive-level perspective on keeping those financial streams flowing.

Patrick Miller:

So I think that there’ll be some additional incentives there with the digitization of our world to actually give us some benefit from the security perspective. So I’m one of the few people that believes that this may actually be a good thing. There’ll be all kinds of new business models that spring up, from whether it’s the data analytics piece or the storage, because if everything creates a data stream, are you really prepared to store all of that, and, really, could you analyze all of it? So there’ll be some interesting new niche businesses that stand up on the storage or analytics components of all of this.

So I think that’s going to be really interesting, and what was just OT is going to look a lot more like IT. It’s all just T, here in the near future. So that’s my positive prediction. I think the situation may actually get certainly more challenging, but I think it will actually get better. It’ll get more attention, which is a good thing.

The negative prediction or a bad thing, I guess, is we’re probably going to see some sort of a legit cyber attack, or even worst case, blended, both physical and cyber attack, on some kind of infrastructure or multiple infrastructures at once, just because that’s an awesome impact for any organization that desires such. I would say that probably within five years, someone will succeed on the next level up, at least. I think what we saw in Ukraine, of course, distribution-level blackout, thank God they could go back to manual, but I think we’ll see something like that as well, possibly with either a cyber and physical component or a multi-infrastructure component.

Bryson Bort:

All right. So in the bad news front, you’re predicting that there will be an attack. Why haven’t we seen an attack in the US already?

Patrick Miller:

Well, I mean, we haven’t seen anything like that in the US because we’re pretty transparent and we’re pretty public in the US, despite the fact that most people would like to keep these things secret. I work with a lot of utilities. You’d see something if it had already happened. I know there are some, at least, news articles that say that Russia and China are all up in our grid. That’s just not the case, from what I’ve seen firsthand, and I’ve touched a lot of utilities across North America, both as a regulator and as a consultant. So I’ve seen behind the wall, so to speak, the real thing going on there. We would see something like that if it were valid.

I’m sure there are some instances where we’ve had corporate-side concerns and that kind of thing, but all the way to command and control into an actual power system, I would be surprised if that were actually true. So I think we haven’t seen it yet because, A, they haven’t gotten that far, B, America has always been pretty clear about the fact that if you attack our infrastructure, we’re probably going to have a pretty heavy response. So there may be what we call a kinetic response to something like that.

Patrick Miller:

I think the hard part may be attribution, but we’re also getting better at that, and we’re not perfect at it, by any means, but we’re getting better. So I think it’s just that there are pretty heavy consequences to doing something like that, especially on a large scale, right? I think that’s the question, is if it were something small-scale, would it result in that? Maybe not, but if it was something large-scale, then it would be a very, very different kind of response.

I’ve got to be honest. Having seen the way the North American grid works, taking all of the grid out at once is just not … I hate to say impossible, but it’s extremely improbable.

Bryson Bort:

So what kinds of malicious activity have you seen? Is there any particular case, anonymized, sanitized of course, that you could share with us?

Patrick Miller:

Honestly, all the stuff I’ve seen has been either ransomware on the corporate side or through the external Internet-facing infrastructure, in some cases, or they’ve gotten into customer front ends. There’s been very few situations where someone has made it to a control system. In any case that I’ve seen where a control system has been accessed by an outside party, in some cases, we couldn’t even determine if it was malicious or accidental, because these were just accidentally … We’ll put accidentally in air quotes, maybe by an engineer that needed to access it, put on the Internet directly, and there weren’t any protections in place.

So I haven’t seen a case where an attacker has gotten through all of the layers of your standard defenses, whether they’re good or bad, all the way into a control system and taken control of it. I’ve only seen situations where something was inadvertently, we’ll say, connected to the Internet, and then it was accessed. Even in that case, or I guess in those cases, there was only some of them that we could even allude to the fact that it was intentionally malicious versus accident.

Patrick Miller:

So there’s just not a lot of it out there. Many of your bigger organizations that would have a large footprint for a large impact, they’re all running network anomaly tools, the bigger names. They would see something interesting, in most cases, unless your attacker is profoundly sophisticated. It’s hard, given the number of … I mean, any one of these big utilities has been built by merger and accretion over the past 50 to 100 years, and they’re not talking about some homogeneous suite of technologies. It’s this crazy, insane mishmash of different things. So your attackers would have to be an expert in everything, which is just not … Like I say, it’s very improbable.

Bryson Bort:

Well, that heterogeneity, that mishmash of different things through accretion, on one hand, does make it a lot more difficult for an attacker to be able to work through the attack path. On the other hand, it sounds like that is one of the leading causes, which you described, to human error and misconfiguration, which we see all too often.

Patrick Miller:

Yeah, yeah. I would say it’s as big a benefit as it is a detraction, and to be 100% genuine and honest, I’ve seen more human accidents, human mistakes, and things like backhoes and squirrels cause more outages than any attackers by far, orders of magnitude, in terms of difference.

Bryson Bort:

So what about the independent research community, colloquially known as hackers? What do you think that they bring to the table, and who are they?

Patrick Miller:

I know quite a few of them, at least the ones that are, I would say, not the criminal hackers. Criminal hackers, obviously a different discussion. But the folks doing the research that are trying to help, that’s great. I think they’re doing great stuff. There’s not enough of them, and they’re not well-resourced enough. Most organizations, not all, but most organizations are struggling to get better at responding to their vulnerability reports and flaws or bugs they’ve found in their platforms.

So I would certainly encourage them to keep at it, know that there’s a lot of people behind you. We are all working to get through to the vendors, to help them understand what to do with these notices when they come in and how to handle this in the right way. Many organizations, like I say, are struggling to get better. Some are way ahead of the curve, and others try to take you to court if you send them something like that, because they think you’re trying to extort them, which is silly.

Patrick Miller:

So I think it’s a good thing, and there’s so much technology out there. There’s just not enough time to pay them for their work. I think there’s some people who are on the fence about bug bounties, whether that’s a good thing or not, and even things like [inaudible 00:31:47], which I think is fantastic. I watched the last one at S4 for the industrial control systems. That was awesome. We need more of that stuff.

But I think it’s a good thing. I think it’s only going to benefit us in the long term to have as many possible independent eyes on this as we possibly can. Deep down at heart, I’m a scientist, and I think that scientific peer review is what’s gotten us advanced throughout the years in very real ways, and this is effectively kind of the same thing, just in our world.

Bryson Bort:

There’s strength in numbers, and the community can only be as strong as its ability to pull together, which leads us to the BEER-ISAC. What is the BEER-ISAC, why did you name it that, and what was the catalyst for you helping to create it?

Patrick Miller:

That’s funny. You are one of the coin-carrying members of the BEER-ISAC. BEER-ISAC was-

Bryson Bort:

084.

Patrick Miller:

Nice. I was onstage at S4 again. I think it was 2016. I’ve been within the NERC sphere around what then was ES-ISAC, now E-ISAC. I’ve worked with the water ISAC.

Bryson Bort:

S4 is the annual mecca conference for ICS practitioners in the United States. NERC is the North American Electric Reliability Corporation; its mission is to assure the effective and efficient reduction of risks to the reliability and security of the electric grid. The E-ISAC is the Electric ISAC, providing shared threat intelligence on the latest threats to the grid.

Patrick Miller:

I’ve been around various different types of CERTs, international CERTs. I was ranting about information sharing and threat intelligence, and, frankly, just kind of bitching about the fact that we have this crazy mix of different ways we share information, and we have to wait for the kind of uber-validated, slow-moving methods that we get with a lot of the ISACs that most people complain about, or, frankly, they take too long, and when I finally get it, there’s no real value to me. All it does is validate what I already knew.

But there’s still some value in that, right? It’s been validated by an authoritative body thoroughly. Okay. That’s good. Somewhat that bleeding edge tip upfront that’s got a lower degree of confidence, but they get earlier warning, right? It’s going to take a mix of that.

Patrick Miller:

So I was saying, basically, what I’ve seen and where I get most value in terms of information sharing is, I guess, structures that are like the social media platforms, like Twitter, Facebook, or whatever. I hate to use those, but they’re the small circles of trust of people that you know, and information can move through those because of the trust relationships between the humans.

So you’ve got the situation where stuff like you’ll find out about an earthquake faster through Twitter than you’ll feel it travel through the ground. That’s an interesting fact. It’s real. But that’s how if you use those organizations in addition to the other existing structures, that can be tremendously valuable.

Patrick Miller:

So the pitch was basically all of those are good. You still need them, but you need to build your human network, and you need to find as many people you can align with and figure out if you trust them and why you trust them. You’ve really got to work on that human side of things, and I’ve joked about the fact that what we really need is something like a beer ISAC, where we all get together over beers and share war stories and make friends and then share information.

As more or less kind of an off-the-cuff joke, literally made up as I’m pacing around onstage, by the time I got offstage, somebody had created a BEER-ISAC Twitter account, and it kind of took on a life of its own. Now I guess we’ve made some challenge coins for it. We hold various different meetings at any event, and anybody can hold a BEER-ISAC meeting. It doesn’t take a coin or anything like that. What we’re doing is giving a name to that human networking component, whether it’s over coffee or beer or whatever, just building that human network to get that information flow happening in that way in addition to all the other structures that you have, because it’s got as much or more value than some of the other official channels.

Patrick Miller:

So that’s kind of the BEER-ISAC in a nutshell. It’s not really any one organization or any one thing. It’s just a name for what we were already doing.

Bryson Bort:

Isn’t it funny how ideas like that start to take on a life of their own? You have all of these electrons, these experts’ electrons, bouncing around and setting off electricity of ideas and how it’s splintered across … It’s now international. I believe that we’ve also created sub-chapters in other countries all around industrial control systems and critical infrastructure.

Patrick Miller:

Yeah. Yeah, it’s really taken on a life of its own. It’s fantastic to see. I mean, yeah, I definitely don’t want to take credit for it. I get credit for joking about the fact that we should give it a name.

I’ll take credit for helping to buy the beer and whiskey to get them all together so that they can share ideas.

Bryson Bort:

All right. Well, Patrick, it has been a fantastic podcast, and we thank you for joining us today.

Patrick Miller:

Thank you. Anytime, man. Anytime.

Bryson Bort:

Thank you for listening to Hack the Plant, a podcast of the R Street Institute and the ICS Village nonprofit. Subscribe to the podcast and share it with your friends. Even better, rate and review us on Apple Podcasts so we can reach even more listeners. Tell us what you thought about it and who we should interview next by finding us on Twitter at RSI or at ICS_Village. Finally, if you want to know more about R Street or ICS Village, visit rstreet.org or icsvillage.com. I’m your host, Bryson Bort. Thank you to executive producer Tyler Lowe of Phaedo Creative, creative producer William Gray, and editor Dominic Sterritt of Sterritt Production.