Well, I managed to find my way to the EnergySec summit down here in Bronco Land. What strikes me as interesting is the fact that years into this process (as in years since Urgent Action 1200 first came into being), we are still largely talking about the same issues, concepts and concerns. In other words, a large amount of education and clarification still needs to happen in this space, as people are still struggling to get their heads around the practical application of these controls. Now, I am not trying to suggest I have it all figured out or that there is a silver bullet out there, but I can’t help but feel that too many people are making this way more complicated than it needs to be.
In my book, it is simple. We have to protect critical infrastructure in order to allow it to do that which it is engineered to do. That means protection from any and all potential sources of disruption. If you look at regulations like NERC CIP or best practice standards like ISA99 or the NIST 800 series, you will notice that the end goal is a sustainable program. Not a project, not a one-time hurdle to overcome and ride off into the sunset. It is the establishment of a program to help provide the best possible chance of keeping your facility up and running! And let’s stop couching protests in language about likelihood of terrorist attack. Yes, the threats are real, but the likelihood of someone on the inside inadvertently launching something is much greater. (See today’s earlier blog on most likely threat vectors.) If you don’t believe me, log in to hear what McAfee has to say about it via the NPRA on their “You can’t stop stupid” webcast. Very fitting title!
Nonetheless, the EnergySec summit is interesting and there are some very smart speakers up there. Too bad it is a message that has been delivered many, many times before.