Overall ACS Conference Observations

After a grueling week, I had a chance to collect my thoughts and have the following observations:

- The attendees felt the Conference was a major success and want it to continue.
- People will come if they think there is information of value. Despite the plethora of conferences including PCSF being 3 weeks away and Black Hat being the same week, there were almost 100 attendees representing 9 countries. Industries present included water, electric transmission, distribution, and generation, nuclear power, wind power, pipelines, and chemicals. In the area of vendor-dominated conferences, less than 20% of the attendees were vendors.
- Almost every presentation stimulated significant discussions – people were not sitting on their hands. The information exchange was detailed and addressed real incidents.
- There is still an erroneous feeling that each industry is unique and that information from one does not apply to the other. I have some thoughts on how to combat that problem and will do so at the 2009 Conference in Washington DC.
- There were a number of federal organizations present – NRC, FERC (and NERC), Pacific Northwest National Lab (nuclear), Idaho National Lab (renewables), Argonne National Lab, DOD, and the FBI. However, despite Congressman Langevin’s plea for cooperation, the following organizations did not attend even though the information was of direct interest:
  o DHS (NCSD or S&T)
  o DOE (headquarters and labs working on security)
  o EEI (Edison Electric Institute)
  o Leadership from the NERC CIPC
  o EPRI
  o NEI (Nuclear Energy Institute)
  o INPO (Institute for Nuclear Power Operations)
  o EPA
  o AWWA (American Water Works Association)
  o API (American Petroleum Institute)
  o NPRA (National Petroleum Refinery Association)
  Since the information will not be made public, these organizations have simply missed out.
- Information sharing is a dismal failure. An interesting example was how many end-user attendees from multiple industries had not been informed about Aurora. Ironically, they knew more from CNN than from DHS or their own organizations.
- The FBI gave a presentation unfortunately demonstrating how out-of-touch they are with industry and how far we need to go to have a meaningful working relationship. FBI’s focus is criminal prosecution which means a close hold on all information - “cone of silence”. Industry needs enough information to defend itself. Actions are now being taken to help close the gap.
- Planning is starting on the 2009 Conference. Hopefully, all organizations will participate.

Joe Weiss

    I am thrilled your conference was good. You worked very hard and we are all grateful for your efforts. It was a good time. You have to ask yourself why those organizations were not there? I am guessing that they were busy and could not go. Were the items and topic in your event important? For sure. Were they so important and new and never-discussed-before that these major organizations had to come? Maybe not. It is all about perspective. Maybe we can assume that much of the material that was advertised for your event (if you can call it advertising - you really didn't say much in the marketing materials) did not demand their presence? I can imagine a lot of people and organizations that could not invest in a conference where the agenda was ethereal and rather 'undefined'. I remember seeing many postings about 'more info at the conference' when people asked about more info and what to expect. I thought the event was good even though I had a hard time deciding if I was going based on the lack of clarity of content.

    I also do not understand your issue about this Aurora thing (and I apologize, I may have missed something). I would assume that at least some of the non-US countries had to learn about it from CNN (or you or web or something). Moreover, how is it a DHS/DoE failure when they are to pass info to asset owners via State/Local/ISAC entities for them to do the outreach? Isn't that the process that was set up? Here, we get our information from the ISAC (who we trust) and they get it from DHS. That model has worked fine for us, and for many many others, but I am hearing stories about other not-so-successful communications from the ISAC down. Yes, the model is broken but I think you have the wrong culprit??

    I would guess that the real reasons why your attendees didn't get any Aurora info prior to the CNN event is: (1) a large majority of your attendees were either not invested in the cyber security issue when Aurora came out and didn't care, (2) were not impacted by the issue so they did not need to be alerted, (3) did not get the info because their ISAC or governing body didn't give it to them, (4) could not be told as they are not a US entity, (5) are a vendor in an unrelated sector and really had no right knowing, and (6) don't care.

    I talked with a lot of people while at your event (many blog and newsfeed chats as well out there) and they fall into categories 2, 3, and 4. I have no real insight to Aurora (not my sector) but would assume it was an issue that not everyone needed to hear about. So some people made choices as to who needed to know and told their responsible organizations/ISACs. Then the ISACs failed or something broke.

    I think the information sharing model is fine, it is the participants at the lower levels that need some help moving the information to the stakeholders. Being mad at DHS or DoE for not telling every single end user in the world about security issues may not be the right approach.

    Thanks Joe, and great work!


