Friday, October 14, 2011

What We Really Want Is A Hot Meal, Good Health, And Electricity

Those of you that know me are perhaps aware that I have spent large portions of my life working in 3 somewhat distinct areas: Food Service, Health Care Security, and Smart Grid Security.  All 3 disciplines have taught me a few things that I carry with me every day.

I am no longer in the Food Service industry...thank God!  If any of you have ever watched Hell's Kitchen on TV, trust me, it is not far from reality.  Working in high technology means better pay, less heavy lifting, and weekends and holidays off (more or less).

Still, I learned some things in the Food Service industry that serve as valuable lessons to this very day.  One thing I learned is that regardless of how hard you work, you are inevitably judged for the last good (or bad) deed you accomplished, often irrespective of your history.  Memories are short, and you always have an opportunity to either redeem yourself, or fall flat on your face.  The choice is yours.

Another thing I learned about the Food Service industry is that they have 2 objectives:

  1. Make Food
  2. Get Paid For The Food

Hey!  What can I say?  I am nothing if I am not perceptive.

As it turns out, this carries over into both the Health Care and Energy industries.  The Health Care industry wants to deliver health and get paid for it.  The Energy industry wants to deliver energy and get paid for it.

We can apply this logic to just about any industry we choose, as it turns out :-)

Okay, so I am here to talk about security.  What does all of this have to do with security?

As it turns out, security is essentially about safety (or perhaps safety is really about security).  The two go hand in hand...and perhaps can be conflated in some (if not all) cases.

So let's go back to my life in food service for a moment.  Having spent many years working as a chef in restaurants, I noticed a few things about safety that were recurring themes.  One was that every single restaurant I worked in had a fire safety system installed by a competent installer, and (most importantly), the fire safety system itself was built by a competent manufacturer.  After this was done, the fire inspector would perform an inspection and make sure it satisfied the requirements for fire safety, and the fire inspector would periodically return to make sure all was in order.  Eventually, we saw the arrival of the National Fire Protection Association's Certified Fire Protection Specialist Certification Program, which is ANSI accredited.  Additionally, UL has a program in place for approval of fire safety systems (e.g. sprinklers) in use today.

Having worked in a restaurant where the fire safety system has triggered, I have to admit that it is very effective.  However, in retrospect, the fact that I find most interesting is that not one restaurant, hotel, or resort (and I worked for some big resorts) had any staff on board who was responsible for the design, implementation, and maintenance of the fire safety system.

They simply hired someone to put one in, got it inspected, and then went on with the business of making and serving food.  I have to say, it works splendidly.

Imagine that!

So let's take this back to the Health Care and Energy industries for a moment.  We need to understand that what we have to do in the security world is get to that point where health care and utility staffs can focus as much of their time as possible on delivering what they are in the business of delivering.  We are currently living in an environment where we have placed nearly all the burden for securing health care and energy systems on those who are ill suited for the job.  Sure, they are hiring staff to help get them up to speed, and reaching out to professionals, but is this necessarily the desired end state?

I fully realize that the food service industry is not saddled with the enormous burden of protecting their network stack from intrusion, and that no level of cyber attack is likely to mess with the integrity of their signature dish covered with delicious Béarnaise sauce.  Yet the threat of fire is very real, generally quite devastating, and ever present.  Nonetheless, we have managed to create a management system that is both extremely effective and extraordinarily simple to live with.

...and let's look at the health care industry for a moment.

We are all familiar with the FDA (the Food and Drug Administration).  Hospitals use health care equipment and use drugs that are FDA approved...and absolutely do not use any health care equipment or drugs that are not FDA approved...at least they better not...or face stiff fines and immediate shutdown (believe me, the FDA is hardcore about their rules).  Although it is a US organization, FDA approval is so highly regarded globally that most nations accept FDA approval as a "green light" for use in their own countries.  Health care providers do not have to manage staff to ascertain the safety in using FDA approved products.  They simply stick with the FDA approved products and (ostensibly) use them to deliver good health care.

I fully believe that we will eventually come to terms with cyber security issues, as we have come to terms with fire, and as we have come to terms with "snake oil" health care solutions of the past.  As Paul Kocher of Cryptography Research indicated during his excellent keynote at my Smart Grid Security Summit this past month, security today is still struggling with the same "snake oil" issues that health care had to deal with in the past.  As we continue to move forward with addressing cyber security issues, we all need to keep in mind that a lot of what we hear is going to be "snake oil", and we should look towards how other safety issues have been addressed in the past, and perhaps learn some valuable lessons.  I'm hungry.

Monday, October 10, 2011

Upcoming Event: Amphion Medical Forum

I have been invited to moderate a panel at the Amphion Medical Forum on November 3rd, 2011 in Minneapolis, Minnesota.  This fantastic event features security experts who specialize in studying, understanding, testing, and addressing security issues related to connected medical devices.

What you may or may not know is that nearly every piece of medical equipment that collects and records data today (heart monitors, X-Ray machines, MRIs, IV Monitors...and the list goes on and on) has a communications stack of some sort built in, or will have one soon.  Recent demonstrations at Blackhat, for example, have re-awakened our consciousness to the seriousness of security issues surrounding medical devices (if this attack in 2008 was not enough).

If this is of interest to you, join me at the Amphion Medical Forum on November 3rd, where you will have an opportunity to listen to some of the most brilliant minds in the world of medical device security, as well as meet them face to face.

Oh...and by the way...IT'S FREE !

See you there!

Mike Ahmadi

P.S. To guarantee yourself an invitation, use priority code "GraniteKey"

My Sally Field Moment

My third Smart Grid Security Summit has drawn to a close.  This past week in San Diego was a seminal event in my life as a conference chairman.  For the last 3 weeks I have been working out a hundred plus details that no amount of advance preparation ever prepares you for.  Anyone who has ever put on a conference is keenly aware of that.  For those who have not, I would describe it as something akin to the excitement of the descent from the peak of a roller coaster coupled with the fact that you decided to finish your children's corn dogs.

When I started the Smart Grid Security Summit my intention was to build my network and get some like-minded people together to chat about what was, and continues to be, an important topic.  We had around 100 people show up, and 1 sponsor (SAIC).  We were so proud of that event, and I still harbor fierce loyalty for those who helped make that event what it was.  We knew we had something, and built on it.  The second event was held in Knoxville in early 2011, and we had around 10 times the sponsorship, and double the attendance.  Most importantly, we had asset owners coming to the event to both participate as speakers and join the crowd of attendees.  We were sure we had something of value at this point.  Let's face it, Knoxville is a really nice place, but it is certainly not a "conference boondoggle" location.  People showed up because they had a thirst for knowledge and because they wanted to communicate with people who understand what they need, and we delivered that.

The third event saw us partner with the Energy Sector Security Consortium (EnergySec), and we were blessed with lots of great sponsorship, and perhaps the finest selection of speakers and attendees to date (although that is a tough call, since both of our other events had fantastic speakers and attendees).  It just seems to keep getting better and better as time goes by.  I tried to take the time to speak to everyone I ran into at this event, with around 15 sponsors and around 250 attendees, but found myself nearly overwhelmed by the outpouring of interest in the event, the massive amount of networking going on, the fantastic sessions, and the constant outpouring of love from all who took the time to come up to me and tell me what a fantastic event our little conference has grown into.

I cannot help thinking about that famous Sally Field moment, when she accepted the Oscar for her starring role in the 1984 drama "Places In The Heart".  She took the stage after receiving the Oscar and gushed "I haven't had an orthodox career, and I've wanted more than anything to have your respect. The first time I didn't feel it, but this time I feel it, and I can't deny the fact that you like me, right now, you like me!"

Peer acceptance is what we all crave in our careers, regardless of what we may think or say about the subject.  I am humbled by everyone's acceptance and love, and will continue to deliver the quality you have all come to expect.

Kindest Regards,

Mike Ahmadi
Conference Chairman