Effective information sharing about vulnerabilities, security incidents and other security issues is a hard problem. Most owner/operators are reluctant to share anything that could make them look bad or worse, but these same asset owners see the benefit of receiving information from their peers. So everyone wants to receive the info, but not share any info.
There have been research efforts inside and outside the control system space, including at S4, on how to anonymize information to eliminate the risk to the sharer, but these anonymization schemes get very complex and even then are not perfect. There are also issues with sharing information with a government organization or regulatory body regarding what disclosure means and its potential effects. But is the perfect the enemy of the good?
Recently I received a demo of the information sharing portal run by EnergySec, an organization whose members are from the energy sector. They have taken a practical approach.
- Membership is limited and members are vetted to some degree. So it is a closed group of people with a need to know.
- There are rules on how the information can and cannot be used, but there is a recognition that this is only as good as its members' good intentions.
- The anonymization is not perfect. You send in the information, so EnergySec knows where it comes from, but the source is not put on the portal if you choose certain anonymization options. So if someone logs in or gains access to the portal they will only see an anonymous post. However, someone with access to EnergySec's logs or traffic flow could identify the source. Again, not perfect but good. I should note that most of the information on the portal was not anonymously sourced. Anonymity is an option.
- Because this is a private, non-profit group, it avoids the concerns people have about turning this type of information over to the government or a regulatory agency like NERC.
I really like the “let’s do something now, even if it is not perfect” approach. A quick look through the different posting areas and topics showed that a small number of people posted most of the messages. This is typical. The real value will come if members create the sense of community and feeling of trust that fosters true sharing.
EnergySec started in the Pacific Northwest, and this is still reflected in their membership, but they are now getting members from across the US. If I were a US energy sector owner/operator I would join.