Guest author Sean McBride is the Director of Analysis and Co-founder of Critical Intelligence, a company that provides Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

One simplified explanation for the differing views of Dale Peterson and Bryan Owen, as seen in the comments here and here is based on simple economic analysis.

Bryan represents the security function of a highly successful software company. His position directly benefited from the subsidies the US government made available to the private sector through the INL. The INL-OSIsoft story, I know from several conversations with Bryan, is quite compelling. I wish the details were publicly available to serve as an example for how to work security into the product lifecycle – even when the process can be painful.

On the other hand, Dale represents a highly-specialized consulting firm whose thought leadership has publicly and credibly pushed for improvement over much of the past decade. His firm must compete under market forces to land every client. As such, government subsidies through the INL are irksome as his potential clientele turns there, obviously attracted by taxpayer help and good PR.

From a business perspective, if I were in OSIsoft's shoes, NOT going to INL would be a mistake. However, I have a hard time believing that a firm like OSIsoft, with a security leader as sharp as Bryan Owen leading the way, could not have found a similar (and in some cases superior) quality of assistance in the private market.

Hence, the deeper issue I see in Dale’s repeated and sometimes stinging analyses is a request for leadership at some level (Ms. Menna, Mr. Weatherford, Mr. King, Mr. Lieberman, Ms. Collins, Mr. Schmidt) to address the following questions:

  • If cyber security of critical infrastructure is as critical as we like to make it sound, isn’t it time to start a competitive process that encourages ICS-security innovation?
  • Doesn’t the near-decade-long “INL owns this space” mentality risk shutting the door on fresh approaches to ICS-security?
  • Are non-competitive contracts, vendor subsidies, and non-disclosure agreements providing the daylight necessary to gauge real progress?
  • Isn’t there some OMB guidance about National Labs competing with industry?

Can someone with direction-setting authority consciously consider those issues – before the next budget cycle – please?

