EnergySec experienced an unhappy holiday season last December as a significant number of its employees were let go, had their hours reduced, deferred pay or shifted to unpaid volunteer status. These were people at all levels of the organization, from the CEO, who included himself on the list, on down. Basically this unique, ground-up information sharing organization serving the electric sector had its legs cut out from under it. The reason: it lost the government funding that kept a large part of the team working.

This is ironic and nonsensical given the US Government’s focus on improved information sharing as a key to making progress on critical infrastructure ICS security.

A bit of background …

EnergySec is one of the oldest, if not the oldest, ICS security information sharing organizations. It began as an informal group of people in the Pacific Northwest electric sector sharing information between friends. After a few years they began putting on an annual conference that was known for bringing in the highest percentage of owner/operator attendees outside of a user group. Still, the work was done by a team of volunteers with minimal structure.

What made and makes EnergySec unique compared to other information sharing organizations is that the utility members provide most of the information that is shared and drive the organization. The growth was organic, built on trust. It was not something you were obligated to join; it was something that many chose to join and share information with. It was bottom-up, not top-down.

In 2010, the Department of Energy (DoE) took action required by Congress to create a private sector information sharing organization in the electric sector, and to provide funding to help make it happen. EnergySec was one of two winners. It transitioned from a volunteer effort to a 501(c)(3) non-profit with funding and employees. In fact they built quite an impressive team that you’ve probably seen at ICS security events. The Department of Energy funded effort in EnergySec was called NESCO. Since NESCO was EnergySec’s major funding source, EnergySec really became NESCO.

One of the challenges of the DoE funding was the cost share. This is actually common with DoE funding, and I think a good idea. If industry is not willing to support a project, then perhaps it is not worth government funding. The NESCO/EnergySec cost share requirement started small and increased over a 3 – 4 year period, after which NESCO was supposed to be self-sustaining with industry funding.

NESCO had more than 20 projects with industry-committed cost share funding denied by DoE. I haven’t seen the list of projects, and perhaps DoE was correct in denying many of these. However, it seems unfair for DoE to both require an industry cost share and then deny NESCO projects that industry finds worth funding.

Which brings us to last December, an unhappy time for EnergySec. They were behind on the cost share part of the funding, which allowed or forced (I’m not sure which) the DoE to stop their share of funding until the cost share was met. Funding may resume this summer, in large part due to the volunteer labor being counted as cost share, but the damage is done.

EnergySec experienced the common business challenge of relying too heavily on one big customer. They did not have enough alternate customers or reserves to continue to meet the current payroll when the big customer pulled its business. They would be foolish to make this mistake again. The cost share will become more onerous, the projects that can generate the most cost share are not supported by the customer, and the customer/partner has proven unreliable. Even if the DoE funding resumes, smart business dictates that NESCO can’t be considered a priority for EnergySec.

Loyal readers will know I believe info sharing is a small side issue until we get basic security controls in place. But the US Government believes info sharing is a key and high priority component of securing ICS. It is incongruous that the Executive Order and most proposed legislation focus on information sharing, while the USG simultaneously could not find a funding mechanism for EnergySec/NESCO. Any funding required to keep the NESCO team and effort going would have been small money compared to what will be spent standing up another effort.

EnergySec/NESCO probably made numerous mistakes over the last three years, and they may need some new strategies and tactics to meet the US Government’s goals. However, if information sharing is important, the US Government had a good team and an information sharing organization with a large volunteer membership in what most would say is the most important critical infrastructure sector. How do you walk away from that if information sharing is important?

EnergySec has put a brave face on this problem and released a video yesterday with the CEO handover from Patrick Miller to Stephen Parker. They assert that the TAC and other programs are self-sustaining, if smaller. Many a small business, including Digital Bond, has had these business downturn issues. Sometimes they even lead to better and smarter business. Losing your job at Christmastime is unpleasant, but the ICS security business is booming and that talent will find a lot of opportunity.

Full Disclosure – Digital Bond has received DoE research funding in the past. They have funded Bandolier Security Audit Files and other research tools that have been integrated into multiple security products. Our experience with DoE has been fantastic, and their research dollars have resulted in our technology being used to audit the security of ICS prior to deployment. A case can be made that DoE tying research funding to Roadmap Goals has provided the best ROI of research funding in the ICS security area.
