
Show Notes

Patrick Miller has OT cybersecurity experience as an asset owner (PacifiCorp), as a regulator and one of the first NERC CIP auditors with WECC, as a community organizer who created and led EnergySec and the BeerISAC, and as an entrepreneur who created and led a number of consulting practices. He is currently the Founder of Ampyx Cyber.

In this episode Patrick and Dale discuss:

  • Why Patrick changed the company name and selected Tallinn as the location for the new European office.
  • The major differences in approaches to OT cybersecurity and risk management between Europe and the US. (more than just regulatory differences)
  • What has the EU learned or improved on regulation from NERC CIP.
  • What is the current state of NERC CIP regulatory risk? Are the regulated entities understanding and meeting the standards’ requirements?
  • The challenge of slow NERC CIP modifications, e.g. virtualization and cloud.
  • Bad standard & good regulator v. good standard & bad regulator.
  • Should water follow the NERC CIP model as recommended by AWWA?
  • How Patrick is dealing with AI.

 Links

Transcript

SUMMARY KEYWORDS

regulation, company, cip, running, ai, europe, regulator, utility, cra, systems, audit, vendors, cloud, guess, faster, ampere, control, country, front, assets 

Dale Peterson  00:10

Hi, I’m Dale Peterson and welcome to another episode of The Unsolicited Response show. My guest this episode hardly needs an introduction, so I’ll give him a long one. It’s Patrick Miller. For those of you that don’t know, Patrick has done just about everything. He worked with an asset owner, PacifiCorp. He was a regulator with WECC, regulating and auditing NERC CIP way back in the beginning days, a community organizer for both EnergySec and the BeerISAC, and very much an entrepreneur, having started multiple consulting companies in this field. Until, I guess, maybe a month or so ago, I would have said you are the CEO of Ampere… Ampere Industrial Security, but I saw that you changed the name of the company; you are now CEO and Founder of Ampyx Cyber. So first, welcome to the show, and maybe I’ll start with the question: why the name change?

Patrick Miller  01:09

Thank you for having me on the show, and thank you for the kind introduction. The name change: I’ve started the European branch as well, because there’s a fair bit of stuff going on in Europe and I seem to get tagged with everything regulatory in the world. So there are some CRA and NIS2 things that are happening in Europe, and I’ve got some clients over there as well. So I wanted to start a European brand for the company, the consulting firm, and the name Ampere was… the Europeans are a little more strict on their namings. You can’t even operate in the technology space at all. So I ended up running into a conflict with the name there. So I basically had to come up with a new brand for the global organization, for both the US and the European operations. We have some business in South America as well, but there wasn’t any issue there. It was basically to get a unified global brand.

Dale Peterson  01:59

Okay, so it wasn’t an issue like, you know, the famous Nova example in Mexico, the-

Patrick Miller  02:05

No

Dale Peterson  02:06

It wasn’t like that, it was just, uh, you were stepping on someone else’s name, and it would have been a bunch of hassle to try to keep it, I guess.

Patrick Miller  02:15

Yeah, yeah. It’s just basically, when you’re registering your name in Europe as a new business, it just won’t even let you register if the name already exists under some other brand that’s got anything in the tech space at all. So even if you’re, like, service-oriented versus product-oriented, if it’s tech at all, it just won’t even let you get the name. I didn’t even have the option to use the name there.

Dale Peterson  02:36

Well, you alluded to the second thing I wanted to ask you. In this announcement, you announced that you’re opening a branch in Tallinn, Estonia.

Patrick Miller  02:44

Yeah.

Dale Peterson  02:45

And I’m familiar with Tallinn mainly from the Tallinn Manual on cyber, or international law related to cybersecurity, but it’s kind of an odd place. It’s kind of, you know, maybe if you were servicing Russia and some other countries, Belarus and that, it makes sense, but you’re kind of on the edge there. Why did you pick Tallinn?

Patrick Miller  03:05

Yeah, and it’s quite the opposite, believe it or not. They’re not very friendly with Russia and Belarus.

Dale Peterson  03:10

No, no, I know that.

Patrick Miller  03:12

Yeah.

Dale Peterson  03:13

But proximity-wise, I mean, geographically.

Patrick Miller  03:16

Yeah, in terms of geography. The primary reason was, I’d done some research, probably six to eight months’ worth of research, in terms of where to start a European business. And there are like six countries that kind of rise to the top out of all of them in terms of the ease of running a company without living in the country that you’re starting it in. Estonia was by far the easiest to work with. They have a digital residency platform where you go through some basic background screening and some biometrics that you give, and you get a digital residency card, and you use that to operate your entire business remotely. So as far as kind of ease of operations, efficiency, cost, and a lot of ways in terms of the tax base and all those other things, it’s extremely easy to do it. So as an e-resident, I can pretty much operate as though I’m in the country to do anything I need.

Dale Peterson  04:08

So that makes sense. So it wasn’t so much that that’s closest to where your customers are, or something of that nature. Okay, it makes sense.

Patrick Miller  04:16

Well, they-

Dale Peterson  04:17

and certainly-

Patrick Miller  04:17

They are in the EU,

Dale Peterson  04:19

Yeah

Patrick Miller  04:20

Yeah, since they’re in the EU, I can take Euros, so it’s not as though I have to deal with a different currency. I can deal with anybody in the entire European Union and just get the VAT tax and standard currency across banks. So just in the ease of business operations, it was orders of magnitude better than any other option.

Dale Peterson  04:37

Now you have my curiosity piqued. Was it difficult?

Patrick Miller  04:42

No

Dale Peterson  04:42

Did you essentially hire someone over there to do it all for you, or were you able to navigate it yourself?

Patrick Miller  04:49

No, it was very easy. The longest process is going through the, uh, getting the e-residency. Once you’ve got the e-residency and you get your card, you go to a site where they basically interview you and you give some biometrics to track who you are. Most of this is to combat money theft and fraud and those kinds of things. That’s the primary reason for that. Once that was done, it was probably less than 20 minutes to have the company up and running. It was really easy. Yeah.

Dale Peterson  05:19

I looked at an interview that you did about two years ago, in April 2022, with SISE, and you were describing Ampere then, and you said it’s a small boutique firm, “that’s what I want to keep it with. I want to keep it that way as much as I possibly can.” Boy, I can’t read here. And you were saying that it was a small boutique firm, you want to keep it a small boutique firm. Now you’re a global firm. Have your goals changed, or was that just a moment in time where you were tired of dealing with a lot of things?

Patrick Miller  05:56

Um, maybe a little of both. I still want to keep it a boutique firm. I’ve run big firms, and I’ve run some successful firms. The bigger the company is and the more the company is making, the more complex things get in so many ways. At this stage, I’ve run enough companies and sold enough companies and been part of enough startups that I don’t really want to do that again. But I do want to keep this to a manageable size. I mean, for me, it’s more of a lifestyle company. I want to know all my people, I want to know their spouses, I want to know the kids’ birthdays. I don’t want it to get so big that that dynamic is gone. So I’ll do whatever it takes to keep it at that level, which is typically between the 20 and 30 person stage. So once we hit that size, I’m just going to find ways to manage that and keep it at that space.

Dale Peterson  06:46

Okay, well, that was what you said two years ago, so you’re consistent then. So that boutique firm, in your mind, a 20 to 30 person firm is still a boutique firm, but it’s kind of pushing at the edges, right? That’s where you need more management and logistics infrastructure, once you get much bigger than that. Okay, cool.

Patrick Miller  07:05

Yeah, yeah. And I lose connection with the people at that point. So that is the biggest part for me. Yeah. Okay.

Dale Peterson  07:13

I’m going to take a little advantage of the fact that you’re interested in Europe, you’re opening an office in Europe. Certainly I want to talk about the Cyber Resilience Act and that, but before we dive into regulation, for someone like myself who deals mainly in the US, what would you say are maybe one or two top differences in how Europe is addressing OT cybersecurity and cyber risk, and so on, as compared to what the US is doing, outside of the regulatory approach?

Patrick Miller  07:46

Okay, outside of regulation? That’s a difficult one, Dale. I think a lot of the European vendors have kind of picked up some traction in terms of responding faster. And the reality is, it’s not like there are a lot of US vendors for our OT systems; a lot of them are not US-based companies. So we don’t have much to compare to here to say, “Oh, well, the US OT companies do it differently than the other ones.” Given that, I think your larger OT vendors out of Europe have gone through the hard part of figuring out what it means to get vulnerability disclosures right, what it means to get patching right, how to keep the customers happy with respect to security, differentiators in cost and those kinds of things as well. They’re not all coming back and saying, “Oh, you’re the first company that asked me this, it’ll be a million dollars.” That was a path a long time ago, when you asked for security features. Now it’s more common to just have it bundled in over time, and things like seat belts become just part of the vehicle, and, you know, crumple zones, and all those other things just kind of get built in. So they’re getting better and better at it. But it’s not like there’s a lot of comparison to US companies, because there are just not a lot of OT companies that are based in the US. So, in general, I think they’re getting it better.

Dale Peterson  09:00

How about more on the asset owner side, for example? Are you seeing the same sectors kind of leading the way? Is it electric? Are you seeing more manufacturing or rail emphasis over there? Any sort of difference in terms of the asset owner side?

Patrick Miller  09:18

Europe is definitely rail. There’s a lot of rail in Europe, and they’ve got, you know, regulations, there’s, oh, 507, there’s a lot more passenger rail, so it’s not just cargo rail; in the US there’s not nearly as much. So with the human element added in, it gets a lot more of a feedback loop from the humans that are participating in the process and can be impacted by the process, to those that are regulating or managing the process as well. In general, the companies, I think, have a different mindset. They are certainly capitalist companies that are there to make money, but they have more of a European feel on, I guess, maybe taking care of the people or taking care of the systems in a different way. It’s just a different mindset. It’s not as run-to-fail, from what I’ve seen, as it is in the US. It’s a little more well managed. Things are thought of a little more in advance. And I’m even seeing some really proactive behaviors from some companies, where I see more reactive behaviors from companies in the US, or, frankly, North America, or even the Western Hemisphere, our side of it anyway. Yeah.

Dale Peterson  10:29

I wonder, obviously you have the EU, and you have a lot of these regulations that are EU regulations, but then you have a number of different countries who are responsible for turning those into laws and such. How much difference are you seeing country to country over there?

Patrick Miller  10:48

Yeah, the way most of the EU stuff works, there’s a base level that is operated at the entire Union level, and it feels a lot like it does in the US. Some countries go above and beyond that; they’re not allowed to go below it, but you can go above and beyond. And each country will kind of add their things as they see fit, depending upon where they want to add emphasis, or just keep it at the European minimum. Where there gets to be differential, it can be challenging, like in the US where you’ve got California going certain directions, or New York going different directions, or Texas and Florida going different directions. So it creates kind of interstate challenges with uniformity. But that’s the same thing everywhere else. It’s not like this is unique to the US, or even Europe for that matter. You get the same thing in South America from the countries there. But there’s a base minimum, and then you can go above and beyond that. I think the biggest difference, though, is in the enforcement mechanisms. What you have to do can basically be roughly similar, with some variation. But how you get penalized for what you do can look different. So the enforcement structure will look different in one country from the other; who audits you, who enforces the regulation, will look different on a country-to-country basis. So what happens if you don’t may be more of a challenge for uniformity than what you actually have to do.

Dale Peterson  12:04

And then that will probably also affect the security posture, which might differ by country, because companies are reactive. If they say, “This is how I’m going to be audited,” then they do certain things, and if it’s something else, they do other things. So, interesting. That is, your auditors. I could see how that could drive it. Yeah, makes sense. Well, let’s talk a little bit now about, you mentioned NIS2 and the Cyber Resilience Act. CRA is the one that’s gotten my attention the most. As someone who’s been involved with NERC CIP from the very beginning, is there something they’re doing better in the CRA than what NERC CIP did in the early years? Did you see that they looked and said, “We’re going to do it differently and better, and not make the same mistakes”?

Patrick Miller  13:00

Yeah, I mean, we started NERC CIP more than 20 years ago. So I would hope they got something better between 20 years ago and now. And even, you know, take the virtualization standards for NERC CIP. We started talking about those 10 years ago. They went into a project officially in 2016, and they got passed this week. It took eight years from starting a project to get virtualization passed. Eight years. So what has happened in virtualization in eight years? A lot. I mean, a lot. So it’s really difficult, especially with the structures around how NERC CIP was built, to keep up to pace with innovation. And hackers are always faster than laws. So I think what Europe has done is they’ve seen what the US did, and a lot of countries have seen what we did. A lot of people modeled some of their regulations after things like NERC CIP. Most of South America, for example, has adopted NERC CIP wholesale, other than the CIP-002 kind of inclusion stuff. I think even Taiwan as well. So I think what Europe did is they leapfrogged us. They took some of the best ideas and best approaches, found out where they are the most effectively placed, and then applied them there. So for example, we’re just now getting to the point where we’re holding boards accountable. Roughly. Not really, but roughly we’re getting closer and closer, inching there by these unique kind of backdoor mechanisms like holding a CISO personally accountable and then figuring out, did they or did they not lie to their board? Was the board even asking the right questions? So there still isn’t some direct path to get to that level to influence them. In Europe, for example, under NIS2, the fines are serious. You can remove board members, you can directly affect the way the board behaves for practices that are either deceptive or irresponsible. So I think they’ve learned a lot from where we’re trying to go, and where they’re just going straight without waiting to get there.
It can be particularly onerous and restrictive. We’ll see. I mean, we’ll see how this ultimately pans out. We’re just now looking at this new change, and we’ll see how it gets implemented. It’s likely going to be bumpy coming out of the gate, which is to be expected. I think they’ll probably handle it well and refine it and normalize things over time. But it sends a clear message that, you know, if you’re an owner of the company, and you’re a director of the company, you need to take cybersecurity seriously. And it’s squarely centered on those important critical infrastructure areas, with some very serious penalties like 2%, and, you know, 10 million euros. Those aren’t small money. That’s NIS2. And for CRA, in a similar way, we’ve done various different ways to try to regulate supply chain. In the US, the only real supply chain regulation, that’s definitely regulation, is NERC CIP-013. And it was really kind of an end run to regulate the vendors by using the utilities. So the utility is on the hook for how the vendor behaves, which is, you know, okay, we’ve got to do something, maybe something is better than nothing. But this is a really painful way to get where we really want to be versus, you know, where we should be, that kind of thing. So in the EU’s CRA, for example, it’s got this recursive check: you check one level, they check the next level, and the levels keep everybody in check. You basically have kind of this bidirectional, bilateral checking to keep the system in check. So it has some interesting and creative ways to keep that regulation, I guess, in line and a little bit easier to manage. Instead of trying to eat the whole supply chain elephant all at once, everybody gets a piece of it. So to shoulder that type of regulation makes it a little bit easier.

Dale Peterson  16:42

Now, is the CRA aimed more at the vendors or the asset owners? Because, yeah, that’s what I thought. So I guess that is a completely different approach. We don’t really have a vendor… well, the closest we have is FDA, right? FDA, if you want to get a medical device approved, you have to get it FDA approved. It’s not a very high bar, but it’s at least a vendor bar. Interesting. Yeah. And do they envision having something like an ERO, like NERC, something that sits between the law and the audits and enforcement?

Patrick Miller  17:21

It’s going to be country by country. How they enforce it is going to be decided in each country. So it’ll look a lot more like Canada’s version of NERC CIP than the US version of NERC CIP. In Canada, it’s enforced province by province, and they kind of have some different paces and different enforcement methods and that kind of thing, even with a roughly common set of regulations.

Dale Peterson  17:43

And what about speed? You gave that great example with virtualization, how long it took before it went from an idea that everyone admitted was needed to realization. Is the CRA, or the EU regulations in general, are they moving faster? Do you expect results and changes to go in a matter of years as opposed to five, six, seven, eight years?

Patrick Miller  18:10

Yeah, I do think they’ll move faster. I think somehow the EU is able to make decisions faster in a lot of ways. You know, I don’t really have a reason for why, but they seem to decide to move a little faster than the US. I also think that catalysts like having the Russia-Ukraine war literally on their border can have a tendency to make you think about accelerating certain things in different ways. We don’t have that. Yeah.

Dale Peterson  18:40

Well, and I think it’s just maybe the American heritage, sort of a knee-jerk reaction, when you say regulation. There’s a certain percentage of Americans, and I must admit I’m a little bit in that camp as well, that, you know, because there’s just an anticipation that it’s going to be done poorly and it’s going to cause me pain. Whereas I think Europe is a little more regulation-friendly, quite a bit more regulation-friendly, as kind of a cultural thing. Well, let’s bounce back to NERC CIP. Where are we now? I mean, have we reached kind of a steady state with rare changes? Maybe to put it as an opening question: are most organizations that are covered under NERC CIP doing a good job at complying with the current NERC CIP regulations? So when the auditors go in, they tend to find little or nothing, or only minor things? Does the bulk electric system have regulatory risk under control?

Patrick Miller  19:50

I do think, in general, it has normalized. We’ve gotten to a place where most of that risk is managed in a reasonable way, and CIP did move the needle. It’s not a bad low bar. It’s not going to keep you terrorist-proof or nation-state-proof, but it does definitely increase the barrier and raise their cost to attack you. There are still companies that we come across, on occasion, that still don’t get it. So there are still some who surprise me with their level of misunderstanding. But by and large, the needle has been moved, that baseline is set, there is a new normal. It is pretty challenging to do something to one of those companies. Like I say, they’re not perfect, and they’re not absolutely adversary-proof, but it is much, much more difficult to do anything in the electric sector, which is one of the reasons I think we haven’t seen a high level of penetration by adversaries into that sector. There’s Volt Typhoon and all these discussions around “China’s all up in our grid.” Are they? Is that actually into the control systems of these companies, or is it in some corporate environment? We don’t have a lot of details on these things.

Dale Peterson  21:05

I was going to ask you something about that later on, so let’s just jump to that now. How do you react when you see all these heads of government security agencies standing in front of, or sitting in front of, Congress and saying the electric grid is at great risk and attackers are in the systems, ready to take us down at a moment of their choosing? How do you react when you watch those things?

Patrick Miller  21:35

I don’t react. It’s not something I… I would expect that for any qualified country of this size. This is table stakes. Yes, you should try to penetrate those areas for all the reasons that they mentioned, the level of penetration and the level of capability. If they even did something small in some small utility somewhere, Americans would still freak out. That’s the nature of America, right? But the chance of them actually having a very significant, sizeable single-company or even regional impact is pretty low. And it’s not just because these companies are, like, super cyber experts, you know, like I say, adversary-proof. It’s because most utilities, especially electric utilities, operate from an all-hazards approach. They don’t care what the hazard is; they’re going to operate that system and keep it up and running. I’ve seen several folks from a control center that failed literally run out and grab car batteries out of their vehicles, rack them up and get a DC power operation running to fix a failed UPS in like 20 minutes. So you’re talking about something that, I think it’s almost impossible to understand how complex the grid is. First of all, it’s not one grid. And there are other things that go into the physical construct. You can’t really just take out America’s power system front to back, coast to coast. There’s just a lot in there that is really, really misunderstood, and really swirling around in a lot of fear, uncertainty, and doubt. And again, it should just be kind of expected that a nation state like China would probably want to do something like this, at least to some level.

Dale Peterson  23:10

Yeah, as would probably America.

Patrick Miller  23:14

In fact, if we’re not, I’m ashamed. Really.

Dale Peterson  23:17

Yeah, you want to have the capability. But I’m a little surprised, and maybe there’s just no win in it for them, but I’m a little surprised that the utility industry doesn’t push back on this more. If you pull them aside and ask them, they might say, “Yeah, I don’t think it’s that bad.” But I don’t see EEI with a publicity effort to educate Congress about the reliability numbers on the grid and the almost zero cyber impact on the grid over the last 20 years. I see almost no public response on that one. Do you have any idea why that is?

Patrick Miller  24:03

They do when you drag them in front of a committee. They’ll tell you about all their stats, and they’re happy to advocate for all the things that the E-ISAC is doing and that the sector is doing, statistics on what the reportable incidents are and all of these things. So in the right audience, or in the right forum, they will basically megaphone these stats, just not in this kind of public forum setting, or fear, uncertainty and doubt setting. Most of the time the utilities don’t say anything about anything at all. They’re particularly tight-lipped. So unless you drag them in front of the committee and ask them to showcase what they’re doing, they’re just not going to say anything. Some of it is that they’re just notoriously close to the vest: keep things quiet, don’t make any waves. But the other part of it is that by advertising that you’re super secure, you’re also in some cases inviting… Oh, yeah. So like when Larry Ellison called Oracle unbreakable. I mean, that was one of the biggest mistakes they could have ever made. Yeah. So to go out and do that also seems to kind of invite things as well. There are a lot of dynamics in there. But in the right situation, they’re happy to give you the statistics. Yeah.

Dale Peterson  25:11

We had an… I can’t believe his name escapes me, but there’s a gentleman from Southern Company who for a long time was kind of the electric utility spokesman, and then he retired, and it went to Bill Fehrman at Berkshire Hathaway Energy, who was nice enough to come to S4 a couple of years ago. Now he’s moved on from there. Is there a new one? Is there a new person who is the spokesman, or spokesperson, for energy now?

Patrick Miller  25:40

Not that I’ve seen. Yeah, we don’t have kind of a, you know, a face, the, what is it, figurehead, so to speak, for the security motions going on. I haven’t seen anybody step into those shoes just yet. I do expect it’ll be somebody at some point. Because it’s non-official. Yes, yeah. Officials kind of slide into, like…

Dale Peterson  26:02

This person, you know, becomes the chair of the E-ISAC, gets on all these government committees, committees like the Cyberspace Solarium Commission, and all these sorts of things. But I haven’t seen the next one. So I’m curious.

Patrick Miller  26:17

I have a few in mind that I would like to be that person. But we’ll see if it happens to them.

Dale Peterson  26:23

Yeah, I think the two that have done it to date have done a good job. I always kind of wonder why it’s just one, if there might not be more strength in numbers, but it seems like for the last 10 years or so there’s just kind of been an agreement that if someone needs to talk to the government, this person is the front person. Let’s go back to NERC CIP, one last question on that. Cloud. When I’m reading people who write about NERC CIP, yourself and others, it’s like, hey, it just doesn’t work with the cloud. You can’t comply, or it’s very difficult to get the services you want and feel confident you’re complying with NERC CIP. And there are some efforts going on now, I understand, to try to address that. Is there a solution we should accept, or expect, in the next one or two years? Or is this another five-year effort?

Patrick Miller  27:22

Yeah, we got some good progress recently. In January, we enacted a couple of standards, CIP-004-7 and CIP-011, that came out. With those changes, what they’ve done is basically written in the allowability to put at least the data in the cloud. So operations in the cloud is still in question, but data in the cloud now is pretty much allowed, based on kind of this bring-your-own-key and provisioned access model that is now available under CIP-004 and CIP-011. The changes that were just put in in January resolved much of the, I guess, restrictions around that. So you can put BCSI, the sensitive information about your subsystems, in the cloud now in a way that would be compliant. That was the goal, and that seems to be what happened. Operations in the cloud is still in question, and the virtualization standards go a long way, the ones that just got adopted this week. The way it works is the utilities write the proposed regulation, submit it to the entire utility base, and then they vote on it and determine if they like it or not. This one has gone six rounds through the vote process and got voted down. So it finally passed this time, and the numbers look pretty good. They’re all above 80%, and sometimes they were like in the 20%, just slammed terribly. So it actually did a really good job and passed the gauntlet this time. So now that it’s been written by the industry and approved by the industry, it goes to the next board for approval, which is traditionally a rubber stamp; the board’s not going to go against the industry that wrote it and voted for it. And then it goes up for approval. So there’s a long path in front of this still, from the regulatory process, and there is an implementation window after focus groups. But even given that, this stuff in the virtualization standards gets us closer.
Is it perfect to do operations in the cloud? Not yet. There are still some sticky issues, even with the latest draft, but given that, I think we’re at least in the place where we can say “operations in the cloud” without someone freaking out, you know, and running out of the room with their hair on fire, or, you know, getting into a shouting match: “It’s never, ever going to happen, not on my watch, over my cold dead fingers.” So we’re closer and closer and closer. Is it perfect? Are we there yet? I don’t want to say we’re there. I want to say we’re approaching the ability to get there.

Dale Peterson  29:51

Okay, okay. Well, that’s good to hear. And I think electric is always one of the toughest sectors just given the speed that everything happens, and much different than water, or even manufacturing, because of the uptime requirements and the speed and such. But I can see, and I’ve talked to a number of asset owners this way, that kind of have this. Some of them have this “Cloud? Oh, no, never.” And like, wouldn’t it be nice to have a backup or a tertiary control center in the cloud? You know, so if something happens, if you lose this thing, boy, you can spin that up. And if it goes down, and, you know, if all the power’s out on the west coast, you can spin one up in Atlanta, and boom, you’re running it. So I think there’s some huge uptime, reliability benefits, even if you just use it as a backup in case your on-prem stops working. So I really am looking forward to seeing that. But I can understand the difficulty from a regulatory standpoint of figuring out how you deal with that.

Patrick Miller  30:56

Yeah, and even dealing with things like, is the entire cloud operation solely on US soil? Because at that point, remember, if it leaves US soil, the regulations have no control over it. So like if you try to operate a registered US power company from another country, then FERC has no jurisdiction on that. So they just don’t allow it, period. They just won’t let you register. It makes sense. Even for smaller organizations, I do see, I’ve got a couple of small clients that right now are literally running on protection. That’s it, they’ve got no SCADA. They’ve got no, you know, no real visibility. They’re just running on protection, no digital fault recorders. They know when there’s an outage because someone calls in and says “I’m out of power.” Yeah, that’s pretty much it. No outage management platform. Because all of those things take expensive IT resources and expensive IT assets, like humans and assets. So all the smaller ones are looking at ways to do this in the cloud, because they can basically buy an instance with a bunch of their buddies and get, you know, get this at a fraction of the cost, I mean, way, way, way cheaper than buying a bunch of servers and workstations and building a data center and hiring the people to manage them. And a lot of these are in rural areas where there’s not a lot of IT resources available. So for them to have like a patched, managed, well-maintained, running environment that may occasionally go down when, you know, GCP or Amazon has a hiccup, they’re okay with it. Because before that, they were running purely on protection; they didn’t even have visibility. So they’ll pay that small fraction to get the visibility and SCADA and ons and everything else over their environment, at literally pennies on the dollar in comparison. So their ability to be overall long-term more reliable shoots through the roof in comparison.

Dale Peterson  32:38

Well, now I’m afraid to read another quote from you since I did such a bad job reading last time. But I really found this to be instructive and interesting. I’d like to have you elaborate on it. You said you can have the crappiest standard in the hands of a really good regulator and it makes all the difference. Or you can have the world’s best possible written standard in the hands of a crappy regulator and all bets are off. And I’m guessing some of that was your experience with WECC, just actually being the regulator. But how does that influence the way we should be doing regulation? Are we worrying too much about the front side, the documents, and not enough about the regulators who are doing the work? Because I have a little bit of experience with this in some of the financial regulations like Gramm-Leach-Bliley, and some of the others that had almost no instruction. They were terrible regulations. They were just broad goals that somehow the regulatory community had to say, this is how we’re going to audit and tell whether you’re compliant with this broad thing. So it really resonated with me, but I’m just wondering how much effort we spend on the regulatory side?

Patrick Miller  33:57

Yeah, I think it really depends on the regulation. But when regulating tech in particular, it moves so fast. So the pace of innovation, the pace of adversary behavior change, all of these things are so fast, and writing regulation in that space is insanely challenging. Writing a future-proof regulation that isn’t useless by the time you get done banging the gavel that makes it effective is almost impossible. So that’s part of the reason. The other part is you’ve got a situation where the regulators that are doing the auditing, for example, there’s no requirements on their level of expertise or knowledge or capabilities. So you’ve got to have a license to be a barber, to drive a car. But there’s no specifications whatsoever for who is auditing your company against NERC CIP, which is effectively keeping the power on and safe for X number of people in the footprint of that specific utility, or the entire region for that matter. So I think we’ve got a lot of time oranges in that. If you write a very specific regulation, it’s actually easier to comply to, because you can go to the letter of the law, you’ve got a lot of prescription, and you also know how to game it, to get around those very prescriptive methods by simply tweaking a few things. So they don’t like writing prescriptive regulations; there’s a balance in there of just enough prescription that it’s difficult to game and you don’t have unintended consequences. One of the examples is in CIP there is a 1500 megawatt threshold for generation. And a lot of plants will just basically come in and separate the control systems so that it’s two systems that are under 1500, to separate the plant. Or you’ve got a lot of 74 megawatt wind parks and solar parks, because the registration threshold is 75. Okay, some things are going to be on the boundary anyway. 
But I think the fact is, when you write the regulation, if you write it vague and future-proof, you put almost all the weight on the auditors, or the enforcement mechanism, as it’s called. There’s a difficult balance there. Because you can write it prescriptive and immediately have it be useless, because everything is innovating so fast. Or you can write it so vague that it says these are general goals, and the auditors have to be educated enough and have to understand the systems enough to know when you’re getting it right; then you’re putting all the trust on that audit side. Somewhere in there, there’s a balance. There really isn’t anything perfect; it’s going to take us some attempts to figure this out. But right now, as it currently stands, there’s no real credential, or license, or skill set necessary to audit the standards from a regulatory perspective. It can be anyone.

Dale Peterson  36:35

Yeah, and I think if you look at the direction that the US appears to be going, it appears to be going more specific requirements. Very detailed, you know, here’s the list of the 40 controls, or like the 38 critical controls, that you need to do. And then you audit those, as opposed to a risk-based approach that’s a little bit broader. Maybe just one last regulatory question. I was chuckling when I saw AWWA, the American Water and Wastewater Association, I think, anyway, a big, big water industry organization, was suggesting that they should follow the NERC CIP model, that they should have, like, EPA be the FERC and come up with an ERO. And they actually wrote this in a report, they did a study, they wrote this in a report and submitted it to Congress. I see you shaking your head, that you don’t think that’s the right approach, you shouldn’t have that middle person in between, you don’t think?

Patrick Miller  37:42

I don’t think it’s necessary anymore. I do think when, for example, the CIP standards came out, the only way we were going to get a regulation is we let the industry write it, and kind of live with what they wrote, and put some buffers between the regulator and the industry and kind of have some space to breathe. Because it was the first industry to get regulated like that. I think at this point, we’re 20 years past. I mean, that’s a long time, even in utility time, that’s a long time. And that’s the depreciation of some of our assets. We’ve recovered our investment even on some of these assets in that window. So I think, given what we know now, it’s probably best to pick something uniform. And this is some of the things I like about, like, the cybersecurity strategy, for example, that actually talks about the elephant in the room of software liability. I mean, we’ve been dancing around this tree forever, right? And even in the EULA, it says “Not for use in critical applications,” but we still use it in critical applications and have some expectation otherwise. But the software liability component, and more importantly, the alignment of some minimum set of expectations across infrastructures, which is what the CPGs were originally started for. They took an interesting path. They’re not perfect by any stretch, but the concept was, what are the common measurements between the control systems of electric, gas, water, wastewater and chemical? Okay, I mean, in a very general sense, in a very oversimplified sense, it’s SCADA. It’s flow control: boxes on a belt, on a pipe, power on the line. It’s all flow control. And a lot of the control systems are same vendors, same tech, and a lot of the processes look really similar, just different things in the process in terms of what product comes out. When boards, when insurance companies, when government agencies, state, federal, whatever, ask where do we stand in our most critical infrastructures? 
The answers that come back are like, you know, cucumber, pineapple, watermelon, and they have to like translate what they’re saying, because they measure all things differently. We need to pick some simple common measurement so that we know we’re at least all doing the things we should be doing. So I’m actually a fan of the things that came out of the National Security Memorandum and the National Cybersecurity Strategy. So I do think those things can be tremendously useful, not just from can the government understand where we stand, but do we need funding? Do we need regulation? Insurance can use the same information. Boards want to know the same thing. If I’m on a board, and I’ve got a gas and a water company, or gas and electric company, or electric and water, and I get two different metrics coming back to me, it’s confusing. I mean, it’s already confusing enough. But add that to it, it makes it even worse.

Dale Peterson  40:27

Well, in the few minutes we have left here, I just wanted to give you a chance, if there was something you were passionate about, like something that sticks in your craw, or something that you really want to promote more. You know, I think in the pre-talk, we were talking about AI, but that’s a real buzzword thing. So if you say “AI,” I’m gonna have you say, well, what the heck do you mean? But is there something that kind of raises your blood pressure when you think about it, either from being excited or frustrated, in the broad OT security and OT cyber risk sets?

Patrick Miller  41:05

Yeah, it is right now. It’s AI, unfortunately, because it’s so pervasive everywhere. It’s like saying jazz, right? What kind? Right? I mean, do you like that Kenny G style or like the Miles Davis style? And there’s a lot of different things about it, that when people say it, all they know is that, you know, it’s this new thing, and they don’t really understand it. So what I would ask everyone is to take an extra five minutes, take a breath, slow down, understand the kind of AI that we’re talking about, or that you think you need. Is it going to, like, transform literally everything? Yeah, no question. Is it going to do it the way you think? Absolutely not. It’s going to do it in ways you never thought of; it’s going to do it in some ways that are, you know, backward, painful. There are going to be some massive data breaches and spills; there are going to be some very embarrassing things that come along the way. But I think part of that is on us, because we really didn’t try to take a few extra minutes to understand it. It’s very cool. It’s a buzzword, but it’s also an enormous amount of hype. I mean, I expect when I go to RSA this year, every single booth, I’m going to count the number of booths that don’t have the words AI or something similar along those lines, just to see what the kind of include-versus-exclude ratio is. But we’ve been using AI, basically machine learning and algorithms, in control systems since control systems. I mean, this is nothing new in our space, right? This is not a new thing. What is new is the fact that we’ve got some generative AI capabilities. And we now have ways to aggregate multiple APIs using pre-processing, and basically AI for AI. So that becomes a game changer in a lot of different ways. So I do expect that it’s going to make it a lot easier to do bad things. But at the same time, it’s going to make it a lot easier to do good things. 
I mean, just like anything else, you know, the spoon doesn’t make you go off your diet. That’s a tool. A tool is a tool. I really just see this as: we used to build houses with hand tools. We used to build them out of straw. Now we build them with power tools, and we’re now 3D printing them. So it just makes things faster. That’s all it does. It speeds things up. We haven’t changed the laws of computing. We haven’t changed human behavior. Just take a breath, try to understand it a little more. Go read some on it. There’s some really good simplified primers, if that scares you. But just take a breath, settle down. Yeah, it’s going to change a lot of things. But we can do this in a much more smart and controlled way, versus just letting it run roughshod over a stochastic was super cool, or scary. Yeah,

Dale Peterson  43:40

and I would say that almost anything you’re doing, you should ask the question, well, can I do this better, faster, cheaper, with some sort of AI? And I will tell you, I’ve even looked at doing show notes for the Unsolicited Response show using AI, certainly thumbnail images using AI, you know, things of that nature. So, in the content creation area, there’s certainly a look at it, and sometimes it works. Like, I haven’t still found any show note generation that I’m satisfied with. I was just trying something last week and I wasn’t quite satisfied with it. It is more a travelogue than an insightful summary so far, but I’m guessing that if I look around more, I’ll find it. So I can see that that’s important. You see Ampyx doing AI security consulting?

Patrick Miller  44:42

Yeah, I already am. I’m building basically like Clippy for compliance.

Dale Peterson  44:51

Cool, cool. Yeah, I’ve seen some data. That makes perfect sense to me too, because I’ve seen some pretty impressive things about, like, bringing in documents and bringing in drawings and all sorts of things, you know; they can tie everything together. There was even one presentation at S4 that was talking about bringing in network diagrams and using those to augment asset inventories and things of that nature. So there’s plenty of cool stuff out there. Well, Patrick, you’re very prolific. The site is still, it’s, what site do we have, PatrickMiller.com, but where would they read your blog, for example? Yeah,

Patrick Miller  45:31

PatrickCMiller.com is my personal site, and then the company site is Ampyx, A-M-P-Y-X, Cyber.com (AmpyxCyber.com). And the company blog is there and I do a lot more blogging. I don’t blog on my personal site, I blog on the company site. So all the things that we’re doing there from the company-

Dale Peterson  45:46

You got a podcast now, right?

Patrick Miller  45:49

Critical Assets podcast, when I get time. And there’s something interesting that I get with, like, if I’m having a conversation with some peers, and we start ranting, like, oh, okay, we should just turn this into a podcast and we end up- something happens like that. So it’s kind of it’s hit or miss in terms of timing, but it’s always fun with some, some interesting people.

Dale Peterson  46:07

And frequent speaker at events, frequent attendee at events, and also, I guess, just as a last thing, if, if someone wants to follow you or reach out to you, where’s the best place? Are you more active on X, on LinkedIn? Where- Where’s the best place to find you?

Patrick Miller  46:21

Probably LinkedIn and Mastodon, but I’m Patrick C. Miller on all the platforms, I have an account on all of them. So, you can find me pretty much anywhere attached as Patrick C. Miller.

Dale Peterson  46:31

Okay, great. Well, Patrick, thank you for being on the show, and I look forward to reading your blogs and learning more about what’s going on in Europe.

Patrick Miller  46:39

Awesome. Thank you so much, Dale. Appreciate it.