We’ve had some great debates on the S4 stage. One of my favorites was a debate I had with Eric Byres entitled “Is Eric Byres a SCADA Apologist or a SCADA Realist?”

The key to a good debate is to find an issue where a 10% – 25% minority of the audience has a strong opinion on each side of the issue and the middle is trying to sort it out.

We’ve identified two great debate topics with solid first drafts of the Resolved statements. Now we are on the hunt for debaters and polishing the statements.

Debate 1: CRA’s Effectiveness At Improving OT Cyber Security

Resolved: In 3 years CRA will have significantly increased the OT security posture and reduced OT cyber risk in the EU countries.

I’m looking forward to this as I’m so far away from Europe that I have little insight into this. What CRA is and what it requires is coming into view. What is less clear is what impact it will have on the OT security posture and related cyber risk.

We likely will have to tweak this statement some, and I wonder if 3 years is too aggressive. Still, if CRA is going to cause all this expense and impact for the vendors, shouldn’t it have some significant impact in 3 years?

We could have a retrospective debate on this with NERC CIP. Few would have said it significantly increased security posture in its first three years, but many would say it has over a decade later. I’d challenge this with “as compared to if NERC CIP hadn’t existed?”

Debate 2: Human In The Loop

Resolved: In the next 1 – 3 years AI will perform operational and management actions, without human approval, that could result in medium consequence incidents if incorrect.

This would have been a hard no three years ago. What will the answer be three years from now? And will it be a data-driven or emotional decision?

I look at the self-driving car issue. The statistics are clear that self-driving cars are safer than human drivers. However, most people don’t trust self-driving car safety. This belief is stoked by accidents caused by self-driving cars getting heavy media attention while human-caused accidents are shrugged off.

The self-driving car example involves the mass population. Will executives and engineers at asset owners take a more data-driven approach? If so, what data would be required to accept no human in the loop?


In the early days of S4, 2007 – 2013, when we were in the 60-seat case study rooms, the debates were more interactive and great fun. We had one person speak on each side of the issue for 5 minutes and then opened it up and had a free-for-all discussion in the room. Sample debate topics included “should AV / other automated prevention be used in OT” and “should OT vulnerabilities be publicly disclosed” (something still debated by some).

The latter was in 2012 when we released our Project Basecamp vulnerabilities with Metasploit modules. I remember handing the microphone to a man from Siemens who said if a disclosed vulnerability resulted in death then the discloser (me) should be sent to prison. Very lively.

While we can’t do something like this with 1,100 attendees, we are going to try to replicate a group discussion in the S4x26 Birds of a Feather sessions for the manufacturing, electric, and oil & gas sectors.