S4x23 Trip Report
This year, the S4 event hosted by Dale Peterson (DigitalBond) was bigger than ever. New venue, new content, new challenges, new theme, and a new feel. Here’s a report of my experience with some bad, some good and some great things that happened…
Note that this isn’t a comprehensive conference debrief, just my opinions on some of the things that I saw. There was so much going on that I doubt any single person could see it all. If I left your favorite thing out please hit me through any of the e-methods and fill me in. I’d love to hear about it.
Let’s start with the bad stuff and get that over with…
Small utilities, small companies: too bad for you?
The second day main stage keynote was from a CEO of a very large investor-owned utility. His general message was that we’re doing ok, but we need to do better. To do better, we will need to spend more. Spending more requires rate increases and ultimately the customer will pay for the necessary security enhancements to face tomorrow’s threats. When asked, “what about those companies that can’t afford it (i.e., can’t increase their rates to customers)?” The message I got from his response was, too bad for you, and you might just need to be bought by the bigger entities. It left me feeling that our only path (in his opinion) is to do/buy more of the same and hope for a better result.
This was contrasted on the Unsolicited Response stage by Carter Manucy, Cybersecurity Director for a municipal utility group representing multiple small entities in Florida for the past 27 years. His message was a sincere thanks and support for everyone who is helping the smaller, underfunded segments. He praised those who create new security solutions for reasons other than profit. I echo Carter’s position on this, but I wanted to add a slightly different angle. Security should also be designed in such a way that it is easy enough for all to use. This goes for hardware and software. Complexity that requires 20 different security tools and a small army of professionals (or big outsourcing contract) to manage is untenable in the long run. This needs to change, and I am hopeful that we can simplify and streamline so we don’t leave the small to medium sized industrial businesses below the cybersecurity poverty line.
Looking for more leadership from DOE
I was underwhelmed by DOE’s message. I had high expectations that they would come with a showcase of great things that only they can do. Few government bodies have their incredible level of funding coupled with mind-blowing talent (e.g., National Labs). Instead, when Dale asked about successes, most of them sounded like things we have already done or even things that directly compete with private industry or other government departments. When asked about what they learned from their failures (or challenges), I didn’t get a sense that they felt they had any lessons learned or any failures. The conversation felt like Teflon, to be honest.
Don’t get me wrong. I really like many of the things DOE does. I have many friends in the department as well as in most of the National Labs. But I also expect them to solve the really hard problems - the kind of stuff private companies aren’t able to because they just can't afford to try and fail without going out of business. This is a good thing, and we should support DOE for experimenting, but we should also hold them accountable when they are not learning and adapting as part of the process and when it’s time to enhance/contribute to the existing wheel vs. make a new one.
Missing info on cyber insurance
Cyber insurance is such an issue right now that we needed better talks and maybe a panel. Some industrial organizations can't get cyber insurance. Those that can get it, don't want to pay for it because they don’t trust whether there will be a payout. It's very expensive. Everyone is confused. The insurance companies are seriously considering whether or not they will be offering cyber insurance. We should be having the hard conversations at places like S4 to get everyone at the table – or at least everyone’s perspective out in the open. All we got was a lesson on “what is cyber insurance?” which is too pedestrian for this audience. This isn’t a strike against the presenter, but rather a wish that Dale had taken the cyber insurance pulse a little more realistically.
Ok… enough of the bad stuff. Just some of the many good ideas…
Metrics are hard
Dale asked about metrics throughout the conference. He even had a “game show” about it. What I got out of it all, is no one had a good answer. You could even see people visibly squirm when responding to questions about metrics. This isn’t to say that all the metrics discussions were bad. Some were ok. But they weren’t great metrics discussions. They felt like “starter” issues. At this stage in ICS/OT cybersecurity, we should have better metrics. Who is doing this well and why don’t we know about it?
Dale is pretty good at seeing the next big thing. He saw the anomaly detection space, and SBOM. I hope the next one will be metrics. We need it, executive leadership needs it, the regulators and legislators need it, and cyber insurance needs it. I’m glad it was a topic and I think we need more of it.
SBOB, SBOB, you're my SBOB
I liked the concept of the SBOB in addition to SBOM. SBOB is Software Bill of Behaviors. What this tells me is that SBOM is gaining maturity and growing branches. I support ideas like this because it helps us get our arms around the growing software vulnerability proliferation with some degree of visibility. Most importantly, it shouldn’t just be an after-the-fact kind of visibility, but something that comes with the software from release.
There were times we didn’t know what was in our food, medicines, and other products. I see this as something similar to the allergens/intolerances addition to the ingredients list (SBOM). VEX (Vulnerability Exploitability eXchange) and even CSAF (Common Security Advisory Framework) are also additions that can be useful to those who are interested. Are these for everyone? No. But for those that want to know, these tools are giving us visibility and granularity in risk management and tactical response (e.g. Now, Next, Never patching model) that we’ve never seen before.
SBOM goes prime time
Dale has been investigating and reporting on SBOM for a while now. The space is now at a maturity point where it can be evaluated across the suite of different offerings with some level of comparability. Most of the SBOM players in the industrial segment were there, and they had a dedicated room to represent all-things-SBOM in the SBOM Pavilion.
The only reason this didn’t get put in the “great” section was that the SBOM Challenge was challenging in more ways than one. Like a previous Challenge at S4, this one was burdened with picking a winner. Even though that wasn’t the stated goal, it was still (unfortunately) the expectation and perception of those watching (and some participating). From what I gathered, they were all proven to be solid products that did what they say they will do, albeit a little differently for each. This isn’t a bad outcome. It proves that they’re “there” from a product maturity standpoint and we can rely on them to do the job we need them to do.
These are good things, but what were some of the special gems that stood out to me about S4x23?
Talks from the heart
There were many talks that were sincere, but there were a couple of very genuine talks that got my attention. I’ll start with the talk from Dave Batz. He opened with a personal story of some severe health challenges for people close to him and moved into a discussion on how we should “put our mask on first.” This is taken from the airplane safety announcement about the overhead oxygen masks, with the idea being that it’s more difficult to help anyone if you haven’t helped yourself first. In ICS/OT security, we are often characterized as passionate, dedicated, workaholic even. If we don’t do our jobs well, very bad things may happen to important stuff. This can lead to burnout and both physical and mental health issues. It was a sobering and necessary reminder that we can’t forget about self-care.
The next one was from Andy Bochman. His talk was on the intersection between industrial cybersecurity and climate change. There was the expected/obligatory Venn diagram, but it was so much more than that. The general message wasn’t the usual “you should be doing more” but rather how doing things slightly differently can have positive impacts in both directions. It was also delivered in a way that was so genuine, so direct, so sincere. I didn't understand these intersections before – how these seemingly different things could benefit each other – but I came away with a very clear understanding and a renewed motivation to assist both at the same time.
New people will save industrial cybersecurity
This year, S4 was capped at 1100 people, over 1/3 more attendees than last year. This is a significant increase, especially for ICS security. But the real surprise to me (more than the number of people attending) came when I was on the main stage presenting the BEER-ISAC Community Builder Award at the end of the conference. I asked all the first timers to raise their hand. It looked as though just under half of the audience had a hand in the air. Granted, it is an unscientific observation, but this is big. So big that I am more optimistic than ever.
One of the key reasons for my increased optimism about our future workforce in ICS/OT security was the number of younger people. I’m in my mid-50s, so when I say younger, I mean people in their 20s and 30s. My hope is that they will stay with us, get involved, and bring new ideas to our community. I see my replacements and I love it. I call on all the old-timers to be selfless and encouraging mentors to everyone.
Industrial cybersecurity needs us all
We don't have a lot of women in our field. It’s a terrible fact and it needs to change. It needs to change to a point where it’s just normal to have everyone at the event – women, men, all people from all places. This is critical for our advancement because we need all ideas and perspectives to find the best path forward. We haven’t solved all the problems yet, which means we need diversity in thinking. This comes with diversity of people, not just [ostensible] diversity of thought by the same people. It’s getting better but we still have a long way to go to be able to look around the room and see a balance of representation for everyone, without a demographic label.
That’s a wrap for S4x23. Still one of my favorite events of the year, and I highly recommend it. I know I didn’t touch on so many of the things I could have, but we only have so much time…
Roll credits
Massive thanks to Dale. Without him, this wouldn’t be possible. Dale’s unique approach to this conference is what makes it S4. Dale’s content curation, event message/theme management and very high production quality is unmatched by any other. It’s has become the “must-attend” event in ICS security. Some additional points worthy of appreciation: Women in ICS, Worthy Causes, CTF, SBOM pavilion/challenge, cabana sessions, and the always-awesome botanical garden reception.
Thanks to Liz Daley, her whole family, and the rest of the production team. They are the magic behind the scenes that make S4 feel seamless and perfect in its execution.
Thanks to the Worthy Causes: the ICS Village, Women in ICS Security, Control System Cyber Security Association International (CS)2AI, Industrial Control Systems Advisory Project ICS[AP], Common Weakness Enumeration CWE, and Rural Technology Fund were definitely worthy of getting a showcase at S4. More eyes on these great programs will help them reach more people in our field (and hopefully from outside our field as well). Check them out and see how you can get involved in your community through their efforts.
Lastly, the biggest thank you goes to everyone who attended. Our field needs you - all of you. We need you motivated, informed and connected to your peers. This event is one of the best ways to get all of those in one spot at one time.
I hope to see everyone again next year. If I didn’t get a chance to meet you, find me at the next event. I truly want to know all of you.
