How Securing the Power Grid is like Teaching Middle Schoolers
1. Some people just won’t care what you have to say
And sometimes, the person who doesn’t care to listen is the most important person who should be listening. As a teacher, there were students who didn’t think they needed to be in school. I had an 8th-grader tell me, straight up, that he already knew everything he needed to know. He didn’t pay attention in class, didn’t do any work, and crucially, his parents didn’t think his lack of effort in school (failing every class, including PE) was a problem. The dad was a dropout who worked as a logger, and since “his life was fine,” his kid’s education wasn’t important. Despite a number of caring, hard-working teachers at that school, there could be no progress until the child’s (or possibly the parents’) attitude changed.
Similarly, securing our power grid is important. But unless there is buy-in from corporate leadership, any efforts a security professional makes will likely be insufficient, amounting to “band-aid” style fixes for problems.
2. Some people care too much
In teaching, these people are called “Helicopter Parents.” They are the ones who do their kid’s homework, believe that their child can do no wrong, and think that it’s their job as a parent to make sure their child is successful and doesn’t encounter any difficulties in life. I had one student whose mom was on the school board. He did very little work, and when the first report cards came out, he was failing the class. Mom didn’t like that. One teacher, who had taught at the school for over 30 years, said to just change the grade to a “D,” because it wasn’t worth the hassle to deal with the mother. He said he had done that several years prior with the student’s older brother, who Mom had also tried to “protect” in the same way. Another teacher told me that the same older brother was currently in jail on serious charges, after never having to deal with the consequences of his actions while growing up. By caring so much about short-term effects of something like a failing grade, the mom had set him up for failure in the long-term.
When it comes to the power grid, I think the people who care too much are those who think we can protect the electric system from 100% of the threats, 100% of the time. That’s just not a realistic goal, and it ignores the “Best Practices” of risk management planning. A similar problem case is those who think that their issue is the only important issue. For example, Senator xxxxxx from Texas had his “pet issue” of electromagnetic pulse weapons. Wearing blinders and expecting industry to follow his ideas leads to things like him saying that the electric industry’s actions in the area of EMP weapons should be considered treason. That kind of hyperbole actually hurts your cause, because it leads to industry discounting any legitimate concerns you have or points you do make.
3. Some people are doing really cool stuff with technology
Technology can make school more engaging for students. I’ve known students whose main reason for enjoying school was that they were able to be a part of a robotics club. And there are teachers who use technology in their classrooms every day to make school more engaging for students. Likewise, there are some cool projects and tools which can be used by industry to help make organizations more secure. A lot of them, like OpenNSM, are even open source projects which are developed by volunteers, and can be implemented at little to no cost.
4. Money Helps
There’s a reason thousands of teachers are using things like [find name of the crowd source site I used to use] to raise money for their classrooms. It requires money to provide the art supplies which can inspire some kids to be better students, or to provide experiences which make learning more fun and hands-on, like the awesome Outdoor School program in Oregon. In the same way, some security projects just can’t get done without spending some money. For example, the Cyber Threat Alliance is a great project being done by some large security vendors. It requires the vendors to be willing not only to question their business model, but also to be willing to give their employees the leeway to spend time on a project with no direct impact on their bottom line.
5. But, Money Isn’t Everything.
There are some schools doing great things with almost no money. They exist in the inner city and the rural world. And they are proof that things can be accomplished with hard work and commitment, even when the funds might not be there. Likewise, it doesn’t necessarily take money to improve a security program. Maybe somebody will give up an hour of lunch to give a short talk to employees about how to be safe online, or how to make their home wifi network secure. There are little things that can be done, which cost little or no money, which can have a large, cumulative effect on security.
6. It Takes Teamwork
Every great teacher I’ve known has given credit to other people. Whether it’s a principal who creates a great culture at a school, aides who have the patience and skills to work with the hardest students and assist the teacher, previous teachers who have helped cultivate a love of learning in the students, or parents who provide a home environment conducive to learning, there is always someone who has helped to make it possible to connect and have a productive relationship with students.
A security department, working by itself, will not be able to ensure an organization is adequately protected. They will need to work with executives and normal users, work with their vendors, and, yes, even work with their regulators in order to be as successful as possible.
7. Most Important: Dedication is What Leads to Success
There’s a tradition at the Cedar Ridge Outdoor School that (some) leaders will lick banana slugs. I did it when my group was doing a post-activity question/quiz time, in a game called “Stump the Leader.” I said that if my group could beat the leaders at the game, then I would lick a slug. After one of the leaders threw the game, I had to pay up on my bet. It’s the kind of stunt that makes learning and playing an educational game fun for the students. And I wasn’t alone in it, either, as three of us teachers or leaders licked the same slug (I lucked out and got the middle section; I felt sorry for the lady who got the tail).
Dedication will help make a team, department, organization, or industry successful. By being dedicated enough to teach others about security, you can help make your peers more secure in their computing habits. By having the dedication to chase down that alert you think might be a false positive, but you’re just not sure, you can find the evidence which allows an adversary to be discovered. By coming in at 3:00am because all hell has broken loose, you can help make things right. And, by being dedicated enough to your craft to be willing to learn, even on your own time (we all do it), you’re helping to build the capacity for your organization to respond to new challenges.
Note: This post is based on a 5-minute “Lightning Talk” I gave at the 2015 TCIPG Summer School. The Summer School is put on every other year, in the Chicago area, and I could not recommend it more. If you are a cybersecurity person wanting to learn more about the power grid, or an electrical/power engineer wanting to learn more about cybersecurity, then you should make a point of attending the next session. The grant money for “TCIPG” ran out earlier this year, but the organization is continuing under the Cyber Resilient Energy Delivery Consortium (CREDC) name.