In this episode, Patrick Miller, Founder of Ampere Industrial Security, discusses what utilities and other industrial companies need to consider when it comes to the goldmines of data they're collecting from their machines and customers. He also explains why security and privacy needs to be incorporated in these operations by design.
Spotify: https://open.spotify.com/show/5UDKiGLlzxhiGnd6FtvEnm
Stitcher: https://www.stitcher.com/podcast/the-tripwire-cybersecurity-podcast
RSS: https://tripwire.libsyn.com/rss
YouTube: https://www.youtube.com/playlist?list=PLgTfY3TXF9YKE9pUKp57pGSTaapTLpvC3
Tim Erlin: On the latest Tripwire cybersecurity podcast, I had the opportunity to speak with Patrick Miller, who is the CEO of Ampere, Industrial Security and the founder of EnergySec. Patrick, how long have you been in the industry?
Patrick Miller: I have been in the industry for over 30 years. It has been so long that I have stopped counting anymore at this point.
TE: When we talk about IT security, as opposed to the industrial side of things, there certainly are some folks with experience that goes a bit beyond 20 years, but when you start getting past 20 years, you can start asking the question of whether there was really an industry to be a part of. With the industrial sector, though, a much longer tenure exists. Most interesting is the marriage between security and reliability, which creates a longer tail for the industrial side of things than the IT side.
PM: Yeah, I agree. It even goes back into the fact that the safety aspect has been around in the industrial side, and it was supported by security, so the industrial area has had to keep a security mindset for a considerable amount of time.
TE: Yeah. That's quite true. The conversation that I want to have today began with an earlier conversation that you and I were having about a historical pattern that occurred in the telecom industry. I would love to begin by setting the stage so that we can get on to the core of the conversation. Can you describe that pattern that we were talking about?
PM: Sure. Some of us remember back in the early days, the telecom industry was entirely different than we know it today. For example, we paid extra for a private line versus a party line, and features like call-waiting and caller ID cost extra, as well. The cost of a phone call was measured by the distance between the two phones, so what was then considered a long-distance call cost outrageous amounts. Today, a person can travel all across North America with a mobile phone with unlimited bandwidth and no long distance fees and no matter what country they are in.
But if you take inflation, it's roughly the same in terms of what it is for the percent of your income for your phone technology. It is not that the telecom companies suddenly became super-efficient or got really good at what they did, delivering all of these new services at roughly no additional costs. The reality is that they are making money in other ways. They are making the money by essentially harvesting lots of data. Some of it is customer data, and a lot of it is just general usage data patterns, and they're selling all of that data. Many have said that data is the new oil, and some have also said that data is the new toxic waste. I'm sure it's a little of both, but the fact is, it’s very evident that data is worth money. If it wasn't, then ransoms in ransomware attacks wouldn't be as big as they are to get your data back. So, the reality is that the telecom companies are getting additional income. They're supporting the revenue stream of providing a telecom service through selling the data that they generate by providing that service.
TE: Effectively, we're talking about a transformation in the telecom industry from generating revenue by selling services to consumers to bringing in a secondary, or perhaps a new primary, revenue stream of collecting, marketing, and selling the data of those consumers. It's a fascinating transition to think about.
PM: It's not like it happened overnight. They didn't flip a switch and start doing this. It was a low and slow growth. As consumers now, we don't really think about it. It's not something you think about when you use your phone for all the things that you do. You don't think about all of those little bits of data that you're leaving behind, that somebody else is picking up and selling. And the telecom companies didn't really need to ask for permission from anybody because it happened so slowly over time that there were little tiny bits of permission that were given away over such a long period of time that we ended up where we are now. But for somebody else, for example, to pick this market up, it would look very different because they don't have that history.
TE: The interesting part about this is not only the history of telecom and data selling, data marketing; it's where you see that pattern starting to repeat itself today. And that's what really caught my interest here. Where have you noticed this pattern showing up again?
PM: For other businesses that have similar business models where they provide some sort of service and provide a utility-like service, it makes sense to possibly do something similar to offset the revenue stream. So, no one wants to pay more for any of their electric bills, gas bills, or water bills. In order for the utilities to continue to provide service, and as the service, expectations, and dependencies grow in those services, they do need to raise rates. Do they need to make crazy amounts of profit? Of course not. That's where regulation sets in and keeps them in check. It's the revenue side where the change is going to happen.
TE: In the cybersecurity space, there's a perception that industrial cybersecurity is really challenged. It's really about trying to secure legacy technology that's been connected to a network that probably wasn't designed to be connected to the network. Some of this technology is very old, yet as consumers, we're asking these utilities to modernize. In some cases, they have to just to continue providing the service. But in many cases, we're pushing them to modernize, to deliver cleaner energy, and that modernization means that we're introducing new technologies into those environments, as well. It's not industrial cybersecurity; it’s also about securing legacy technologies. It's that mixture of the new that's coming in, as well. Isn't that right?
PM: Yeah, absolutely. And this is a completely separate challenge. In the industrial security space, you end up having to secure that refrigerator-sized Remote Terminal Unit (RTU), which is an old piece of equipment. At the same time, you have to secure the little bitty, tiny thing the size of an iPhone, which does the work of 20 or 30 of those other older units. The breadth of time and the span of technology that anyone in ICS security is dealing with right now is quite mind-blowing. And that's been a risk identified in multiple cases—maintaining the old with the new.
It's not like you can just go through and rip and replace all the old stuff. In some cases, that would mean taking what's called an unscheduled outage and translating that into a loss of power for a moment while you do these things. Nobody wants an outage.
These actions have to be done carefully and methodically over time. And as you introduce new technologies and take away old technologies, things don't always go the way they're planned. So it's just so painstaking and so slow, but it's intentionally slow. It's not like they're just slow and they're dragging their feet. While you're doing this transformation, your job is basically to maintain security for this incredible historical legacy of technology all the way up to tomorrow's brand new widget.
TE: The consumer can't expect a utility to deliver the same level of service while simultaneously implementing new technologies at the same cost, right? There are cost efficiencies to be gained, but it's not going to be a perfect flat line in terms of efficiency and cost. There are going to be costs that have to be passed along or paid for in some way. I want people to keep in mind the economic problem that's created by the desire for newer, better utilities and delivery of those services. That's the dynamic that we're talking about here. There's the data component, as well, but that also ties into the economic problem, which is also important.
PM: Yeah, and that's what's driving the look at that data. Traditionally, that data would be used for just managing the system, managing it more efficiently, getting better at your maintenance cycles, and having fewer and shorter outages. You can do greater event analysis and understand the root cause for why problems happened. All of that is still there. It's still going to happen, and it's going to happen in new and more creative ways. At the same time, they're sitting on a lot of raw data, and they need to figure out how to actually turn that into the goldmine.
As a utility, you're not designed to hold all that data. There are not many utilities that are prepared to take in all of the sensing data and all the telemetry that they're receiving from all the digital devices, so it is now being shipped off and stored in the cloud. There are new companies that are starting up, and their whole business model is to mine through that data for valuable information using artificial intelligence and machine learning along with tried and true methods—all in this mix to create information products that may be useful and maybe sold to other parties.
TE: Let's talk about who those first customers are. I think there's something there that resonates with me as a product manager. If I've put out a product and I have a customer who's collecting a whole bunch of data from that product, I want to know what it is. It's going to help me produce a better product down the road. I think that's a very natural response to have as a vendor.
PM: Yes. The best example I can give will go back to the electric utility. The transformers that sit on power poles last a long time. Sometimes they last 20 years. If one fails, you lose power for a while. What we're finding is that we now have enough data about how our system is operating where we can see why our transformers are failing faster in certain conditions and why they're living longer under other conditions. If I'm the transformer manufacturer, I can now get data about how my transformers are operating in the field, and I can make a better transformer to operate under varying conditions. And if I can make my product last an additional 30 years, I can charge that much more for it.
The utilities’ goal is safe, reliable power. The last thing they want is a transformer to fail. So they're going to buy that product because it's got a longer life, it's got a longer depreciation, and it'll yield better maintenance. They're going to have to attend to it a lot less, which is just less liability. All of that fits their business model. It's a win-win on both sides. The transformer manufacturer rarely gets to see the transformer data at all. Usually, they only receive failed transformers to repair without the accompanying data to show the environmental conditions that may have contributed to the failure. So, that's just one example of taking some of that useful operational data that's sitting in your repository, mining it, and selling that information back to the transformer manufacturers.
TE: That's a pretty innocuous example, and it makes perfect sense. When we extend that model, when we start thinking about the other industrial systems that might produce sensing data, that's where I think it starts getting interesting. The transformer doesn't have any personally identifiable data certainly, and it's really an aggregate for whatever area it's serving,
PM: Right. It's not customer data. It makes everyone uncomfortable when we start talking about customer data. But, telecom has been doing this for years, and it's at least some achievable corollary model that will work in a similar fashion for other industries. All they have to do is go to whatever legislative body they're trying to convince and say, “Telecom's doing it.” Then, it becomes a different discussion.
TE: They don't have to do that until it becomes a problem, either, because at this point, nobody would look twice at that existing scenario of the transformer data. Is there concern to be generated? At what point does it become a practice that, as a consumer, we should be concerned about?
PM: Yeah, it's definitely concerning. It’s something that has to be done carefully, and I think there's a way to do it that allows for privacy. What I don't want is for a company to start down this path and then try to reverse engineer privacy onto the model that they've already chosen. That would certainly be frustrating and less than successful. There are ways to get aggregate data from areas versus individual homes or individual meters.
TE: That example of the meter is excellent because the meter data can be narrowed down to a particular property—probably a house. That kind of thing.
PM: Right, and if we could look at this more or less as an aggregation, if we can aggregate enough and obfuscate enough to get enough assurance that it's going to be anonymous, then we can probably get to a place where we can start looking at using that as a revenue stream. I don't have all the answers, and that's part of what my call to the industry is. Let's figure this out, come up with some interesting ideas, and suggest them before they just start barreling down this path when someone smells the money at the other end of the trail.
TE: As you pointed out, there's a strong tradition of adding privacy after the fact, and we all know it's not the best path to take. When you think about where the technology is progressing, what are the kinds of data that is most interesting and most concerning that may be coming to market in the next five years?
PM: We're getting finer and finer degrees of discrimination in sensing our environment. The goal is to be able to understand your equipment and flow control. The better you can become at understanding, managing, and seeing where there are problems with the flow as well as being able to fix those problems in ways that are faster and that don't require human operation, the less your liability. The biggest liability for most of these organizations is having to get a human involved in the process, so the more they can automate that, the better things get. The type of data that I see us getting to in the near future a lot more is a self-healing mechanism—a system that understands itself well enough to be able to take some automatic actions to a certain degree.
Obviously, you don't want to automate everything since you can automate a catastrophe, but to a certain degree and for under certain conditions, it will self-heal.
TE: I can't help thinking about how valuable that kind of change in the technology can be in the face of climate change. The ability for utilities to actually adapt to the environment is becoming more and more important. So far, I see all positives,
PM: Yeah. The negative side is the human behavior aspect. Many would argue that we're in a surveillance state as it is. We're already using all kinds of different technologies to try to triangulate more data about what humans do or don't do in unique and creative ways. Some of these developments are great, and some of them have some very obviously terrible and horrifying downsides. As we get deeper into the ability to monitor everything so that you can look at the water, the gas, the power, and everything else that's happening at someone's location, you can pretty much map a very clear picture of a person's day-to-day activities. That becomes frightening to most people, so before we head down that path with yet another industry, that's where I think we need to be able to get them to tap the brakes. The challenges for myself and my industrial security peers is that we are going to have to basically pick up speed, and we're going to have to catch up with where the industry is going right now with their desires and their expectations. And we're going to have to sync up alongside with them and work to put some privacy under these things before you start moving down this road too fast.
TE: Yeah. If you take the alternate path of not building privacy in to start with, eventually you're going to run into the legislative requirement to add privacy after the fact, which is usually more expensive and not as effective.
PM: Yes. And if we can get some norms around this early on, we'll be, better off. I look at things like facial recognition, and we're already using it in places where it is causing entire states to basically ban it. Yet, at the same time, the federal government is using it deeper in certain areas, and certain states are using it for unique and creative surveillance techniques. So we ended up with this kind of patchwork and hodgepodge of where it's frightening and where it's not frightening. Those initial norm-setting behaviors or protocols and practices that we start out with can deter some of more deleterious intentions. But right now, it won’t happen until we get enough people to step in and demand that we get some of these things built-in now.
TE: Yeah, and I hope that you and I are both in a position in five years to come back and have the same conversation about how successful the industry was at building privacy in to start with.
PM: Right. An ideal outcome is to have privacy and security. We started this conversation around trying to secure that breadth of historical technology, not only from the industrial security perspective but also from the enterprise security side. This gets different now that we're shifting all this data off to some cloud instance, and we have to think about what it looks like in terms of where those information products go for information classification and the handling of that data. That's something that a lot of these companies are not experts at. So this is a new field for them that is tangentially tied to industrial control systems security but not really. Because of that security gap, their security landscape and attack surface is now just going to explode, as well.
TE: Patrick, I want to thank you for the time. I think it's a super interesting conversation. I don't think we explored all of the possible angles here, as is usually the case. But it definitely interesting to hear your thoughts, and I truly appreciate the time you spent discussing these important topics.
PM: Thanks for having me.
