A Utility Got Hacked!

Well…Not Really…It was just a laptop…but it was CLOSE

Actually…that attempt was not even as bad as it has been in the past…

As it turns out, that was just sensationalism, BUT it did remind me of a story from when I worked for a major utility that had been hacked.  As it turns out, utilities get attacked almost constantly and the PLAN for overcoming attacks is to build the EXACT same system as a backup…

Right, so here is how THAT conversation went:

Me: “So…errr…if you build the EXACT same system won’t it just be hacked with the same attack?!?”

Mr. Utility Man: “Probably”

Me: “Ummm…doesn’t that sound like a bad plan?”

Mr. Utility Man: “Not my problem, my job is XYZ, not stupid security”

Guess what?  He was 100% correct.  He spent YEARS learning more about his specialty than I will ever know about my field and he was incredibly smart about HIS field and yet there he was, stuck building an exact duplicate of an existing system to fall back upon in case of a hack.  The best part was that the fallback for the PLAN is nothing – literally – blackouts, chaos, the Dark Ages.

Awesome Sauce.

I will never forget that conversation for two reasons – first, the incredible ineptitude that pervades our critical infrastructure when it comes to security.  The second was the unbelievable skill these same people showed in the SERVICE they provide when it came to energy.  In the first case, security, it was all product based – implement this static system, widget or stop-gap – but in the second it was a service based on tools.  Within their expertise, these same people – who a minute ago I contemplated beating with a sledgehammer – transformed into amazing engineers fluidly responding to an array of issues, working with their tools (physical and digital) to effortlessly resolve complex challenges that quickly fried my brain.

Whenever I see truly competent solutions in the world, the story is always the same – skilled people leveraging tools in a services-oriented approach.  Whenever I see ineffective, struggling or otherwise poor efforts, I always see a plethora of products and very little in terms of true expertise.  Do you know what I see when it comes to security?

LOTS and LOTS of products.

LOTS and LOTS of problems.

Hmmmm….I wonder if there is any connection?!?

Seriously, there needs to be a change of seismic, epic, titanic proportions – a move from used car salesmen pushing already-obsolete products to a services model.  Security is NOT static, it is always changing and solutions will ALWAYS CHANGE.  Customers need a service that takes on this challenge and responsibility, a provider that handles the issues, resolves the problems and gets security out of the way.

The idea that services (leveraging superior tools) will always be better than static products for rapidly changing situations is not rocket science (which is a service BTW)!