Disconnect: Defunding EnergySec/NESCO & Promoting Info Sharing

EnergySec experienced an unhappy holiday season last December as a significant number of its employees were let go, reduced their hours, deferred pay or shifted to unpaid volunteer status. These were people at all levels of the organization, from the CEO, who included himself on the list, on down. Basically this unique, ground-up information sharing organization serving the electric sector had its legs cut out. The reason: they lost the government funding that kept a large part of the team working.

This is ironic and nonsensical given the US Government’s focus on improved information sharing as a key to making progress on critical infrastructure ICS security.

A bit of background …

EnergySec is one of the oldest, if not the oldest, ICS security information sharing organization. It began as an informal group of people in the Pacific Northwest electric sector sharing information between friends. After a few years they began putting on an annual conference that was known for bringing in the highest percentage of owner/operator attendees outside of a user group. Still the work was done by a team of volunteers with minimal structure.

What made and makes EnergySec unique as compared to other information sharing organizations is the utility members provide most of the information that is shared and drive the organization. The growth was organic, built on trust. It was not something you were obligated to join; it was something that many chose to join and share information with. It was bottom-up, not top-down.

In 2010, the Department of Energy (DoE) took action required by Congress to create a private sector information sharing organization in the electric sector, and to provide funding to help make it happen. EnergySec was one of two winners. It transitioned from a volunteer effort to a 501(c)(3) non-profit with funding and employees. In fact they built quite an impressive team that you’ve probably seen at ICS security events. The Department of Energy funded effort in EnergySec was called NESCO. Since NESCO was EnergySec’s major funding source, EnergySec really became NESCO.

One of the challenges of the DoE funding was the cost share. This is actually common with DoE funding, and I think a good idea. If industry is not willing to support a project, then perhaps it is not worth government funding. The NESCO/EnergySec cost share requirement started small and increased over a three- to four-year period, after which NESCO was supposed to be self-sustaining with industry funding.

NESCO had more than 20 projects with industry-committed cost share funding denied by DoE. I haven’t seen the list of projects, and perhaps DoE was correct in denying many of these. However, it seems unfair for DoE to both require an industry cost share and then deny NESCO projects that industry finds worth funding.

Which brings us to last December, an unhappy time for EnergySec. They were behind on the cost share part of the funding, which allowed or forced (I’m not sure which) the DoE to stop their share of funding until the cost share was met. Funding may resume this summer, in a large part due to the volunteer labor being considered cost share, but the damage is done.

EnergySec experienced a common business challenge of relying so much on one big customer. They did not have enough alternate customers or reserves to continue to meet the current payroll when the big customer pulled their business. They would be foolish to make this mistake again. The cost share will become more onerous, the projects that can generate the most cost share are not supported by the customer, and the customer/partner has proven unreliable. Even if the DoE funding resumes, smart business dictates that NESCO can’t be considered a priority for EnergySec.

Loyal readers will know I believe info sharing is a small side issue until we get basic security controls in place. But the US Government believes info sharing is a key and high priority component of securing ICS. It is incongruous that the Executive Order and most proposed legislation would focus on information sharing, and the USG would simultaneously not find a funding mechanism for EnergySec/NESCO. Any funding required to keep the NESCO team and effort going would have been small money compared to what will be spent standing up another effort.

EnergySec/NESCO probably made numerous mistakes over the last three years, and they may need some new strategies and tactics to meet the US Government’s goals. However if information sharing is important, the US Government had a good team and an information sharing organization with a large volunteer membership in what most would say is the most important critical infrastructure sector. How do you walk away from that if information sharing is important?

—–

EnergySec has put a brave face on this problem and released a video yesterday with the CEO handover from Patrick Miller to Stephen Parker. They assert that the TAC and other programs are self-sustaining, if smaller. Many a small business, including Digital Bond, has had these business downturn issues. Sometimes they even lead to better and smarter business. Losing your job at Christmastime is unpleasant, but the ICS security business is booming and that talent will find a lot of opportunity.

Full Disclosure – Digital Bond has received DoE research funding in the past. They have funded Bandolier Security Audit Files and other research tools that have been integrated into multiple security products. Our experience with DoE has been fantastic, and their research dollars have resulted in our technology being used to audit the security of ICS prior to deployment. A case can be made that DoE tying research funding to Roadmap Goals has provided the best ROI of research funding in ICSsec area.


1 comment to Disconnect: Defunding EnergySec/NESCO & Promoting Info Sharing

  • meh

    It seems DOE didn’t really do their homework for this effort overall. The initial split of the DOE funding between EPRI and NESCO just didn’t make sense. Can someone even tell me what EPRI is doing or has done? Someone? More paper? Crickets?

    From my perspective, DOE immediately realized their poor decision and began to backtrack and withhold support for the NESCO effort, in effect, leading to this ending. The Energy sector, and the Electric sector certainly have some overlapping efforts and priorities. There is an Electric Sector ISAC, funded by utilities (I don’t think the funding is voluntary), and there is EnergySec/NESCO. Did we need the two organizations? Maybe, maybe not. Could it have been coordinated better? Probably. Then tie in ICS-CERT. Again, very similar operating spaces and missions. Really? 3 organizations that are that similar? Since no one owns all of those particular spaces (sectors), I guess we couldn’t expect common sense to prevail and ensure that the 3 organizations had distinct missions. Yes, I saw something at one point that tried to lay out differences, but in the end, there were just too many commonalities. So much so, that many of the folks in industry that I spoke with said, where do we go? ES-ISAC? EnergySec? ICS-CERT? There is still a lot of confusion around this.

    Yes, ICS-CERT for vuln coordination. ES-ISAC for sector specific threats or events. EnergySec to share information with peers. ICS-CERT, well, they want everything from owner/operators and the other orgs. All 3 of the orgs reach out directly to the owner/operators. Hello….it’s too much! Most organizations don’t have teams dedicated to information sharing, so hearing many similar messages from 3 different orgs makes it even tougher. Now they have to aggregate/correlate and filter the messaging, and duplicate what they send out.

    Some of this goes back to the need for an ICS-CERT. Ok, we already have a CERT. They can, and did, do their job of handling ICS vulns. We can get sector specific information from ES-ISAC (assuming the electric sector). The grassroots effort of EnergySec? It sounded like it filled a hole to start with. Now information is flying everywhere. If NERC didn’t operate ES-ISAC (yes, I know about the paper firewall), it’s doubtful EnergySec/NESCO would have even gotten off the ground (save the fact that it’s Energy vs. Electric). The hesitation to share information with the ES-ISAC has hurt them, and probably still does.

    I also get the feeling that some of the above orgs are touting their success a little too much, to the detriment of the industry. ICS-CERT has no intention of giving up some of its space to an EnergySec, because it’s been successful for ICS-CERT. And believe me, that success is huge for a generally failing DHS cyber effort. Same for ES-ISAC. It is now claiming some successes. You think they want to give up any of that to an EnergySec? In the end, I think some egos are getting in the way of moving the sectors forward, instead, building empires to the detriment of industry.
