Why we started RSTCON
TL;DR
- Offensive effects on critical industries are catastrophic
- Nation-states are now targeting critical industries with effects on the civilian populace
- Critical industries need to engage with cutting-edge research not because they can stop the attacks but to develop countermeasures
WHAT DO? Either develop in-house research reading and effect planning teams or engage with existing groups. Read below for information, suggestions, and personal enjoyment.
Article
Security as a field is a game of one-upmanship. The Monarch of cult classic The Venture Bros would say the offensive and defensive sides of the house have “been engaged in a deadly game of cat and also-cat for years” (The Venture Brothers, S1E3). The offensive and research-minded ilk have fundamental advantages. I personally enjoy these advantages and don’t generally feel like sharing; it would be giving away the game. Similar to The Monarch in “The Saphrax Protocol,” however, many of us have ethical limits. Compromise of critical industries, especially by the particularly pernicious nation-state actors that would target them, has the potential to severely impact the civilian populace supported by the targeted organization.
In the last three years, I have spent personal time exploring technologies within critical industries like manufacturing, logistics & transportation, power & energy, oil & gas, utilities, and beyond. I have seen the earnest and dogged efforts of the defensive security varietal as they seek to drag their organizations and industries, kicking and screaming, up to snuff with security practices. They have succeeded in raising the floor and can, in many cases, prevent or mitigate impacts from criminal enterprise.
Another step is needed; we have seen critical industries fall into the crosshairs of nation-state actors. Critical industries will not be able to stop these sophisticated and determined adversaries, but by being aware of what advanced research and high-level adversaries are examining, they can forecast and devise mitigation plans surrounding the failure of those systems. Whether enterprise-grade or cartoonishly simple, these plans must be informed. This means either building an internal program of engineers and scientists consuming papers from academic journals or engaging a forum of experts.