From S4 to LEVEL ZER0 with a stop for BEER along the way

This past week I attended the first Level Zero conference at the Georgia Tech Convention Center in Atlanta, Georgia. It was convenient for me to have this kind of gathering in my back yard, but what I couldn’t get over was how fun it was to be among the brightest leading minds of the control systems security space - globally recognized names, long experienced pros, up-and-coming emergent talent, and bright-eyed newcomers all sharing perspectives, insights, questions, and grooving out on being among “our people.”

The conference is the brainchild of Derek Harp of (CS)²AI - the Control Systems Cyber Security Association International, and while they have not published official numbers, I would guess there were a few hundred people in person with more attending virtually - an excellent showing for a first-year conference focused on control systems security.

A handful of Level Zero attendees had also been with me at the first SCADA Security Scientific Symposium, a.k.a. the ”S4” conference hosted by Dale Peterson and Digital Bond in 2007. The attendance for that conference was somewhere around two dozen total, and I found myself reflecting on the differences in approach and how our community has grown in the time since.

From the beginning, Dale set out to build a curated, high-end conference focused on bleeding-edge research. This is not an attempt to speak for Dale - this statement comes as much or more from publicly stated marketing material as it does from conversations I’ve had with him. He created a brand to draw the brightest minds the world had to offer in control systems security and showcased research that played an outsized role in shaping the space into what it is today.

Over the years Dale turned S4 into quite the spectacle, complete with acrobats twirling around elevated hoops over a pool, mind-stretching research redefining the boundaries of our technical space, s’mores cooked over a flaming Death Star sculpture, and an array of other sensational curiosities for its attendees now numbering well into the 4 digits. But even more than the impressive growth or the wealth of knowledge I’ve gained from going, what I found most compelling was the community that formed along the way.

Much like many other conferences, S4 had informal and unofficial after-parties. The particulars of the conference hotel configuration prompted the biggest and most central of S4 post-session parties to organically form in an unattended outdoor bar area. Circles of new and old friends would gather, make connections, and extend the greater network over adult beverages, cigars, and whatever else made for a laid-back, good-natured party with vintage South Beach hotel music playing in the background at the pool.

Good times.

The format of S4 had enabled something different, though. Because it was focused on control systems security, it brought together multiple industries - a lot of them being critical infrastructure: electric power, water, healthcare, transportation, oil& gas, etc. People from industries that otherwise never would have had much prompt to find or meet one another found commonality. We were purpose-driven.This was not just a random group of people in sales. We were the sysadmins of the technology underpinning modern society - the under-appreciated defenders of everything the developed world takes for granted.

We saw each other for who we were.

Without even thinking about it, we all put this informal networking to productive use. When we heard about something that might be of interest or assistance to a friend, we reached out to them. We bridged management structures. We bridged industries. We bridged societies. We knew who needed to know stuff, and if we didn’t, our extended network knew. This wasn’t a conscious group decision or any kind of agreement. It just happened. It was as natural and imperative to us as breathing. Information found where it needed to go.

In contrast, companies, governments, institutions, and other formal organizations all have deliberately formed communication channels complete with rules, protocols, and management expectations. Information sharing within these orgs also happens informally, but it is generally incidental and less essential than the channels that are officially sanctioned. If informally-shared content becomes essential or valuable, most organizations formalize distribution of the information.

When entire industries realize they have common interests and can benefit from sharing information, they formalize those channels as well. In the US, these are called Information Sharing and Analysis Centers, or ISACs. Some are more active and effective than others, but there are individual ISACs for most of the industries in critical infrastructure.

Going up one more level, one might assume bridging information across industries to be the role of government. And the US government does have functions serving this purpose. But even my close govvy friends would tell you government can struggle at efficiency and speed.

So, our informal network of like-minded souls had found yet another purpose: helping each other serve our individual purposes by quickly and effectively sharing essential information. We were a grass-roots, undesignated, yet astoundingly effective ISAC of sorts.

In 2016 we got a name.

At that year’s S4 conference, Dale asked Patrick Miller to speak about information sharing. And in retrospect it is easy to see all the energy in the clouds converging from different directions. Patrick had started and run some information-sharing forums before and was a natural hyper-connector. He had been deeply involved in the only set of cybersecurity regulations in our space, and they applied to the sector that had the biggest presence - the electric power sector - he knew a LOT of people. And he had turned himself into a self-admitted bot, aggregating and redistributing industrial control systems security news to whoever wanted to subscribe. Dale also knew that controversy was effective marketing, and was never shy about inviting fun stuff on stage.

Every Patrick presentation I’ve seen has been entertaining, and this was no different. He roasted himself right along with the rest of us for all the failings of our formal info-sharing forums, and there were plenty. And in a spur-of-the-moment, on-stage joke, he said the most effective mechanism of sharing information he’d seen was at the bar, so we might as well call it BEER-ISAC.

Lightning struck, the seas parted, the planets aligned, and BEER-ISAC had a Twitter handle and a Slack channel before Patrick got off stage.

Since then, BEER-ISAC has taken on a life of its own, which is worthy of a whole other article. But the relevant bit is that it has become a group of control systems security leaders who have demonstrated commitment to the growth, education, and betterment of the broader community of practitioners.

This ethos is precisely what I found at Level Zero.

From the “OG” speakers and attendees all the way down to the Georgia Tech students checking out some new niche, we all geeked out on the vibe. Everyone had ready access to an unparalleled depth and breadth of knowledge and experience without pretense. Been doing this for decades? Sweet! What would you like to add, and oh, do you know this person over here? … First time learning what ICS does? Awesome! Here’s some ideas for getting started, and where would you like to go next?

Both Derek and Dale should be commended for orchestrating great conference experiences. I attended and spoke at more small conferences than I could count back in the smart grid security days, and have a definite appreciation for the crazy list of things that can cause significant distraction or just flat-out go wrong - especially the first time you try to run a show. Both conferences are notable in my memory for the complete absence of any weirdness. It takes an enormous amount of discipline and effort to pull that off.

And mad props to Patrick for being the community superconductor, along with many other prominent BEER-ISAC leaders in figuring out how to channel the best of everyone’s energy into consistent welcoming growth through gentle nudges at just the right time and place. It takes wisdom to understand how a herd of cats might hiss at a heavy hand but be drawn to the occasional light touch.

I am grateful to have witnessed the emergence of the control systems security community as it lives today. None of us own it alone - not Dale, not Derek, not Patrick …Instead, every practitioner out there collectively owns it together. And that is precisely what should give us optimism for the future.