
Critical Infrastructure: The Cloud loves me, The Cloud loves me not

BSidesSF · 2015 · 1:01:32 · 19 views · Published 2023-12
About this talk
Critical Infrastructure: The Cloud loves me, The Cloud loves me not. Bryan Owen. Interdependencies between public cloud services and critical infrastructure are both hard and soft. Will this cross-domain technology flirtation lead to long-term relationships or fatal attractions? We examine case studies supporting both scenarios and their complex conundrums – if everything is critical, perhaps nothing is critical? How much security is enough security? https://bsidessf2015.sched.com/event/2t1a/critical-infrastructure-the-cloud-loves-me-the-cloud-loves-me-not

move this thanks Kevin um I'm Bryan my co-presenter today is Mike Jarvis we're both from OSIsoft and I want to first thank you for you know a nice spring day in the basement I know you could uh be upstairs and looking out the windows and stuff but uh here we're going to talk about critical infrastructure the cloud loves me the cloud Loves Me Not and uh way I'd like to open the talk a little bit is first to say critical infrastructure means a lot of things to a lot of different people and uh for the government for instance I forget it's uh over a dozen critical sectors uh they've identified to me banking isn't all that

critical I mean yeah I like to be able to get to my money when I need it but no one's going to die if I don't get to my bank account so that's kind of what we're focused on in our talk is we're taking critical maybe a little bit narrower than us than the government does we're we're talking about things like things that can cause fatalities or cause the lights to go out things that people really really depend on for uh for their daily lives um and the way we've organized the talk is into uh really three scenarios and and honestly we didn't expect this many people this morning so I said oh let's try to spice it up so we we're

going to have a debate kind of style and uh Mike Mike's job isn't uh his day job isn't security his job actually is to build a cloud product uh that our company makes and he's actually going to have to argue against it so it should be really fun when he does that um but we're going to take turns on on that so the person uh arguing uh against Cloud a real really in favor of status quo is going to wear the safety vest right he's he's like he's like whoa I'm not sure about this Cloud stuff uh maybe we shouldn't slow down and and take some time at that and uh and the other person will will argue the other

side and so that's how how we've got things structured for you this morning um and I'll I will do the obligatory uh company introduction slide here so who the heck is OSIsoft um we're a company over the East Bay about 1100 employees and one of the reasons I wanted to be at BSides a security manager is to engage this community we do serve critical infrastructure sectors that's what we're all about we've been in business for 35 years we're heavily reg recruiting so that's my pitch my security team needs you um and on this Cloud stuff there's there's no there's no one answer is the right answer what you'll find is that we're very much uh uh it's it's very

situational so um the way we're going to score the debate is uh whoever says the word cloud too many times loses so Kelly is going to help us keep track of that but help her keep track of us so if one of us uses the word cloud be sure it gets uh marked up there um and uh and with that uh yeah the critical infrastructure factors that we deal in power oil and gas chemicals metals mining pulp paper Pharma even your data centers are on there so these are the things that uh something goes wrong in power that's self-explanatory but uh in Pharma that's one of our scenarios you're going to notice that's kind of

important right so uh let's uh with no further ado I will don the safety jacket first you can hang on that

all right to to get us warmed up um I'll introduce scenario one scenario one is our natural gas system right and and to kind of get people warmed up and into it um um I'll I'll introduce the the system at the top you can't read that font sorry so so at the top of the natural gas system this font's super small so just call it out we got the producing Wells right the gas comes out of the ground somewhere and has to get cleaned up because it's got a lot of sulfur uh gas in it that would erode pipes and stuff then it gets compressed so it can be transmitted through the pipelines and uh goes to things like power plants

right so here you got one critical infrastructure sector feeding uh to another and then uh uh you know that there's these lines are all over the place right the geography is is immense we got pipelines from Canada all the way down to the US and uh it's it's geographically really hard to secure so uh then there's storage which is a cool thing electricity can't store very well but the equivalent of a dam for um natural gas is underground storage this is like a Salt Cave that's been uh um uh salt Dome I should say under the Earth or other kind of uh fissures in the earth that they have figured out you can use as a storage tank if you will and then

um then there's the distribution system that we're familiar with for commercial industry for uh consumers a lot of uh lot of uh places in the country do use gas uh right at the residential level even so uh the it's immense right a large large amount of our nation depends on the natural gas system uh did I miss any of the big things here physically remote that's a tough one and uh this uh this issue where the industry is not only does it Supply fuel but it consumes electricity right so you got this symbiotic relationship so we'll get into that in the scenario here uh all right next slide so to do this we uh try to get you going

here with some uh memes and uh for the natural gas system um you know if if you're a Die Hard fan there was the arch villain there Thomas Gabriel that the line I liked was uh you know Bruce Willis had really pissed him off right and CU he just killed his girlfriend or something and uh he said ah you know how can we take him out how much gas should I send to the power plant send it all you know so now that's that's a contrived scenario right how can it's you know artistic uh Liberties were taken there to send all the gas to one station uh isn't really all that feasible but anyway it was it was a

movie but if someone could get in to the SCADA control system and send the signals to control valves uh that would be kind of bad right you could you could definitely turn the gas off you could potentially cause a line to over pressurize um you can cause a line to over pressurize by opening it too right so having having these uh valves at the right positions is very very important so the idea of um a data plane and a control plane for operating the grid uh operating the transmission system for natural gas is very important so why would we ever want to use the cloud for something like this why would we ever do that it's just kind

of crazy right to put control signals uh through public infrastructure this is uh this seems like a recipe for disaster as a as a security guy I think uh we we really need to avoid that maybe you know I don't think you can avoid it with a law uh maybe uh maybe there's some other way we can avoid it but at the other hand it might be it might be too late so with that I've used my my minute for uh this first piece and I'll turn it over to Mike to argue why we have to use the cloud thanks Bryan uh as Bryan said I'm the product manager for a lot of our Cloud products at

OSIsoft uh and what I do is I I talk to our customers and try to convince them into buying our into our our cloud vision and starting to use some of our Cloud software um so I talk to customers like Bryan and you know the the oil and gas guys will say no we can never put our SCADA control signals in the cloud um but when I speak to them uh some of the the arguments I have against that are what kind of uptime did you have with your uh private infrastructure uh with somebody like Amazon or Azure I can get three nines that's something like 45 minutes of downtime per month uh if I look at

some of our on-prem customers who want to keep everything internal and use their own IT shops to manage everything uh they'll have downtimes over a weekend and that'll be down for 3 Days that's much longer than any 45 minute outage that I would ever have from some kind of public Cloud infrastructure uh so there's a lot more uptime and that I see that as a very big Advantage uh the meme that I have here are the is the polar vortex um can you guys hear me okay now now it's better [Music] all right so we'll uh we'll try to make sure everybody can hear us here is that is that better uh so the the meme that I

have here is the polar vortex uh and this is designed to talk about the great success that uh the they had in the state of West Virginia where they had the The Very extreme cold outage uh and the polar vortex and the Arctic blast was coming through the the Northeast and they needed a lot of communication between all of the gas suppliers and the gas consumers and using that public infrastructure it was a great success because they could keep the the gas generators on and they could keep the Northeast warm so that businesses can operate and so that uh everyone here can go to work uh as uh you know I'm I'm a San Francisco resident so we're not

usually worried about keeping the heat on uh it's usually pretty moderate here uh but in places like the Northeast uh that can be a very big problem and you need to be able to make sure that the the homes are warm and that the commercial side is able to uh to keep the uh the lights on uh so for some of these reasons uh that's why I think the SCADA control signals would be just fine moving to the cloud um from all the advantages that they have in those [Music] scenarios all right so another part of the natural gas system isn't just the control plane there's a lot of data right we're in this era of pervasive

sensing so with pervasive sensing uh we're looking at things like is is the pipeline leaking is it vibrating is it moving where I used to live up state of Washington they had land slides so you need pervasive sensing all across that pipeline that spans from Canada all the way uh to the US so how how do how is that done well it's it's wireless Right Wireless is the way to do that you don't uh uh take a pipeline that was built way before the internet even existed and uh expect it to have wired infrastructure for this kind of telemetry so as a hacker what can I do with that certainly this technology uh could can be jammed

and would that really be a problem for vibration and so on not really I think what I would do as an attackers I would try to see if I could use that Telemetry signal to get from it's non-operational data but could I get from a non-operational network into an operational Network could I find a way to penetrate their defenses and I could come in from a place on the pipeline where they're not they don't have cameras they don't have anything I can just kind of be in the you know really well hidden and try to find a way into their system what do you say to that so for these pipelines that are very distributed uh that's a lot of uh

routers and switches and different things that you're going to need to be able to maintain and with the the up time that your team had last year you had a a three-day outage uh do you really want them to put in all the time and effort that it takes to instrument all along this Pipeline with their private infrastructure and how sensitive are those signals it's uh not something in the the pipeline that needs to be immediate uh a lot of these things are items that are very slow moving slow changing and it's simply t data so I would argue how important is that data to you and a lot of that is uh data that

uh may not be critical in a second-by-second uh uh data [Music]

points all right so another feature you'll find in the natural gas system is that these these systems are so critical that they're are control centers and the control centers are geographically redundant right so so um maybe uh there's something up in Northern California and another control center in Southern California for instance so when I'm thinking about how those control centers might rely on a cloud I'm going May if they communicate with each other across a public Cloud isn't that a Place whereas a a new place that I can get in and think about think about what I could do as uh as a hacker in control center not just a compressor station but all of them now we're

talking Die Hard four baby I can I can move that gas [Music] right all right so now you want to take that existing team with their low up time right they were down for the weekends and you want them to build not one data center but you want them to build two data centers for you it's going to have the same weaknesses across the board and it's going to have the the same kind of problems that a a single data center would have uh you might have some advantages if it's in Northern California and Southern California being geographically distributed uh wouldn't be affected by the same kind of natural disaster but a lot of that could also be

handled by the public Cloud uh if you look at somebody like Azure uh they have two data centers and lots of regions um you can also go pairing from east coast to West Coast uh so Not only would it be across Northern California and Southern California um you can go across continents across the US and around the world using the public Cloud uh and using your your existing staff I would argue that there must be something that they would be better at you know if you're going to look at this from a business decision um do you want your existing it team to spend twice the amount of time to build a redundant data center that you could do as easily in

the cloud by turning on another switch uh I would argue that this would be a great reason to go to the cloud he just said Cloud again I think we have another one here uh in the in the gas system and the gas system is really important right so I mentioned this in the introduction the gas transmission system in particular those compressor stations really really need power right compressors don't run by themselves uh there's no hamster wheel SO gas system needs electricity the power plants need the gas to make the electricity we got this symbiotic relationship why don't we do away with that uh and uh because that's forced us to rely on the cloud in my view and I think we

should you know do things like have generators and fuel cells and um we can't really if we have these systems coupled so closely uh it only takes one of them to go down maybe as a hacker I can I can get into the natural gas control system from uh from a power plant so I want to limit my attack points and and say hey let's let's not have so many ways in to the gas [Music] system well if you're limiting all of these ways into the gas system then it looks like you're going to have some uh way to communicate to your end suppliers so we're looking at this connection from our gas consumers uh to the power plant

and if you want some sort of private connection then are you going to set up a a separate VPN for each connection you're going to have a separate router a separate switch for each uh uh end consumer that you have what happens when you go up to a 100 of these power plants and consumers you're going to have a 100 routers sitting in a rack each with their own software and remember you just built that redundant data center um so all your people who are managing th those redundant data centers uh what if they forget to upgrade the the software and the BIOS on all those routers uh all of a sudden everything is going to be

out of date and are you going to argue that that is going to be more secure than the cloud offering uh here here I am losing again um but the the cloud offering is going to be maintained by somebody else and I'm hoping that somebody else whether it be AWS or if it's somebody like Microsoft Azure uh they're much more Progressive about installing these new patches and updates than your existing it team may be uh especially if they're spending all of your time with these redundant data centers and worrying about uh the new technology as it comes up uh with the cloud that's one way to Outsource a lot of this so that you can allow your team to focus on what

they're good at uh and I would argue that the the IT teams that we have today are going to be much more valuable um in a different type of role than simply managing VPN connections and managing the the software updates on routers and switches all right the this is the last piece on the gas pipeline and uh ultimately with a lot of critical infrastructure when the chips are down it's it's the crews it's the service Crews that keep this thing going keep it from cascading down and what I'm thinking is in the old days the maintenance crews didn't have you know their iPhone with them they weren't they weren't relying on that they had radios right

that's that's how the dispatch Crews uh dispatch them and if they're relying on something like their iPhone or Google Maps to find where they're going that just doesn't seem really good to me I think think they should have the towers along the pipelines so they always have radio contacts so these guys know exactly where they're going they're not relying on public infrastructure to communicate and dispatch those service Crews and uh you know I get it that that's there seemed like there's some advantages there but in the end uh when things are really going haywire can you depend on that to be there I would argue that these maintenance crews are already out in the field and

everyone here just like the maintenance crew probably has a a smartphone in their pocket and we're connected up to Google Maps and if we want our our maintenance Crews to have the information that they need then the rest of the public should have that as well so this is more of the the open source idea where everybody has access to the information that they need not just the maintenance Crews because it's not just them that are going to be affect affected by any kind of outage uh these maintenance Crews should have the same level of support that our public uh infrastructure would have uh and also these uh maintenance crews are out in the field how are they going to be

maintaining separate connections between each radio tower uh are you going to use your existing it Force again um who's managing these redundant data centers and they're doing other things with these uh separate vpns for all the connections to the gas consumers uh and now they have another thing on their plate which could be very easily replaced by the cloud infrastructure uh this is outsourcing but it's Outsourcing for the public good so that uh instead of maintaining all of these things in a private sense if we move this to more of the public Cloud then everybody benefits not just the maintenance Crews um and these maintenance Crews may have a higher level of priority H but everybody

needs access to this type of information I have aot this for youday so I I forgot about this but imagine that these guys are relying on public infrastructure to be dispatched wouldn't it be great if you're if you're really an advanced adversary to send those guys on a red herring you know get them have a decoy event send them way over to the other side of uh nowhere and then and then execute the real Attack what do you say to that yeah so that's tough that that's why he's the security expert I'm uh I'm just the product guy all right we're going to switch to safety vest [Music]

okay all right so in this next scenario I get to to take the uh naysayer to the cloud uh so this is a lot this is what a lot of my customers will tell me and I always try to uh convince them into using the cloud so this is kind of an opposite of uh of what I normally do and all I have to say is what some of my customers tell me all the time uh even though I'm hoping that they're wrong and we're trying to sell them that they're wrong so uh it's it's starting to work as well uh so this scenario number two is part of the pharmaceutical contract Manufacturing and the idea is that these

contract manufacturing companies are receiving very sensitive information about making an active ingredient and the active ingredient might be for some of the big pharma companies like Pfizer or somebody like Johnson and Johnson who need just a little bit of this active ingredient and they don't have or they don't want to invest in the specialty vessels that would be required to make this specialty active ingredient so this is very common across the board for a lot of pharmaceutical companies and these are a lot of the companies that I work with all the time now what a contract manufacturer would do is they would have separate trains set up throughout their manufacturing plant and these trains are kind of like building

blocks they can switch out vessels uh and the vessels would be uh these skids that are specified from the the parent company somebody like a Pfizer or Johnson and Johnson so at any snapshot in time uh I might have train number one would be running a proprietary active ingredient from the uh contract manufacturing company that they're making from uh some of their early research uh while train number two could be in a different configuration and this would be making the active ingredient for a third party uh train number three might be in a cleaning cycle so this is one contract manufacturing company and they're making lots of different things now in train number two they need to be

able to share this data about making the active ingredient for the third party and that third party could be held to uh various FDA regulations uh and we're going to walk through uh some of these scenarios and we'll try to identify if we should be using the cloud or an on-premise solution for some of the the ideas here [Music] so in the first scenario we want to decide if we want to be storing and analyzing data and information directly from the skids so the skids would be the vessels that are part of this train uh which are part of making that active ingredient that drug and the meme that we have here is the Chinese tainted heparin that uh came

out a few years ago and the idea is that uh if I'm a a Pharma company or or a contract manufacturer I want to do all of this inform all of this information processing and storing the information and analyzing the big data on premise I've always done it on premise it doesn't make sense to put this stuff in the cloud I just I want to be you know just normal want to wear my my safety vest uh it should be the the gray hair up here uh this the safety vest but it's nice to take the other side every once in a while uh so the you know some of the the main ideas are that uh myself

the contract manufacturer company I need to keep accurate copies of this information and if I put it into the cloud I I don't know I'm not really comfortable with that I don't really know what that means I'm not used to doing that uh and many of these pressures and temperatures would be uh very tightly regulated by your third party uh they would need to uh look at a vessel and say that the temperature never exceeded 40° centigrade at uh while we're making this active ingredient if it extends that for any period of time then that active ingredient might be garbage you'd have to throw it out so for these reasons uh I want to be able to keep this

information inside of my premise I don't want any kind of connection up to the cloud uh that's not even part of my vocabulary right now all right so um the only choice is for one company to be in charge of the the whole thing I mean that's the alternative he's he's trying to force me into right so we have this environment where we need to use these um um third party manufacturers uh to to make this active ingredient and the failure here for the heparin uh they just didn't give us the data that's that's would be my my [Music] rebuttal now the next piece is this FDA validation of software updates and with our on-prem software uh I have a

separate uh scenario uh a separate set of servers for my production servers and my test servers and I get new software from my vendors I put it on the test system I test it for a series of months I fill out 400 pages of paperwork and then maybe eventually I would upgrade my production servers that's how I've done it for the last 10 15 years and that's the way I want to keep doing it I I don't see reason to change this this works for me uh I have to stick to these FDA regulations uh there's a a screenshot of the this title 21 uh chapter uh was uh CFR 21 part 11 uh this

is part of the compliance that I'm required to do and this is part of the the piece that requires this accurate copies of data uh and I need to be in full control over any of the software updates that happens to uh the servers that are running active ingredients for my third parties or for my own proprietary uh drugs that I'll be making for uh some of the the other research that my company would be doing you know these uh these regulations are killing me you know I'm trying to make drugs trying to save people's lives and the FDA keeps throwing more and more regulation on here and to to make a drug uh they want

me to leave my servers unpatched because if a patch comes through I got to do all these regulation things this is this is not the right thing we need to move to the cloud we need to allow companies to update quicker so their systems can be

safer all right now as a contract manufacturing company I need to be able to maintain connections to my end customers uh now on this screen this says uh some of the servers that OSIsoft uses uh it's not particularly important that I explain what each one of these does but the idea is that as a contract manufacturing company I need to be able to send data to my end customers so I would be sending data to some of the big Pharma companies out here and to do this I generally maintain an active VPN tunnel to each one of my customers I have a separate of routers and switches and I maintain that constant VPN so that

I can share data while I'm making their active ingredient and this is the way I've always done it I don't see any reason to change uh I have a direct connection uh I'm pretty sure it's safe and it's uh we usually only pass back and forth uh CSV files or text files and I I I think those are are pretty safe to uh to be passing back and forth um so I don't I don't see any reason to to change uh I need to be sure that my information that I'm passing cannot be adulterated in any way and I think this is a good solution for uh for what we have today adulterated wow so so the contract

manufacturing organization is is communicating with dozens of other organizations with a VPN level two connected passing files I'm sure that the antivirus works perfect I I just can't see that that is a scalable architecture going forward we need to do something better we need to proxy that information transfer through something in the middle uh I think the cloud is a great place to have that proxy and and that's that's uh the strategy we we believe add security to this instead of um adulterated [Music] data [Music] all right so my manufacturing process is uh integrated with the ERP system that we've always had um I have uh an SAP system that's been there for a while I

have a whole team that maintains it they're really good at maintaining it uh it only takes maybe six months to get something changed in it uh so that's a pretty good process that uh that we have right now um and I I want to continue this uh this investment with the the on-prem system there's a lot of Legacy features that I like to use uh lots of older systems that I want to keep integrated with it uh I I just can't see how we could ever move forward uh we need to continue the investment uh with the the great people that we have and to continue to allow them them to uh Thrive with these uh historical and Legacy

systems uh again I don't see any reason to move to the cloud uh because the cloud won't support a lot of these Legacy features that my company requires in order to do [Music] business I think I'll only talk about one of the features that that kind of system supports but uh and I didn't introduce the meme for uh for the pro Cloud argument here but one of the projects our company was involved with was a program for elite athletes and uh and uh Special Forces right so the idea of uh right out at the edge in in these uh Health companies is how how can people heal better how do we know if if an athlete is actually able to perform

at his full potential so if we don't have these kind of cloud-based systems to gather information you know we're talk we're not talking about your everyday Fitbit we're talking about something a bit more detailed here but uh we we need these Cloud systems if we're ever going to move from the the old way that's really slow to get these new cures to Market so that's that's why we need the [Music]

[Music] cloud now another piece that I have here is to ensure some of this security compliance uh there's a lot of regulations that I'm under from the FDA and I'm pretty sure that the only way I can satisfy all of these regulations is by having my own systems that I fully control uh these are U some of the standards that are out there for specific Industries and it's not just Pharma in this case uh for the companies and uh vertical markets that OSIsoft serves um there's many things like nuclear or oil and gas and they all have their own security compliance regulations and when I comply with these regulations um that's going to make me

very secure uh I can simply follow the letter of the law and I can be sure that uh I he he warned me about this one I I can be sure that I'm going to be 100% safe and also I'm not connected to the cloud and you know all the the hackers that are are up there so I uh I'm pretty sure I I just follow these security compliance rules and uh you know I can I can sleep easy at night yeah give me a break the regulations are going to save us um and the security standards and the compliance Frameworks I I mean people in here I know you um probably are very uh

you probably have your special uh uh um set of Standards or Frameworks that you like and it's not to say best practices are wrong in any way but what what we see is that this is a minimum and people don't go beyond the minimums in compliance so that's the real problem it's not that these these things are U are bad it's that that they're not enough but when you make it a regulation companies often interpret compliance as that's all they have to do and no more so that's why we need the cloud we need to be able to move the security function into a place where um Specialists can go beyond the minimums

all right so time to switch the vest yeah yeah we got to switch the vest again so I can finally take off the the safety vest and I can go back to supporting the the public Cloud which is what I wanted to do the beginning talking about the regulations um that's that's literally what a lot of my customers will tell me uh and I have convinced several of them start migrating to the public so they have some very good arguments but Bryan also helps me address some of so to set up this third scenario um Smart City and it's it's nothing um unlike the prior two uh scenarios where Mike and I have deep uh experience in it

smart city is nascent right it's it's a probably more of a concept than a reality today so uh we if we didn't have answers for you uh or interesting uh dilemmas in the earlier scenarios this one is far more blue sky so let me try to set it up a little bit but what we're talking about with smart city you'll find a thousand definitions for it again we're going to focus on the utilities Services Transportation just the electricity water communication a bit emergency service and uh Transportation aspect some of the places we do have experience I've listed here the airports uh data centers medical centers and as odd as it sounds even stadiums so uh

with that uh I guess the uh the first one goes goes my way here as arguing uh as an anti-public cloud infrastructure I said it didn't I cloud um so San Francisco we're in San Francisco why not bring this one up right city's own own network um how good is that right city's own administrator locked him out and by the way the control signals for SCADA were running on that network too so uh you know I'm not so sure that that maintaining the uh infrastructure in-house uh privately is uh the way to go here it it sure sure seems like uh was a problem um so I argue the wrong way didn't I no a

safety forgot I have the vest on dang um all right so reset that anyway um so so to argue um argue against this with Terry Childs is that um this was a a private infrastructure and um if it was if it was public who else could have done that besides Terry Childs we always will have the insider threat you'll never get rid of it entirely but uh at least it was insider even uh even the now governor went to went to go visit with uh Mr Childs and he he gave him the password he wasn't an all bad guy right he just was proving a point I would say this is more of an isolated incident uh besides this is San

Francisco right uh now the argument for the more public infrastructure uh for some of the high-speed networks and communication um could be seen by some of the private ventures that are providing fiber uh now a disclaimer the Lit San Leandro is a project that's sponsored by the president of uh the company that Brian and I work for um but this Lit San Leandro project is a project where they're installing a a 10 gbyte loop of fiber bandwidth and the the city the public infrastructure of San Leandro has provided a private company the right-of-way to install the fiber and in return this private company is giving the city part of the bandwidth but they're not giving them

everything so San Leandro is is giving this right-of-way it's giving the public infrastructure but they're not getting the the full benefits of what is uh uh could be returned by the the full bandwidth of the fiber loop uh so for these reasons uh I would argue that it would be much better if the public infrastructure and the public communications and the fiber were was um licensed out so that everybody in the the general public could take advantage of this infrastructure the infrastructure is using the rights-of-way that are in the the city streets and that are owned by the government and all of that public infrastructure should be used not by a private entity should be used by

the public in general by everyone in this room and by everyone in San Francisco in San Leandro well I'm glad I wasn't on record saying that I'm teasing you so how about emergency response and what does what does that have to do with critical infrastructure and smart city um let's take an example uh that is uh the NRC right everyone will get the thing you know it was just a few years ago that Fukushima had uh had its incident and Japan did not have the equivalent of the NRC's emergency operation center so uh the idea that there's this private uh infrastructure that is connected to all the nuclear plants and monitoring it uh in case of emergency uh is a is a great

uh great story right so uh I I think that the these kind of services like emergency uh services for smart cities um this is this is a good case for keeping it private right we want we need to count on this stuff well I could point out lots of flaws in some of those private ideas uh one such flaw would be the 911 failure that affected 2 million people in Northern Virginia uh so this was an outage caused by some of the private infrastructure and I would argue that if we were using public infrastructure for some of this emergency communications then we would not have had such a large and widely distributed outage uh it also

wouldn't be wouldn't have been down for such a long period of time and affected so many other people uh there's lots of these critical emergency response centers things like medical centers um and is as Brian said the the NRC emergency Communication Center uh so I would argue that that many of these could take some of the advantages of the public Cloud uh for the same things uh for looking at the high uptime numbers of some of the public Cloud infrastructure and you know those High uptime numbers would have prevented or at least limited the effect of some of these wide outages um now just a quick time check I think we have time for one more topic

here so I might pick a good one good all right so so I mentioned stadiums earlier and the funny thing about stadiums is they're not normally critical but for a couple hours on any given day they are right there's a whole bunch of people that rely on those uh facilities to be safe and uh we all saw this in Spades when San Francisco was duking it out down in New Orleans right so uh hey um that could have been a disaster the fact that half of the stadium stayed lit saved their bacon right so that's uh that's probably an argument for some really good engineering whoever built that stadium was smart enough not to have uh you know

one point of failure at least at least half the stadium stayed up so uh my my argument is um hey we if we go to cloud isn't that one point of failure if that cloud goes down isn't it going to take it all out again maybe that's one of those isolated incidents uh if I look at some of the good things that the public cloud would be able to provide uh I can look at some of the other work that OSIsoft has done around these stadiums and by analyzing and looking at the energy and water usage of something like Safeco Field uh they're able to uh look at the actual use and be able to optimize it

and by using some of the public cloud infrastructure and all the communication that it provides they're able to reduce the energy intensity and uh this is uh kBTUs uh per square foot so the idea is that over time uh by analyzing the data and using the cloud again another marker on my side by using the cloud they're able to reduce the energy usage so that the stadium can become more green and we can conserve more energy and uh we can be uh a better society overall by giving the uh the data to the people and by using some of this public cloud infrastructure that was three clouds four all right next one we are in

California and we're in a major drought right and uh some people are proposing that the cloud can save us from the drought imagine that I I suppose there would be a way to hype but I live up in Sacramento and uh the idea there is is just a lot simpler why don't we just conserve why don't we just tell you know you can't water this day and you know here's your odd and even day and here's the day that no one can water we don't need this cloud uh stuff well I would argue that this California drought is a really big problem and uh there was a recent article on the internet International Business Times uh

about some of the uh marijuana plants that uh they're using so much water and uh starting to dry out some of these rivers so I would argue that this is one of the the major problems that we have here in in San Francisco uh especially for the upcoming holiday tomorrow uh I don't know if anybody's celebrating in in Golden Gate Park um but uh OSIsoft is uh helping to um run some of these water conservation projects uh with universities and the idea is that uh these uh research entities or universities need access to the water consumption data and if you want to run a water cons conservation project you need to identify the largest consumers

so uh for example uh if we're able to analyze everybody's water usage in this room uh some people would be larger consumers than others based on where you are on a hill so if you look at a hill something like Nob Hill uh it would be generally more expensive to consume water at the top of the hill because it takes energy to pump the water all the way up to the top than it would be to uh consume water at the bottom of the hill so if you can convince the people at the top of snob Hill to uh reduce some of their water usage then that could be a uh a much more uh effective way to

conserve water uh and in San Francisco is a fairly small region but if we look at a larger part of California uh it costs money to run a conservation project to send out flyers or to analyze information so you need to identify the largest consumers uh in the residential space uh in the agric in the Agricultural and commercial space it's a different kind of topic but there are still huge uh gains to be seen uh for instance in Sacramento uh from even some of the residential water consumers I will go on record I never thought I'd argue against weed anyway um so um demand response is uh another area and um you know I look at demand

response as uh uh people are touting it as the answer for our critical infrastructure being stressed right to its limits they'll say oh we'll just send out this signal that says you know uh we're at the limit and uh uh we're going to start charging a lot more and people will just back off kind kind of sounds uh might sound appealing to me but I'm going as a hack I could have some fun with that maybe maybe even game the market send some fake signals out that could be that could be a whole bunch of fun I I just see a whole lot of ways to game the system and uh we know that when it's

about money and that's what this is about uh that's what that's what it'll be used for now I would argue that we need a lot of this public cloud infrastructure to to be able to support this demand response uh we need to be able to communicate to businesses and individuals to uh identify some of the large consumers and to be able to try to proactively uh reduce some of the consumption at the peak times uh there could be some sensitivity of this power generation data uh and it kind of depends on the time and space uh you can look at some of the old uh disasters of Enron um but I'm hoping that with the

next version of a lot of our cloud-based software that things like demand response would be a much easier program to run if everybody has their smartphone and an app uh it would be very easy to send out that signal we got 10 minutes left uh so maybe we we want we're almost there yeah this is our last one all right so the big the big magic uh in uh electricity that's holding Society back if if you ask me and I I've spent many years uh dealing with the industry is we're not very good at storing electricity the electricity system has to stay in balance between uh consumption and generation uh at all times electricity moves at the speed of

light it has to stay in Balance if it doesn't we're facing a cascading blackout so it's it's really really important to keep that system in balance and what people are highlighting as storage uh to help us out are are the uh electric vehicles your electric vehicles are batteries on Wheels they're uh at in quantity it's going to be storage and uh that's all sounds fine but I go you want to hook it up like this through WiFi come on this is this could be hacker City this is this is going to be a real problem and uh I I'm just not sure we're ready uh to solve the problem problems of of energy with uh with this

kind of system yet maybe we need to do what what China did they they didn't charge they didn't charge to plug in your car they just charge for the parking you don't have to have all this wi-fi stuff you just plug your car in it charges you pay for the parking comes with your parking spot so all this wi-fi all this communication not needed hey I just want to charge my car I I just want get where I'm going uh I don't see any big problems uh about storing or analyzing or sending this charging information over our public Cloud infrastructure definitely going to lose this debate uh but what I see in the field is that

um many customers are using the data and the information about charging the the vehicles and the length of time they're charging and the time of day and the usage of those Vehicles how far they're driving to identify uh the best locations to have these Chargers to be placed uh this is what Tesla has done uh you can drive down Interstate 80 uh and they've done a pretty good job uh I would argue that if they're using some of the uh public Cloud infrastructure they could have done a little better uh but for some of the new smart cities uh if this is a thing then uh all of this data and information has value and we

need to continue to collect that value and the only way that I could see to really gain the the the most benefit out of this would be by using some of this public cloud infrastructure so uh so that really concludes the materials we we prepared and these uh three scenarios um so um Mike thanks for arguing uh against yourself many times and can respect how hard that is uh we're uh open for questions uh

so uh to repeat the question I and I think I really liked your point about medical devices and terms of Regulation the role it has uh is are there I think your question was along the lines of have you seen it work uh effectively or

not so so medical devices um I think that some of the uh security companies are working with the FDA to bring some sanity to the regulations but a regulation that says that uh in order to apply a patch you uh you can't you can't apply the patch economically at all uh makes makes the case that regulations are uh need this need to be worked out better right the way it's written is it's not the regulation that's bad necessarily the intent anyway it's that it's the way it's implemented isn't

working app

right so for for FDA validation um they did have some rulings that relaxed some of the uh validation procedures for security patches now the issue as a software provider that we see is that um separating a security update from a functional update isn't always clear and that's that's a place where probably more work has to be done but if um if the update is identified specifically as a security fix only the FDA has an accelerated process now um I don't know if that applies to medical device uh and I know there's some people here working in the device space but would the yeah so so right right now uh the the essence is that uh companies are so

frightened of Regulation that they take the approach that that any change they have to go through validation so they they do no updates there's there's critical drugs being made relying on XP today right that's that's the kind of impact that that current set of regulations has so from a security perspective my contention is it's it's a net negative effect right now uh with what we know that's going on if you could really Island those systems maybe you could make a case that is working I I don't think it is working today

um being a security guy you know you cannot see you cannot protect that's so with L cloud whether it's infrastructure application what we are seeing is that we're losing the visibility I into your analysis and you got to figure out solutions to address that you know security monitoring and response discover you achieve that when allow provider different that right so that question about transparency in the cloud is a great one and I way I like to look at it is from the lens of uh OSSTMM right so the think of uh uh visibility access and trust right so whenever you take on uh a third party you you have this trust thing and

that's what you get at with respect to uh is the people I'm trusting are they transparent about what they're doing in the security space so in the case of um uh comparing those what we believe is that when you're in a scenario as a Critic critical infrastructure person where you're having to uh continually trust not one not two but three but dozens of external entities you can make the case that it's better to shift those to uh to a single entity and you still have the transparency problem with both the problem is is there instead of dozens of issues with transparency there's only one right so if you're in that boat the cloud is superior if if you're in a case

where you're only having to trust one other entity um uh you you could argue that transparency is the same same with just one uh as trusting the cloud it's kind of a Cheesy answer but I think the issue exists in our current world and shifting to Cloud doesn't change it it's it's just a matter of counting how many external entities uh do you lack visibility and transparency of

yes

right so to start where I left off with the previous question right so so you have the opportunity to reduce the amount of trust that you have to um put outside right if you can limit the number of VPN connections instead of dozens of them just just one connection to the cloud uh service provider that's that's a lot better the the issue of the updates where professionals are doing the updates was another piece we touched on where we believe that a lot of times the public cloud public infrastructure providers are doing a better job than what we see in uh uh people trying to do it themselves um and then the third piece is the

enabling scenarios all together there were things we talked about that aren't possible without the cloud and that's that's probably the big tipping point when you are able to actually take advantage of pervasive sensing so you know that your pipeline hasn't fallen off a cliff and it's it's ready to explode right so uh we need we need to take advantage full advantage of the cloud to make it worthwhile is the hook coming one minute anyone want to give it a shot all right then we thank you