AMPYX CYBER


How it started, where it's going: 20 years of NERC CIP

By Patrick Miller

Two key people who helped start NERC CIP 20 years ago talk about how and why it came together, and where it could go next. Patrick C. Miller, one of the first NERC CIP auditors in the country, and Earl Shockley, a former leader at NERC, talk about this momentous regulation that changed the electric sector cybersecurity landscape forever.

PATRICK:

We are going to talk about the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards. And why? Because the NERC CIP standards turn 20 years old this year. They're almost old enough to buy a drink.

Twenty years ago, the first iteration of what would become the CIP standards was a little FERC (Federal Energy Regulatory Commission) document that got floated around. Started this big conversation that ultimately ended up basically just transforming the entire North American electric sector cybersecurity landscape.

Before it, there was really nothing. It was really just voluntary. It was entirely up to you. You could do pretty much whatever you wanted to do, from a security standpoint, that you thought was right or not. This was the first for us to actually get all of the utilities aligned and say, "Okay, this is the minimum bar that you're all going to have to meet for security, at least security of a certain size and function."

This started way back in 2001. It's been a long ride, but this actually completely transformed the North American electric sector security landscape. It's been so momentous, and it's done so much all around the world, I wanted to have a chat with Earl Shockley and talk about this, because both of us were in this early, early in the day.

I take myself back 20 years ago, I was basically a SCADA (Supervisory Control and Data Acquisition) security guy at a utility. They were saying, "Hey, there's these new things coming out that look like SCADA security. So, why don't you go check it out?"

We took a look at this FERC document. Of course, this all happened right around the terrorist attack. And many other things were going on at the time. We thought this was going to be a big deal. And it certainly turned out to be a big deal 20 years later.

Over that span, left the utility, went to become the first CIP regulator. I was the first CIP auditor in the country under the Western Region, WECC (Western Electricity Coordinating Council). We did that. Helped write some of the original language in the standard. Then to this day, as a consultant, I'm still doing security, the guidance for the Security Working Groups and stuff for the standards.

Earl, you're also a CEO of a consulting firm for the O&P (Operations and Planning) side, but 20 years ago, where were you? And what were you doing when all this came out?

 

EARL:

I was in system operations at the time at Tennessee Valley Authority. I had just got off a series of night shifts when my wife woke me up and she said, "Hey, our country is under attack."

So, really, for me, the catalyst to security was 9/11, that awareness that 9/11 brought us. Physical security really stepped up around our critical facilities. We immediately started securing our control centers and blocking off streets and having concrete barriers around all of our facilities. We really did not understand whether we'd be attacked or not at that time. That was high alert. We really moved forward with securing everything that we knew to secure at the time.

That basically led into the 2003 Northeast blackout where the regulatory role shifted. And we had the Urgent Action Standards. We had cybersecurity being discussed, we had the 2005 Power Act that formulated the ERO (Electric Reliability Organization). Then we had the FERC Orders 693 and 706 that rolled out the NERC Reliability Standards. Before that, it was voluntary policies that we were abiding by in the industry. In 2003, it showed that our industry didn't have a good day.

So, that's where I was 20 years ago. I just remember one of our old mentors saying --- when I was on the desk as a matter of fact, when the 2003 blackout occurred and we separated from the Northeast part of the United States --- we had an old mentor there.  He says, "You know what, your life is going to change. I'm retiring soon, but we're going to have federal regulation based on this."

 

PATRICK:

Yeah, and there it was.

 

EARL:

And there it was.

 

PATRICK: 

Myself, I had just joined a utility. I was at PacifiCorp in August, my first month in 2001. And then, of course, the September 11 terrorist attack happened. For us, on the cyber side of things, it definitely changed our world. We got lots of calls. We were the power provider for the upcoming Olympics in 2002. So, in addition to all the other moving parts we had, we had that on our plate.

I remember getting dragged into a meeting with the Critical Infrastructure Protection Advisory Group, or the CIPAG. And it was to discuss this thing called Appendix G of the FERC Standard Market Design that was this thing coming out.

We were wondering, "Okay, what is this?" This is part of an old presidential directive from 1998. We follow the chain back and it was PDD 63 (Presidential Directive 63) from the Clinton era that spawned this discussion about protecting infrastructures. September 11 terrorist attack. We're going to use this as a vehicle.

It got things going and it was, I want to say, it was like 14 pages of the Appendix G, this little security appendix at the end of like an 800-page Market Design. Needless to say, the Market Design didn't make it through it, it failed. And Appendix G got pushed off a little bit.

Then as you mentioned, the blackout happened. I think everything kind of got dusted off again. Then shortly after that --- it wasn't completely forgotten about, it had been moving around behind the scenes --- then we all got basically dragged back together, got the band back together, to create the Urgent Action Standard in 2003, the UAS 1200.

For those playing the Jeopardy game at home, it actually does go back that far. I guess the earliest thing that would spawn into CIP was the Appendix G of the SMD (Standard Market Design). But it's interesting to think it's been that long, and we've had all of these things happen between then and now.

Back then, we were both at utilities. What did you think about this? For you, what do you think the hardest part about getting this thing off the ground was?

 

EARL:

That's a really good question. Because we came into the ERO around the same time. I was hired in about 2007, about four or five months before the standards became mandatory. One of the big lists was we had to establish programs at NERC, compliance programs.

We had to establish compliance auditors, which you were a part of the CIP side of that, being one of the first CIP auditors that we had at the ERO. We had to stand up programs that could be sustainable and could monitor the reliability standards and audit the reliability standards.

I think the hardest thing, if we're focusing on CIP, about getting the CIP standards off the ground, was the question, "Would they succeed?" I was excited that number one, the energy sector was addressing cyber and physical security. Other sectors in the energy world hadn't done that quite yet. To me, we were breaking new ground. We were looking, as you know well, for a control-based approach to auditing the CIP standards. We felt that we were going to be setting the bar for other energy sectors.

I also sensed a struggle at that time. Because really, what did the regulators want, versus what the technical people in the industry want, versus what NERC wanted? When I mean the regulators, I mean FERC, the upper levels of Department of Energy, so on and so forth.  They had an opinion of what it should look like. NERC had an opinion of what it should look like. The technical people in the industry, which you were a big part of, had a certain view of what it should look like.

There were frameworks in place at the time, the NIST (National Institute of Standards and Technology) and SANS (SANS Institute) frameworks in particular that I remember. And we had lots of discussions at the NERC level about whether we should create a new wheel or whether we should adopt these frameworks.

The discussion around that was these frameworks at the time did not include control systems. They were more corporate IT-related. I remember that, moving forward with the CIP standards, it would have to be focused more on control systems and protecting our critical infrastructure in the energy sector.

I also remember there was a lot of discussion around what was the ES-ISAC (Electricity Sector and Information Sharing and Analysis Center) at the time, around its independence. NERC being a regulator and being certified as the ERO, there was a lot of discussion as to whether that ISAC should be under that umbrella. But it still fell within a regulatory structure and there was concern about independence there.

I think my overall opinion was, I was excited. I think that we were doing something the other sectors weren't doing and I had high hopes for the CIP standards, because I believed, as I was part of the ERO in those days, that we were there to make a difference. We were there to help put administrative controls in place. We were there to address the risks of the bulk electric system. I really liked that approach early on in the process.

 

PATRICK:

I agree. I felt like we were moving the needle. This was going to set the bar. Even at the utility when I was writing this stuff. I hadn't become a regulator yet.  Even at the utility writing the stuff, I felt like, "Hey, we're making history here. We're doing cool things. We're going to secure the grid."

I had two key challenges. The utility that I was at, at least, was kind of built by merger and accretion over, like, 100 years. I had nothing in common and I had to try to figure out how to get all of this stuff to meet what was then the UAS 1200, the earliest part of the CIP standards. 

At the same time, I'm running up against my management, which is basically saying, "Oh, NERC's been voluntary forever. This isn't going to be mandatory and enforceable." And I'm like, "No, this is on the path to being a federal law." So, it was a big challenge just to get the management to shift to 'you got to do this,' versus 'we should probably do this.'

We were the power provider for the Olympics after the September 11 terrorist attacks. We had some sense of motivation, needless to say, to do some things. But when it came down to whether this was going to be law or not, they still didn't quite think it was going to happen.  I had to fight against that. It was a pretty strong headwind.

Then in the industry, if we're being asked to write our own future, I remember tons of infighting and discussions around, "Do we go with something like a NIST or a SANS framework?" Because it's pretty IT centric. There wasn't a lot of OT (operational technology) or ICS (industrial control systems) specific frameworks at the time. We had ISA99. And there was, I guess, arguably a little bit of that in the NEI 04-04 stuff.

But it was still, like you said, a rounder wheel. We had to go off and invent our own special round wheel for the industry. And I think that was at the time, probably what we needed. I'm not sure we would have embraced anything else, honestly.

But I think the hardest part for me was just getting the organization to admit that this was serious and that we had to do it. And that it wasn't just a 'nice to have' and 'can we just do the minimum?' And, 'do we have to do it now? Can we do it later?' There was a lot of getting that, kind of turning-the-battleship-in-the-bathtub problem. That was the hardest part.

By the time you made it to NERC, and you saw the standards were now mandatory and enforceable, like 2008 and beyond. We'd had Orders 706 and 693. And we're looking at possibly even some interpretations, and there's some machinery in place. Did you think it was going to succeed? Or did you have your reservations?

 

EARL:

I did think it was going to succeed. I did think it was going to make a difference. I thought that we would be identifying a baseline. I thought that we were going to kind of break down the barriers between what security looked like versus what compliance looked like. And I know that you were deeply involved, being one of the first CIP auditors to conduct a CIP audit on the energy sector. I know that there was some angst about what that audit approach would be like. What was your thinking when you guys were formulating the audit approaches to the CIP standards?

 

PATRICK:

I guess there was a handful of us. Myself, Roger Lampila; the early days, we had Jamie Sample and John Stanford, and even Tom Glock. But there were a few of us trying to figure out what this would look like. We had everything on the spectrum from, like, remember the old readiness reviews? Where you just had NERC and some peers? And it was collaborative. I think it was because there weren't real penalties involved.

WECC had like the RMS (Reliability Management System) violation, but it was kind of voluntary penalty. But it seemed much more collaborative. And there was a genuine drive and goal to make things better. We tried that. They said that wasn't going to work.

We came back and said, "Well, there's this thing called COBIT and COSO. We could look at actual control objectives and controls and control testing." And that seemed to be foreign and undesirable at the time.

I think it was even Roger and I came back with the Yellow Book and said, "Okay, here is something from the GAO (Government Accountability Office). And if you're going to be kind of a quasi-federal thing..." At that time, they were a nonprofit, all that good stuff. But to get them to kind of embrace maybe something that had some rigor to it, that could in theory be measured, at least pick one of these.

They ended up picking the performance-based one, which is my least favorite, well, one of the least favorite out of all the options. Because you get to generate a ton of evidence. It's not designed really to test your controls, it's to just evaluate your evidence, and hopefully some non-arbitrary and consistent manner, which we all know we didn't end up with that. In our early-stage design, that was kind of the goal.

Even when you saw the UAS 1200 came out. And the earliest draft one of CIP, it was very control center-focused. It had the words like 'generation' and 'transmission' in there, but it was still very control center-focused. It took us a while to actually morph it, I guess, kind of beat it into shape. Which I think is why you see so much flux in the standards; we're still trying to correct some of those early one-size-fits-some approach that we took, and we didn't have a generation-specific standard or a transmission one, or a special one for control center that felt more like IT, versus OT.

I had my hopes that it would succeed because I wanted it to. Heck, I was at WECC, we had the first CIP program in the country. And I was the first CIP auditor that actually went out and did this stuff. So, I had high hopes for it.

 

EARL: 

I think there were high hopes in my perspective as well.

 

PATRICK:

And I think it moved the needle then.

To transition from then to now, like fast forward to where we are now, we've gone through what, Version 1, UAS, 1200, 13. We start with the SMD, 1200, 1300, Version 1 through 3, Version 4 gets drafted, it doesn't happen, it's whacked at the knees. And then we got Version 5, which is a complete landscape shift for everybody. And then we start this regular churn, as I think I've heard even you say, like 50% of the standards are constantly in flux.

 

EARL:

Absolutely.

 

PATRICK:

That's difficult to keep chasing. We fast forward to now. In today's world, with today's threat landscape and today's modern utilities, where we've got everything from DER (distributed energy resources) and renewables and the grid's kind of turning itself inside out, where do you think this is going to go? What's the future of NERC CIP?

 

EARL:

That's a really good question. Looking back on 20 years ago, it's interesting to discuss what we felt like back in the day, when we were doing the programs and formulating.

One of the CIP industry mentors, Mike Assante, said something to me early on in my NERC career. We were talking about particularly the CIP standards and where they're going to go. He said his greatest fear was that bureaucracy was the evil of what we were trying to do. Administrivia would have been the evil. Because he discussed pretty specifically that not only can you under control something, but you can over control something.

You can spend too much money and you can put too much in place. And it really prevents you from hitting your security objectives.  One of your famous quotes is that if we are in a mode where we're promoting fear of the auditor more than fear of the attacker, we're really not hitting the mark.

Twenty years later, in the CIP standards going forward.  When I left NERC in 2015 and formed INPOWERD, one of my key aspects to my mission was to simplify the complexity. Because, as I spent almost 10 years as a regulator, and I was auditing and involved in many major investigations, I saw that the complexity was great.

Once we formulated these standards and we put them in place, the prototypes really had a lot of bureaucracy to them, the evil, like Mike Assante said. There was a lot of administrivia to it. Those are the things that disappointed me that we couldn't come to a control-based approach to auditing, looking at performance and looking at folks protecting the infrastructure. 

At times, I feel that --- you spoke of the needle being moved --- the needle has swung so far that we pay more attention to compliance and the administrivia around compliance than we do security.

If you look at the CIP standards, there's some charts out there on the enforcement side on the NERC web page that shows the top 10 standards that were violated. Most of those are low risk issues. It's administrative issues that they're finding. And to your point, at any given time, over 50% of the NERC standards are in flux. What it does is it creates a constant churn of documentation for the industry.

If you have smaller companies that don't have the budget to have very strong compliance programs. Basically, they have one or two, maybe three compliance people, and they rely on the rest of the team to supplement that. But they wear many hats. Being able to address the complexity around it is very difficult.

If I look at the program now, the level of bureaucracy disappoints me. The level of administrivia that the regulator is expecting on the industry and the money they expect them to spend to achieve levels of bureaucracy is disappointing.

That's really tough because the level of security talent is challenged in our industry. I read a report just recently that for every gray-haired technical guy like me that's leaving the industry, there's only one in the pipeline. For the cybersecurity world, that's even more so, because not only is the energy sector fighting for this talent, the banking systems, the medical, all of the different sectors in the world are fighting for this talent.

I'm definitely seeing that, on the audit teams, the level of security talent is not there. There's a challenge for the industry in that they have auditors that have less experience than they do auditing them.

I think the other aspect --- if I'm looking back 20 years --- is, I'm really disappointed that the ERO hasn't come up with some more effective metrics to show how effective the CIP standards and the program is. What can we look at? ERO has been sitting on this data since 2007. How successful has the CIP program been?

Historically and currently, there are CIP standards --- the most violated standards are in the top five, always in the top five. We have to ask ourselves, if the most sophisticated security programs are not meeting the mark, historically or currently, then the ERO, the regulatory industry, in my opinion, must consider this. 

We have to ask ourselves the question: are the regulators being accountable for helping the industry miss the target? Because we have this constant moving regulatory target. You mentioned this right, there is complexity for the industry to move through before they can even pull the bow to get a shot. It is not a static target that they can just take aim at. They have to navigate all of this different stuff before they can even see the target. 

With so many violations, perhaps we should examine the quality of the requirement language, the ever-changing direction, the administrative complexity, the inconsistent audit approach. I'm with clients auditing in all the different regions, and I see auditors with different pet peeves and different approaches. That puts a strain on the industry to make sure that they're trying to follow everything everybody wants.

I think the question comes up, and you and I've talked about this before, is it time to change directions? Because if I look back on SANS and NIST, where it was 20 years ago, versus where it is, these frameworks have matured greatly. They include all the aspects of controls, particularly around controls and around security.

Just to sum this up, I think my biggest fear is that a cyberattack of great consequence on the U.S. power grid would shatter the ideal cybersecurity framework of private sector accountability. We have accountability. We're the guardians of this now. I promise you that the people in the industry take this seriously. We don't want them fearing the auditor more than we want them fearing security. We don't want them to take their eye off of operations and reliability and security so that they can make sure they're checking a box in the compliance world. We really have to take accountability for maintaining security of the critical infrastructure. I think the ERO and the regulatory world has to help us do that.

 

PATRICK:

I agree with all that. I see lots of messaging, not so covert. It's very overt messaging from FERC about there's gaps in the CIP standards, and why isn't CIP more like NIST, especially this particular thing that we're looking at?

I get asked all the time, “Do we need to continue with this NERC CIP stuff, or is there something better?”

I think honestly, at this point, I think it was good when we needed it. It was useful to do it that way to start. I think, honestly, it could be collapsing under its own weight with respect to complexity, administrative burden. Honestly, the CMEP (Compliance Monitoring and Enforcement Program). Really, let's be honest, it's not just the standards themselves. They're by no means perfect. And I'm at fault as much as anybody who started this thing, because I helped write some of that stuff originally.

Like I say, it got across the finish line at the time. But I think today, we've got much better options. The administrative burden component, as you mentioned, we could go to something like controls objectives and controls and control tests. And we're not having to produce mountains of performance evidence that then gets arbitrarily judged by whatever auditor and whatever level of experience they have, or don't. The degrees of inconsistency between the regions.

But I do think there's some better approaches that we could be looking at now. This is the most critical of all the critical infrastructures, and it does deserve, I guess, to have the right thing for it, versus just what we've inherited. 

I agree. And I would like to see if there are metrics to hold NERC accountable for, I guess, being a good steward or custodian of these standards. They should honestly have their feet held to the fire for success. This is really important stuff. You and I have seen this from the inside at the utility and the inside at the regulator. We've seen the entire package of sausage being made. I definitely think we deserve better. I don't know how to put it any other way better than that.

 

EARL:

Absolutely. We've had 20 years to learn. I've been in the industry for 40 years.

As you know, if you go back 25 - 30 years, when we were putting our infrastructure together, we weren't thinking about security. We weren't thinking about the Internet of Things and everything connecting together. When we put these programs in place, not only did the industry have to adjust to the compliance aspect, but they had to learn how to secure aging, historical infrastructures that were in place. They didn't have the ability to kind of redesign and spend the money to do everything right, they had to protect what they had.

I think the 20-year point is a good point for all of us to reflect back and say, "What have we learned over the last 20 years? How effective have we been? What can we do to really step up the game?" Because, as you can see, with the pipelines getting hacked and everybody having the cybersecurity fear, as they should have had a long time ago, it's starting to roll even more.

We really should put our feet on the ground and look at the programs in place. Or are we just going to continue to build the bureaucracy and the administrivia? Are we going to continue to burden --- I really like the phrase you gave --- allow the program to collapse upon itself. That would be tragic, in my opinion, if we're not learning and if we're not further developing. And if we don't have the courage to change direction when it's necessary. I think that's something that's really important.

 

PATRICK:

I agree. Not that there's not a lot of great work going on. Those drafting teams, they spend their life in those drafting meetings to write stuff, and I appreciate what they're doing.

But I do think that it's getting to a point to where --- this process of going through the ANSI-accredited process to get everything approved, and then get it voted down.

As much as I would love the industry to have a little more charge of its own future, I also think that it's hurting us as much as it's helping us. So, we probably need to start thinking about some options.

 

EARL:

The legal aspect, where they take the technical language and they have to convert it in a legalistic manner so that they can actually enforce it. The attorneys have to have their point. Sometimes that's where the ambiguity comes from.

I understand that legal aspect where it starts with the applicability, the directive, and what the evidence is in the language of the standards. But what it does sometimes is it takes away from the technical aspect and it makes it more ambiguous than it could be if we allowed them to be technical standards.

 

PATRICK:

There's some good ones now that exist that we could borrow, for example.

So, what do you think, 20 years later, let's take a look at some of the accomplishments that NERC CIP has done. Because I don't want to just say it was a terrible thing, because, like I say, it was a great thing to move us at the time and we needed it. Let's just go through a 'greatest hits' of some of the awesome things that NERC CIP has done.

 We'll just start out with a big shout out to Mike Assante for being a pioneer in all of this.

 

EARL:

Absolutely, absolutely. I think number one is awareness. Cyber awareness is at an all-time high in our industry. That was one of the things that excited me early on, is that we were taking the leading edge in the energy sector about security, physical and cyber.

Awareness around cyber and physical security I think is at an all-time high for there.

There are definitely great aspects to the CIP standards in that access management, change management, patching, all of these things that have really not been our forte over the years.

We're a lot better as an industry doing some of the key things that's required in the security world. I think that we do have a leg up on these other industries that are just now thinking about what we can do.

As they start building their programs, I'm sure they're going to be looking at the CIP standards, they're going to be looking at the progress of those standards and how they were rolled out, and whether they can easily adopt. When you're in pressure situations like that, it's easier to adopt than build. I think they're going to be looking at that.

But I really think the cyber awareness, just having a number of the key elements, training in place, to teach people what to look for. Reporting, just a simple thing of reporting up to the E-ISAC, so that we understand what's going on around us. 

One of the things that before we got the CIP standards in place was, we were very siloed in informational sharing. And even so in the operations side to 2011 southwest blackout, one of the big deals is we weren't sharing data. Being able to report up things that are going on so that we can see consolidated, coordinated attacks on our grid is really important.

Awareness training and letting people know what to look for, having the fundamental programs around firewalls and change management and patching, and all these different things, is just so essential to CIP security.

I think that's really some of the wins that we've had. Because you can sit down at a table now and talk to people and they've heard of patching software, they've heard of baselines, and keeping track of, and they understand now that to protect something, you have to inventory, you have to know what you have before you can put a program in to protect it. 

I think that we've come a long way as an industry in 20 years there. There's nobody in our industry that you can talk to that has not heard of the CIP standards and has not gone through at least a certain level of CIP training, so that they understand all of the challenges. And that the hackers are really serious about what they're doing. There are some great things that's happened. I just think that it's the maturity and sustainability aspect that we're talking about here.

 

PATRICK:

Yeah. I would like to add that it's actually been adopted in a lot of places around the world already. It's not just moved our needle, it didn't just get our country and our North America at least aware, it's now finding its way into all over South America and even parts of Asia. Europe discusses it. But it's at least kind of held up as that initial thing that worked well for the electric sector.

In terms of accomplishments, it's done some great things. Like I say, it really definitely was the right thing at the time and it moved the needle for us.

I look back at all the things that my organization, when I was at the utility, had to change just to accommodate the standards. And when I looked at it as a security professional, I thought, "Oh, this is a low bar. I've been to high-security environments that do way more than this." But just getting all of that implemented across the board at a big utility was an absolute mountain to move. But it did, we moved it. Like you say, it got everyone's attention. It made everyone aware.

 Everyone likes to argue about the language and the terms and the definitions, but we now all use those definitions. That's our playbook. We all talk with that speak and that language. We all mean the same thing when we say those words now, where beforehand, it was much more confusing.

I do think it's done a lot of really good things in its 20 years as well. It deserves a big birthday cake for 20 years and a send-off.

 

EARL: 

Absolutely. Wouldn't you agree that it's moved the needle on risk? I think that our industry has adopted cyber and physical security as part of the enterprise risk portfolio.

I look back 20 years, we saw it as a risk, but it was really something that we didn't pay a lot of attention to. It is now really understood that, "Hey, this is a serious risk." It's not only a compliance risk, but it's an enterprise risk, it's a financial risk.  

One of my big conversations that I have with clients when we're building compliance programs around, whether it be often planning or cybersecurity, is, "Hey, we can practice risk management, or we can practice crisis management, and crisis management is more expensive in the long run."

I really think that the CIP standards, and just that awareness piece again, has moved cyber and physical security. It took some other things like the Metcalf shooting and different things that kept bringing it forward and bringing it forward. But executives now see this as part of the enterprise risk management portfolio. They pay attention to it, they put money and budgeting towards it.

If you look at a positive that the CIP standard profile, and the NERC standards for that matter, has done, it really has matured the risk profiles across the energy sector, in my opinion.

 

PATRICK:

Most definitely. We've even seen the conversations happening at the state, like within NARUC, the regulatory utility commissions in each state, they all use it as well. It's kind of their measure, or measure of effectiveness.

There's even been some blanket resolutions from NARUC that say, "Hey, if you need it for security, or for regulatory components in addition to security, by all means, the money's there."

I think it has really brought the conversation forward at that level, where it's not just a bunch of hair-on-fire technicians running around trying to secure things. It actually gets a line item in the budget. It's talked about at the committee level of the board. The executives now know what those words mean.

 

EARL:

They pay attention to that regulatory world. Where before, they knew it was there, but they didn't really pay much attention to it. I think it's higher on that radar.

 

PATRICK:

I agree. Awesome conversation, Earl. I really appreciate it. Let's go do another 20 years.

 

EARL:

Yeah. It's hard to believe we've been doing this 20 years, though.

 

PATRICK:

I had a lot more hair and a lot less gray back when it started.

 

EARL:

I had a red beard, I think, when I started.

 

PATRICK:

Well, great to talk to you. Thanks so much. I'll talk to you soon.

 

EARL:

Thank you.

 
