The Dispatch: Security Isn't a Feature. It's How We Work.

Here's something that might surprise you: I have an Electronics Engineering degree that I never used. Not once. I got a Master's Degree in Information Security and have spent the last 25 years in this space instead. I started at IBM just before 9/11 happened, suddenly every enterprise customer in America needed to know if their infrastructure and information were safe. Unlike today, nothing was encrypted back then and you could see everything on the wire. It was both terrifying and fascinating at the same time.

Our nation's grid and energy systems are now in a similar position. They didn't need protecting the way they do now. The difference between building energy infrastructure today versus 30 or 40 years ago is that the people who built it weren't necessarily thinking about nation-state adversaries or anyone trying to control it remotely. They were thinking about physics. Now, many years later, attempts to bolt on security capabilities to this critical infrastructure are still occurring, and for a lot of energy companies, it's still only partially implemented or still an afterthought.

Security at Torus runs through every layer of our technology stack. Hardware, firmware, software, operations. All of it, starting from the moment we fabricate the physical systems all the way through to the software monitoring them in the field.

That philosophy didn't happen by accident. When I joined Torus as part of the founding team, security-first became a guiding principle for everything we would build and how we would operate — not a checkbox, not a feature, but the foundation. It's one of the reasons our Founder and CEO, Nate Walkingshaw, asked me to carry both the CTO and CISO roles. And I finally got to use that Electronics Engineering degree I'd received, nearly three decades later.

An early example of this is how we decided to handle securing product command and control. We considered how wireless signals could be jammed, attacked, and manipulated from great distances. We knew that would not be a risk we could live with in our products. Energy command-and-control signals are just too critical. Ultimately, we hardwired as many communication channels as we could so those doors would not be open to our adversaries to exploit. Additionally, our Shield product encrypts those communication channels, detects anomalous activity, and generates threat intelligence – all locally at the energy system.

That same idea — get the critical intelligence as close to the product as possible  — is also how we approach the broader mesh infrastructure we're building at Torus. Think about power the way you think about a freeway at 5 pm on a Friday. You're not getting where you need to go because there's too much congestion. What we're trying to do is get those electrons as close to the load as possible, store them when the freeway is clear, and have them available when it isn't. 

None of this works, though, if the culture inside the company doesn't match what we're building. Security has always been a guiding principle at Torus. We didn't set out to build a team that catches problems after the fact. We set out to build a company that creates fewer of them as we build. Everyone is empowered to question and make security upgrades. From our executives to every individual contributor, security isn't owned by a single team. It's owned by everyone.

My personal philosophy comes from years of having to think like an adversary. Think evil, but do good. You have to genuinely sit with how something could be turned against you before you can build something that holds up. Making our nation's grid more intelligent is great until you realize you've also made it more valuable and more interesting to the wrong people. That's why you can't bolt security on at the end. By then, you're already behind.

Energy companies that treat security as an afterthought will always be playing catch-up. The ones that treat it like a culture won't.

And when a customer tells me they sleep better knowing we're watching, I get it. The less sleep I get, I suppose the more they get. That's the job. The utility infrastructure out there is old. The threats are modern. And for once, with Torus, so is the solution.