Thursday, March 24, 2016

How should you take care of critical infrastructure?


Currently, I am involved in taking over a software product. This product consists of several integrated systems, each with its own owner. One system is built and maintained in the USA, another in Italy, a third in Ukraine, a fourth in India, etc. All these systems are brought together by a fifth, international company, which is in charge of installing and running them for multiple clients. So that company has the integration, deployment and operations roles. The client has only its own customer support, marketing, finance and management roles.
So, development is done by 4 companies; integration, deployment and operations by 1 company; and the software is used by one company.
This company, which is heavily dependent on this software, is not able to run, install or maintain it on its own. It is 100% dependent on the service provider: its critical infrastructure, its life, is in the hands of another company, the service provider, which would be quite scary for me if I were the client. If I were the service provider (the middle company, the middle man), I would be in a very comfortable position, since I would know that the client knows he is totally dependent on me, so I would be in a position to take very big advantage of him.
Without the "middle man" company, the client does not even know how to start the system, where the servers are, what the credentials are, etc. I presume that there are some legal rules that do not allow the "middle man" to strand the client. So there are many issues regarding normal operations to be discussed. For example, how much does the "middle man" know about your business, what would the "middle man" do if one of the systems in the product fails, etc.
What I am interested in thinking about are the not-normal, critical and rare cases, where the client's critical infrastructure is brought down by some accident. And if the client has some problem with his "middle man", he does not even know how to run the critical part of his system! So, as a minimum, the critical part of the client's infrastructure should be the client's responsibility: the client needs to be able to run its critical resources without any other party. And this is especially true for really critical systems: power utilities, hospitals, nuclear plants, planes...
While writing this, I was thinking that there are more and more "critical infrastructure" things. For example, highways, big shopping malls, railroad networks, trains, etc. So there are more and more of these things, and there is increased demand for "middle man" service providers who are going to maintain and observe these critical infrastructures. There is also an increased number of "weak" points where some of these critical infrastructures can be hit, which can cause terrible outcomes: the number of "critical infrastructures" is increasing, and "critical infrastructure" is becoming more and more complex. And since that is probably known to business people, there will be an increased offer of "critical infrastructure" maintainers, observers and guardians. Some of them will not be serious enough, or will not be properly motivated, or will not be skilled enough, or the "critical infrastructure" system will be so complex that the existence of "critical infrastructure" guardians is not going to decrease the scope of the problem, but even increase it.
So, what is the answer to this issue? A parallel "critical infrastructure system" that could be used when the main system is down? How would the business look at that parallel system? Since it is not used often, or maybe never, and it requires maintenance and observation, it will look like an additional cost without benefit!
What should be done, and how do we protect critical infrastructure? It is a very serious question, and a more and more important one with every day.

What I can be quite sure of is that this problem, its occurrences and the different malfunctions of critical infrastructures are going to increase in the coming years and decades, and that is for sure.