I want to thank Walt Boyes for allowing me to join this continuing blog. The blogs are my thoughts and sometimes may be provocative. You may or may not agree, but the facts and logic are indisputable. I heartily encourage you to comment.
I want to use this initial blog to set the stage for further discussion. This first blog will focus on the history of control system cyber security as I've lived it. From my perspective as a control system engineer, control system cyber security started about 7 years ago with the AGA Gas SCADA encryption efforts and the advent of the EPRI Enterprise Infrastructure security (EIS) Program. We started the EIS Program in early 2000 without (at least on my part) recognizing a problem really existed. My initial thoughts were that the appropriate technologies such as firewalls and intrusion detection systems already existed and it was our job to simply educate the electric industry about the technologies. Consequently, I helped author the EPRI Primer on control system cyber security for the electric power industry and several associated guidelines. It wasn't until I started attending cyber security meetings (IT since control system cyber security didn't exist) and asking questions that it became evident (at least to me) that the IT security industry did not understand control systems and that their technologies could potential hurt legacy control systems. Since the EIS Program started in 2000 (obviously prior to 9/11), we could not get many utilities interested in spending money to join the program if its focus was national security. Consequently, those utilities and oil companies that joined did so because they thought they had a business case to do so. Interestingly enough, I held two workshops on control system cyber security in
I hope to hear from you.