Real ICS cyber incidents including cyber attacks against critical infrastructure ICSs continue to occur. Yet, ICSs continue to be connected to the Internet. Moreover, the information is not being adequately shared. Additionally, vulnerabilities such as Aurora are not being adequately addressed yet the government has made the information public.
Unisys sponsored a report by the Ponemon Institute: “Critical Infrastructure: Security Preparedness and Maturity”. It is being widely quoted even thought there was little Operational input and many of the questions were not relevant control systems. Consequently, the results need to be questioned as to their relevance.
I will be attending the Air Force Research Institute’s C-ACTS meeting on July 17th. The intent of the meeting is to identify and highlight strategic issues, foster research, collaboration, and develop educational programs that explore national security and military operations in cyber space.
For the first time, we are having a formal call for presentations for the 2014 ICS Cyber Security Conference - www.icscybersecurityconference.com. The call for presentations can be found at http://www.marketwatch.com/story/2014-ics-cyber-security-conference-call-for-papers-now-open-2014-07-10.
July 3, 2014 DHS made the INL Aurora information public despite the request being for the Google Aurora information. With the exception of two utilities, industry has still not responded to mitigate this problem. DHS claims they released the information because the information is old and industry has addressed the problem.
The past two weeks continue to demonstrate the lack of understanding about the unique issues of ICS cyber security – why isn’t it just IT. This includes the lack of understanding from private industry, DOD, DOE, and academia.
I have been concerned for years that companies have been monitoring corporate networks and extrapolating those results to the ICS networks. I know of only a few companies that have actual monitoring data from their ICS networks. The results are certainly different than those on the corporate networks.
I was in Washington DC to be interviewed for an upcoming TV show on cyber security. We spent about an hour filming in front of two critical infrastructure sites. No one came out to see who we were or ask what we were doing. What if we were bad guys?
Many ICSs are connected to the Internet and it isn’t expensive to find them. ICSs continue to be connected to the Internet even though they may not be cyber secure. Be careful what you ask for - you just might get it.
To many in the IT community, the gap in understanding industrial control system cyber security is gaping. I was drawn to a May 29th Dark Reading article titled “Large Electric Utilities Earn High Security Scores as the title seemed to be at odds with what I have seen.