Guest Post: Jake Brodsky on the Roadmaps and what’s going wrong…

We have a problem. We have efforts at all levels to secure industrial control systems, but there isn't much coordination. Some efforts are falling by the wayside. The Roadmaps for energy and water are mostly taking top-down approaches. There are approaches in the middle such as ISA-99, and going further toward the technical side, Secure Authentication for DNP and the AGA-12 effort. However, I know of nearly nothing taking place at the bottom. There are training courses from DHS aimed at operators, but there is little mandate to train them.

Looking at the example of safety standards and the like, we had buy-in from executive, engineering, and operations people. We don't have that happening right now in security. We have Roadmaps written for executives who are expected to wave their hands and make security happen without knowing where it's supposed to come from or how it's supposed to work. We have half-baked standards, still very much in development, from engineers and IT specialists. These standards don't know how to address issues such as patch management because at the end of the day, we know we can't set a standard without coordinating with operations. And as far as I know, the effort to train operators on this security issue and how it helps them is feeble. They don't see the need yet.

Meanwhile, legislators are turning up the heat on organizations such as TVA for not being properly secure. The managers are blindsided. They don't know which way to turn, and their IT departments are at a loss to figure out how to set policies for reasonably safe AND secure control system operation.

The problem is that these professions aren't talking to each other. The Energy sector roadmap becomes a matter of useless handwaving if we don't bring engineering and operations into the picture. Engineering or procurement standards won't help if managers don't know what they do or if operations doesn't know what to do with them.

And one thing is sure: we can build economical and secure control systems, but if the operators don't know how to use them or fail to see the advantages, they'll subvert these features and all will be for nothing.

I had hoped the Roadmap documents would be broader than they turned out to be. I had hoped that ISA-99 would have more than just engineers and IT specialists in it. I had hoped that the ISAC organizations, regulations, and legislation would push operations to train themselves to ask for what they need. None of this is happening on a practical scale.

It's time to talk turkey. We keep bumping into this problem. How can we get this discussion started? What umbrella organizations should we build to facilitate this discussion? Something has to happen here. Compare the Roadmap documents to ISA-99, or the DHS operator training. We're barely speaking the same language. If we can't learn to build a common language and inclusive, industry-specific practices, we're going to continue spinning our wheels. Is anyone from another utility interested in working with me on this? I'm tired of seeing the efforts of so many talented people go to waste.

Fair disclosure: I participate in the Water Sector Coordinating Council Cyber Security Working Group, ISA-99, and the DNP3 Technical Committee, and I'm employed by a large water and wastewater utility.

Jake Brodsky


Comments

  • Hi Jake. You certainly have some good points on areas where we need to improve with "all our homelands", to paraphrase Perry Pederson (DHS U5/07).

    The top down approach is the most effective way for effecting cultural change in Business Enterprises.

    This is a very important message for all of us to remember with our efforts towards improving awareness and understanding and uptake of our goals for security improvement.

    The goals and aspirations of the PCSF are to co-ordinate activities for improving control system security, however I suspect you are thinking more along the lines of the approach we are taking here in AUS and the PCSF mandate is not all encompassing enough, yet....

    I am certain that with the right sort of encouragement and direction we can establish an entity that will provide the sort of structure you are looking for.

    What you are speaking of is really what we mean here in AUS whenever you hear one of us speak of Resilience. There are going to be some discussions later this year where I hope some info can be drawn from to describe the concepts in more depth than I am willing to post to a blog at present. I can say that we do not operate here in silos and that our cross-sector co-operation and collaboration is in fact quite sound and healthy.

    Bringing together a raft of stakeholders towards a common goal is very challenging and I think the working model we have here is still being ironed out. CPNI in the UK probably has some good processes to follow, btw, however not much is in the public arena.

    I will see what info is in the public realm and I will send this to you along with the other info that I have already promised.

    You are correct in that we need to keep momentum going on all aspects of the security landscape so closing the gaps whatever they are is very important.

    I spend a lot of energy trying to bring together people collaboratively as I do agree that we can do things a lot better and more efficiently than what we are at present. Encouraging people to come together and produce outcomes towards a common goal is challenging, but it is surprising how much of a real difference one voice and mind in this landscape can make.

    I reviewed my short and long term goals recently with the efforts I have been putting in, as I have been feeling like I have been losing traction, and I surprised myself as to what we have all achieved so far in the last few years.

    Remember with any good project it is usually 90 percent planning, 2 percent work and 8 percent frustration for 500 percent return on investment.

    This really is a global problem and that is the scope and size of the type of entity we need to put in place to really make some quantum level differences Jake. I think the good news is that there have been some very big steps towards this.
