How can we secure our systems when we can hardly communicate

Jan. 27, 2009
I had some recent experiences with very knowledgeable people that demonstrate how little we really communicate with each other. Yesterday I had a discussion with an IT security vendor who has a security solution for endpoint devices. This was a very knowledgeable security expert who is working with control system vendors and control system end users as well as the IT community. He felt their endpoint security solution was directly relevant to industrial control systems. When I asked him what he considered an endpoint, it was cell phones, PDAs, laptops, etc. When I told him what we consider endpoints for industrial control systems, he was stunned.

I just had a weekly telecom dealing with Smart Grid, specifically Industry-to-Grid (I2G). Industry is defined as power generation and large industrials. When ISA POWID was mentioned, one of the more loquacious participants asked first what was POWID and secondly what was ISA. For a specialized group such as this, how can that be?

Lack of communication is not a recent issue. Several months ago, I attended an Infragard meeting in San Francisco on securing the critical infrastructure. At the beginning of the meeting, the FBI mentioned IEDs. To the people attending the meeting representing physical security, the term IED meant Improvised Explosive Devices. When I mentioned that we have a different meaning for IEDs - Intelligent Electronic Devices (e.g., smart relays, etc.) - the vast majority of the attendees had never heard that term.

The terminology used by the different organizations often has different meanings, even if the words are the same. Several years ago at the first International Standards Coordination Meeting on Cyber Security of Control Systems, I put together a list of common terms such as "control systems", "SCADA", and "security" and showed how different the definitions were for different organizations - ISA, NIST, IEEE, NERC, etc.
There are many more examples I could provide to prove the point that we need to make sure we are truly communicating. It seems like I will have to do this again for the October Control Systems Cyber Security Conference. Joe Weiss