Infrastructure, IEEE, and Senate Meetings

March 23, 2009
Monday March 16 and Tuesday March 17 I attended the Infrastructure Modernization Initiative Workshop at the Naval Postgraduate School in Monterey. The purpose of the Workshop was to discuss security implications of the Stimulus bill on infrastructure improvements. My takeaway was that the primary focus of security has been physical with minimal understanding of cyber issues.

"
Monday March 16 and Tuesday March 17 I attended the Infrastructure Modernization Initiative Workshop at the Naval Postgraduate School in Monterey. The purpose of the Workshop was to discuss security implications of the Stimulus bill on infrastructure improvements. My takeaway was that the primary focus of security has been physical with minimal understanding of cyber issues. Wednesday March 18, I attended the IEEE Power Systems Conference and Exhibition (PSCE) in Seattle. Walking the halls and talking to vendors about security resulted in similar results to Distributech – they are familiar with the NERC CIPs and associated compliance but don’t really understand actual cyber security issues inherent in their system design. Subsequently, Jeff Dagle from DOE’s Pacific Northwest National Lab and myself gave a 4-hour short course on cyber security of industrial control systems. There were approximately 25 attendees and we had very interactive discussions. When we effectively ruled the subject of NERC CIP compliance off-limits, it was fascinating to see how many attendees acknowledged the lack of technical bases of the CIPs and their internal frustrations with trying to actually secure their systems. Thursday March 19 was a very busy day. First thing in the morning I met with FAA, airlines, and aeronautical vendors. It was fascinating to see “the lights go on” as to the common issues with control system cyber security and issues of security and safety. I then testified to the Senate Commerce Committee under the Chairmanship of Senator Rockefeller. The other witnesses were Jim Lewis from the Center for Strategic and Internal Studies (CSIS), Ed Amoroso Chief Security Office from AT&T, and Eugene Spafford from Purdue. My takeaways were that the Committee is truly concerned about cyber security but didn’t understand control system issues or their implications. I was greatly disappointed by Jim Lewis’ lack of willingness to accept control system issues and his putdown of the NIST standards. The Committee is truly interested and will be following up this hearing with others. I believe we now have a Senate champion for cyber security of the critical infrastructures in Senator Rockefeller. Incidentally, the Senate Energy Committee had a representative who expressed great interest. I think the most important part of the hearing was to have the industrial control systems community with a seat at the table – at last. Walt has the link for the hearing already on the unfettered website (www.controlglobal.com/unfettered).  I will make my written testimony available to those interested. Walt Boyes at Putman will also have it available as a White Paper. It appears as if the genie is now out of the bottle with all of the press on this subject since Thursday. There are some good discussions, but also a lot of regurgitated garbage like referring to the National Journal article about the Chinese having caused the Florida outage. I am also seeing a lot of the IT vs Control Systems bickering that doesn’t help anyone. Joe Weiss