It’s the end of June 2014 and ICS cyber security is still an enigma to many

June 30, 2014

The past two weeks continue to demonstrate the lack of understanding about the unique issues of ICS cyber security – why isn’t it just IT. This includes the lack of understanding from private industry, DOD, DOE, and academia.

  • Recently, I met with the Chief Operating Officer of a major water utility. His security staff had not provided information or awareness about what ICS cyber security really is and what it could do to his utility. The AWWA water industry guidance does not adequately address the more than 30 actual water/wastewater ICS cyber security issues that have already occurred.

  • June 21st I gave a presentation at the Suits and Spooks Conference in New York City. Attendees were primarily from the intelligence community. The information was new to most.
  • June 24th, I gave one of the opening presentations at the CyberEndeavour 2014 Conference at the Naval Postgraduate School in Monterey, CA. The attendees included some of the top minds in IT security for DOD and private industry. I think we are making progress as there were several control system people attending, including those on a Smart Grid panel. I thought it was interesting that the only utility that attended the conference in Monterey, CA was Hawaiian Electric – no attendance from PG&E, Southern California Edison, or SEMPRA. There was also no attendance from the California PUC. As has been the case, control systems issues were new to many. However, the light seemed to come on for many of the attendees, which is a very positive step. The cyber exercise that was conducted in parallel with the conference finally included “SCADA”, which is good, but the selected attack did not include the actual attack vector, which was the wireless attack against the control systems. We are starting to make progress.

  • For reasons only DOE can explain, DOE continues to downplay Aurora. The DOE representative also downplayed the results of Project Shine which has demonstrated the vast number of control systems and control system devices directly connected to the Internet.

  • There is an upcoming cyber security conference at George Mason University that is to include control systems. However, the participants are CIOs and others without a control system background. I spoke to one of the three University conference organizers. He had not heard of ISA99 and yet the discussions are to include cyber security of control systems across multiple industries. There seems to be little appreciation for what this lack of understanding means.

  • The Harvard Kennedy School Executive Education program has a new program on Cybersecurity: the Intersection of Policy and Technology, offered in collaboration with the Belfer Center Cyber Project. This five-day program will run from July 27-August 1. There are no ICS experts participating and the Harvard Program feels it is too late to fix this oversight.

  • As noted in my June 3, 2014 blog, the BitSight assessment of the cyber security of the electric industry did not even address control systems.

It is the end of June 2014 and the light is still not on, but at least it is finally dim.

Joe Weiss