I had discussions with a utility IT cyber security representative at the June 1 San Francisco Electronic Crimes Task Force Quarterly Conference. The nub of the discord was the dissonance between my worrying about “keeping lights on” at all costs and his focus on maintaining security at all costs. As an example, I told him there will be systems that will not be able to be secured because they are either too old, not designed for security, or both - but CANNOT be replaced. He was surprised and appalled. This is not just a problem with electric utilities. When I gave a presentation at the November 2006 “Beyond SCADA” Conference and discussed the issues between IT and Operations, representatives from Ford and Toyota said they had the same issues. The same concerns have been expressed by representatives from the chemical and petrochemical industries. It is Security’s job to design security to allow Operations to do their job (e.g., keep lights on), not to tell Operations what they need to change to meet Security’s (and NERC’s) needs.
People need to recognize the goal – keep the lights on!