RSA Conference observations

April 24, 2009
Monday, I had a chance to wander the halls in a similar manner as I do at ISA, Distributech, IEEE, etc. In this case, it was all IT-focused. Whereas at Distributech, NERC CIP was prevalent in many of the vendor displays, here I found only one vendor that mentioned it. I'm sure this will come as a great surprise, but there was minimal technical understanding of control systems, especially once you got away from the Windows interface, but lots of awareness of the Wall Street Journal article.

Tuesday I had a chance to meet several very important House and Senate staffers. They are really taking this seriously. There are also questions as to what should be included in the proposed legislation for the President's Cyber Security Advisor. It currently does not address critical infrastructure and obviously needs to. Additionally, I had an opportunity to have a discussion with NIST staff on Smart Grid security. The basic question is why NIST SP800-53 isn't being designated as the security approach for the Smart Grid roadmap. There is an enormous amount of industry resources that I believe is being wasted reinventing the security wheel.

Wednesday was our session and also Melissa Hathaway's keynote presentation. It was not clear to me from her presentation exactly what this will mean for critical infrastructure and how it will tie into the proposed Rockefeller-Snowe legislation. It was also not clear what organization(s) will be responsible for cyber security. However, all signs point to the White House. As for our session, we had approximately 40 people. Not too bad when you consider our session wasn't even mentioned in the show guide or update. Almost all of the attendees were from the IT side. One very interesting comment was from an IT vulnerability consultant who did an assessment of a bank and found an electric utility workstation on the bank's network. It had no hardening, but the real question was what it was doing there.

I then had a chance to spend some time with a NERC CIP consultant who was going to be on one of the panels. Since I didn't know him, I was curious as to his background and knowledge on this subject. What surprised me, and I know it shouldn't, is that he was not cognizant of any equipment beyond the DCS or SCADA workstations. In fact, his answer was that it was up to the utilities to tell him what to do at that level.

Thursday I attended a session that had a NERC CIP focus. An oil/gas representative asked if it applied to them, which opened the discussion of where the NERC CIPs are going and the potential inclusion of NIST SP800-53. Thursday afternoon was an informal get-together on the future of the NERC CIPs. The conclusion was that there was an enormous waste of time and resources on compliance that was diverting resources from more important work. There is also palpable fear that the CIP audits will be very gruesome, that is, focusing on compliance issues (were the right "i's dotted and t's crossed") to the exclusion of actual security issues.

Joe Weiss