The broken record - why do people who don't understand ICSs still continue to speak for ICS cyber security
Would anyone with a heart condition go to an orthopedist to check on their heart? An internist and orthopedist are both doctors, but they certainly have different specializations. The fact that someone understands IT security does not make them an ICS cyber security expert. Two different items are driving this rant:
- The SGIP effort to look at IEC62443 (this is ISA99). IEC62443 is an ICS cyber security standard and yet many of the people making comments are not familiar with the unique issues of ICSs. If they are, their comments certainly appear incongruous.
- The Pennwell Cybersecurity Roundtable: Are We Safe? Participants were the CEO of PEPCO, the energy security lead for IBM's Security Systems Division, an information security expert who served as a computer scientist for the National Security Agency (NSA), and the chief product and marketing officer for GlobalSign. None of these people are ICS experts, much less ICS cyber security experts. Their recommendations were general in nature and none were specific to the needs of securing the field controllers.
There was a reason the October ICS Cyber Security Conference held a panel session on ICS cyber security functional requirements with ICS experts (a first). That is because there is more to securing an ICS than just securing a network or having a digital certificate (Stuxnet proved both of those points). Yet none of the Roundtable participants, or their representatives, demonstrated a willingness to learn about ICS security by attending.