On Monday October 8th, I gave a seminar at Stanford's Center for International Security and Cooperation (CISAC). The following is a note from CISAC:
"... The Industrial Control Systems vulnerability was likely little known by most of our audience..."
On Wednesday October 10th, I gave a presentation at the Air Force Research Institute's (AFRI) Cyber Power Conference. The following is a note from AFRI:
"... I think presenting at the AFRI Cyber Power conference got the right message to some of the right ears. Several people commented that you provided valuable context for the serious cyber armed-attacks that we would likely see in a cyber war, rather than the criminal activity that is currently in the mass media. This was value added for both the Air Force, and the national security community at large."
On Thursday October 11th, I had an opportunity to attend the Atlantic Council and World Institute for Nuclear Security's (WINS) conference on Mitigating the Cyber Threat to Innovate the Nuclear Power Market. I had two observations:
- There were very few attendees that understood ICSs which makes a conversation on nuclear plant cyber security problematic at best.
- There was discussion of what should be a nuclear plant Design Basis Threat (DBT) for cyber. This included what would be included as part of a DBT and what would be considered outside the scope of DBT. One suggested approach was a nation-state attack would be beyond the DBT. In my opinion, a specific cyber DBT does not make sense as cyber threats are constantly changing. It may be difficult to identify the difference between a nation-state vs a non-nation state attack. My belief is not to have a cyber incident (malicious or unintentional) exceed the design basis for the nuclear plant independent of the source of the cyber incident - nation-state, non-nation-state, unintentional, etc.
On Friday October 12th, I was part of a proposal review panel of the Transportation Research Board on ICS cyber security for mass transit.
The common thread in the meetings was the general lack of ICS cyber security understanding. Consider this in light of Defense Secretary Panetta's warning about Iranian cyber attacks against the critical infrastructures.