We’re in danger of missing the point of the INL demonstration…

This post is in response to the scores of responses to the CNN report and AP articles on the INL cyber destruction of the generator. It is very clear that from the blogs such as the SCADA ListServer, we have not just skeptics, but complete lack of knowledge on the subject from people who should know better. Many of you know me or of me. I have been working on instrumentation and control systems for more than 30 years. I am not a fear monger (if the facts bother you- tough!) and technically know my subject matter (I have several patents on instrumentation and control systems and am an ISA Fellow). From my perspective, it appears that the majority of people I have come in contact with directly or indirectly view cyber as a "weapon of mass nuisance" and not a real threat. Too many people equate cyber to e-mail threats. Cyber can, and has, caused significant damage to real plant and substation equipment including, in at least one case, deaths. I know of more than 90 cases and the list grows as I talk to people at the different venues or sites I visit. As for the point of this note, it is my belief that many of you are missing the point of the INL demonstration. I cannot speak for either INL or DHS, but I can present my thoughts. Systems such as the generator destroyed in the demonstration at INL have many electronic connections. Many are missing the interlocks many of you are sure must be, or at least should be, present. In other cases, the protection is not adequate to protect against these modern threats. The testing that was performed exploited a particularly serious vulnerability that may not be obvious to you. The destruction of one generator, one substation, one anything is not of broad concern except to the organization that owns that affected facility. The exploits being addressed are broad in nature and can cause MULTIPLE concurrent failures that can lead to cascading effects. Before anyone decides to continue diatribes about your pickups or Aunts, or the difference between a diesel generator and a steam turbine, do your homework. You people are too smart to have these inane discussions. There are far too few experts on control system cyber security. Many of you can certainly help if you would take the time to learn the subject.