What does it take for people to understand CONTROL SYSTEM cyber security?

I received the following message from Ron Southworth on my blog on nuclear power:

"… The "Need to Know" ethos is very much part of the culture, and understandably so. Still, as you say, there are common frames of reference within control systems, regardless of the process, that can benefit from sharing between verticals, and lessons that can and should be learned from reading any incident synopsis. Out in the open, there are always going to be issues with discussions of process control systems that are sensitive to national, global or even local interests, and this too may be part of the reluctance or resistance you are coming across? I struggle with every word I type to try and discuss what we can without creating a disadvantage for "my team" and to convey my meaning; perhaps this is also behind the issue of uptake as well …"

Ron raises a fundamental quandary I have been struggling with for almost 7 years: how do we inform the "good guys" without leaving a roadmap for the "bad guys"? (This is the real reason I haven't yet written a book, despite many industry people and publishers asking.) The overall issue of control system cyber security is the macroscopic issue of disclosure, as opposed to vulnerability disclosures, which to me are the microscopic issues. Until the good guys understand the real problems, and it is VERY evident they don't (see all of the fluff on Aurora, etc.), how can we solve this problem? This is not a nuclear industry problem, it is not an electric industry problem, it is not a water industry problem; it is a universal industrial control systems problem.

Joe Weiss

What are your comments?

Comments

  • A key point: We don't need permanent confidentiality. We need to maintain confidentiality among front line ICS operators only until enough of them understand what they have, how to protect it, and how to upgrade it.

    Once we reach that critical mass, we can then openly disclose vulnerabilities just like the rest of the IT world does.

    However, there is one detail that shouldn't be overlooked: The software itself has to get more reliable and better tested so that there isn't the volume of patches that the rest of IT has. If the volume of patches is high, there is no way most operators will be able to keep up with them.
