I received the following message from Ron Southworth on my blog on nuclear power.

"… The "Need to Know" ethos is very much part of the culture and understandingly so. Still, as you say there are common frames of reference within control systems regardless of the process that can benefit from sharing between verticals and lessons that can and should be learned from reading any incident synopsis. Out in the open, there are always going to be issues with discussions in sensitive to national and global or even local interest process control systems and this too may be part of the reluctance or resistance you are coming across? I struggle with every word I type to try and discuss what we can without creating a disadvantage for "my team" and to convey my meaning, perhaps this is also behind the issue of uptake as well…"

Ron raises a fundamental quandary I have been struggling with for almost 7 years - how do we inform the "good guys" without leaving a roadmap for the "bad guys". (This is the real reason I haven't yet written a book despite many industry people and publishers asking.) The overall issue of control system cyber security is the macroscopic issue of disclosure as opposed to vulnerability disclosures which to me are the microscopic issues. Until the good guys understand the real problems, and it is VERY evident they don't (see all of the fluff on
, etc.), how can we solve this problem? This is not a nuclear industry problem, it is not an electric industry problem, it is not a water industry problem - it is a universal industrial control systems problem.