What does it take to get engineering back into security?
As an engineer, I have been brought up to work with number, physics, and logic. As a control systems engineer, I have brought up to focus on reliability and safety - we want the process to work and not to hurt people. I had a large group of like-minded colleagues that I could call on to discuss these issues in a reasonable technical manner. In general, governments were passive bystanders except for the Nuclear Regulatory Commission (NRC) when it came to licensing of plant safety. What's more information sharing was a given and occurred at multiple venues. Alas, cyber security shows up. Now look what has changed:
- IT has effectively taken over control systems under the guise of security
- Programs like the NERC CIPs require people to use "the Emperor wears no clothes" philosophy and look the other way
- IT organizations feel if it doesn't affect their systems, it is of no interest
- IT security technologies are developed for IT and rebranded as SCADA without having an understanding of what it can do to control systems
- Government organizations are developing "consensus" standards without having any requirement that these standards are actually meaningful.
- Most distressing of all is the chasing of the buck where previous collegial discussions and honest disagreements are now branded as heresy with all of the accompanying back-biting
The utility test bed is meant to try to change the paradigm of security for security sake and make it security for reliability and safety sake. We have the only utility in the country willing to evaluate these cyber security technologies and talk about them. Yet, we are still on the outside looking in.
Before it is too late, how can we go back to being engineers?