Why domain expertise isn’t important in cybersecurity—not.

I had a meeting with a vendor who is not a control system vendor but is working on control system security. Last year they participated in a webinar when the question was asked what control system cyber events have occurred. The answer was they didn't know nor care because they were coming up with their own solution. How can you solve a problem when you don't even know what the problem is you are trying to solve???  This is representative of many of the recent "solutions" I am seeing at conferences and webinars especially now that the NERC CIPS have been ratified. It would be interesting to see how many of these solutions actually cause more problems than they solve. The new SCADA Security listserver asked the question today which IT vendors are offering "SCADA security" solutions. The same issue is there - you have big and small IT suppliers with "SCADA security" hardware, software, and best practices solutions. As Mark Fabro stated, "Nobody ever got fired for using these big companies, but these large companies may be very incapable to really deliver accurate services." Joe Weiss

What are your comments?

Join the discussion today. Login Here.

Comments

  • This is a the prime example of defining a business need through a technological solution (e.g. 'square peg into a round hole' concept) that so many 'businesses' have fallen into. Uh....come again? How can you define a business need from the solution? Shouldn't it be the other way around? The answer is 'yes, it should'. Solutions should be fulfilling a need, rather than artificially creating the need to satisfy the solution. The horse is behind the cart! WRONG!

    One of the reasons why we're in trouble is because these organizations are established and thought of as 'experts' in their areas of specialty. Fact is, most are not, and are simply interested in selling their products, services or subscriptions. After all, they're in the business to sell you something...even if you don't really need it. ;)

    Whatever happened to asking what the *customer* wanted? You know -- THE *customer* -- the one who *buys* your products or *pays* your bills???

    Think about it.

    Reply

  • Hi Joe,

    I would best describe your observation as "the consumer goods and services model".

    We "The Industry" have to decide if this is an acceptable model. I think it is not an acceptable model even for consumer products. When I have experienced this type of behaviour I have tried resolving it thru the working relationship or with going elsewhere.

    With what you have posted I don't see a strong tie in with the Nerc CIP standards but I know these are understandably near and dear to you. You have so much energy and effort in making them as close to best practice as is possable.

    Are you are expressing your concern that the product or technical solution won't meet the new requirements or will have availability issues, yet somehow be assessed acredited and certified at least initially?

    Based on the scenario, There should not only be concern due to the knowledge gap that we all agree exists.

    I can forsee perhaps far more and higher level fundamental challanges that fully developing this scenario could open up as opportunities for discussion Joe.

    Reply

  • Joe asked me to post this reply to Ron's comment above:

    This post was not meant to tie with the NERC CIPs. It was simply stating that many IT cross-over vendors simply do not understand the control system domain. However, since you mentioned the NERC CIPs, they actually do fall in this same posting since there was no power plant or substation domain expertise on the NERC drafting team. They assumed the standards that applied to a modern control center SCADA would also apply to a substation or power plant - they were wrong.

    Joe

    Reply

  • Thanks Joe (& Walt) for clarifying the point you were trying to make. It is difficult at times to bring together the "right" resources when scoping/working projects of any kind. I do understand and share your frustration.

    The need or void or knowledge gap is still there Joe. From what I think you have said on this topic alone this extends from Regulator through to manufacturer to end user and possibly broader?

    As you know root cause analasys is a tool we use in control systems to uncover the casuation of problems. I find it seems to stop being used the moment it is no longer a pure technical environment or is not conducted more often.

    I tend to analyse a situation and look for the originating source of the problem otherwise it will only manifest itself in other forms and at another place in time. The idea is to learn from our mistakes?

    To me it is abundantly clear from your example that the knowledge gap is the common problem. Peraps you have a different set of conclusions that you may like to share and I am more than willing to see / hear what these are.

    We can all bemoan these challanges and I am as guilty (or more so) as the next person in venting frustration, so please don't think of me as being critical of you at all in this discussion.

    I have been thinking on this issue for a while, as I know you have and I have set a goal for this year with my activities with community. I am going to spend some time on trying to reduce this gap problem and I will be tackling it on a number of fronts.

    One way I am persuing at the moment taken from an idea you put forward elsewhere, is by developing, seeking to develop a gap training course (or more extensive), the material & resources, trying to see where we can all collaborate and alleviate this frustration. We do have a global problem with the void of technical skills and we (everyone) need to work on reducing this.

    Take some heart or solace that my early discussions with people so far, I have found so many people are willing and are keen to provide input into such a venture, providing we can establish the right environment.

    The work you and others do with conference events etc, it all goes towards making a difference. Lets tackle the problem - not each other and fix the gap and just maybe the symptoms will go away!

    Reply

RSS feed for comments on this page | RSS feed for all comments