SCADA / Stuxnet

IT versus ICS

If You Really Want Folks Involved in ICS Security They Need a Safe Place to Learn

[In a May 20 post "ICS Cyber Security is still not understood by the IT community - and it is hurting critical infrastructure", our "Unfettered" blogger, cybersecurity expert Joe Weiss, argues that cybersecurity heavyweights such as Symantec still don't get industrial control system (ICS) cybersecurity.]

Weiss states: "With so much money and spotlight on critical infrastructure protection and no barrier to entry, is it a surprise there's so much participation from the IT security community that's relatively clueless about ICS issues? This lack of understanding is evident in the utility control system cybersecurity test bed. Most of the companies that responded to provide ICS cybersecurity solutions simply rebranded their IT solutions with the term 'SCADA' in front with minimal understanding of the environment. This lack of understanding is not painless. There have been too many ICSs shut down or disabled by well-intentioned IT types. As a plant manager recently stated, 'With well-intentioned people monkeying around in the automation system, who needs terrorists or disgruntled employees?'"

One blog reader, named "bryansowen," adds: "Indeed, this is a quite ironic position for Symantec given their researchers were knee-deep with Stuxnet.

"Not too long ago ICS were just too complex or expensive to have test beds. Many apprentice engineers and technicians had no choice but to 'practice' on production systems.

"The test bed concept is awesome. Integrating the test bed concept with real-world practices at a utility seems like a good path forward. Industry probably needs a few more test beds. ICS-ISAC is starting up the ICS Security Lab, but a few more real-world venues might be in order.

"If you really want folks involved in ICS security they need a safe place to learn."