Joe Weiss-- Security Unfettered

I want to thank Walt Boyes for allowing me to join this continuing blog. The blogs are my thoughts and sometimes may be provocative. You may or may not agree, but the facts and logic are indisputable. I heartily encourage you to comment.



I want to use this initial blog to set the stage for further discussion. This first blog will focus on the history of control system cyber security as I've lived it. From my perspective as a control system engineer, control system cyber security started about 7 years ago with the AGA Gas SCADA encryption efforts and the advent of the EPRI Enterprise Infrastructure security (EIS) Program. We started the EIS Program in early 2000 without (at least on my part) recognizing a problem really existed. My initial thoughts were that the appropriate technologies such as firewalls and intrusion detection systems already existed and it was our job to simply educate the electric industry about the technologies. Consequently, I helped author the EPRI Primer on control system cyber security for the electric power industry and several associated guidelines. It wasn't until I started attending cyber security meetings (IT since control system cyber security didn't exist) and asking questions that it became evident (at least to me) that the IT security industry did not understand control systems and that their technologies could potential hurt legacy control systems. Since the EIS Program started in 2000 (obviously prior to 9/11), we could not get many utilities interested in spending money to join the program if its focus was national security. Consequently, those utilities and oil companies that joined did so because they thought they had a business case to do so. Interestingly enough, I held two workshops on control system cyber security in Houston at ISA 2001 -the date was 9/10. Attendees included a car component manufacture, a dog food manufacture, electric utilities, oil companies, and others. The term "critical infrastructure" wasn't relevant. The mantra was "these are my most critical business assets". The next day, the world turned upside down, the term "critical infrastructure" became a buzz word, and common sense became uncommon. Until 9/10, prudency ruled where control system engineers looked long and hard at control system reliability and availability and only trusted real control system experts with their systems. From 9/11 on, security became a mystifying term that no longer had a tie to reliability and availability, "instant" experts (IT security types that just learned how to spell SCADA) were required, and the IT security world went into a feeding frenzy.

I hope to hear from you.