A European view of the lack of understanding of ICS cyber security

June 29th, 2016 the AntiPhishing Working Group (AWPG) and FTI Consulting held a 1-day cyber security conference in Brussels on the European Commission’s (EC’s) Networking and Information Security (NIS) Initiative. The primary focus of the EC’s cyber security initiatives including for Smart Grid have been on privacy, not reliability or safety. The Conference was titled New Cyber Security Legislation: Operational Compliance Challenges for Companies. There were three panel sessions, two of which were IT-oriented and ours which was focused on ICS. As such, there was almost no attendance from the control system community. Our panel was: The Network and Information Security (NIS) Directive: Operationalizing compliance for operators of essential service and industrials. The session was moderated by Ellen Smith – former Chief Operations Officer and Executive Vice President of US National Grid. The panel included the head of Unit Trust and Security and the head of Energy Policy Coordination at the European Commission (EC), Franky Thrasher from Engie-Electrobel, and myself. Prior to going to National Grid, Ellen held senior executive positions at GE and is very technically cognizant. While at National Grid, Ellen was the senior executive responsible for NERC CIP compliance. Like almost all other senior utility executives, Ellen relied on her security organization and assumed NERC compliance meant security. She now understands how little security actually exists and regrets never challenging her security organization. It’s a real shame she is a one-of-kind. 

There were approximately 100 attendees. Franky and myself were the only two attendees representing ICSs. As with most other conferences, Franky and my detailed discussions and experience with ICS cyber security were new to almost everyone including the EC representatives. The EC representatives discussed the content of the NIS Directive. The Directive was the “first reading” (version) and will be revised with new input. The Directive did not mention SCADA or ICS and was explicitly focused on networks not systems. The Directive identified specific industries considered to be critical. A beverage-maker with facilities in multiple countries asked a question about consistency in regulations from country-to-country. The beverage-maker was told food and beverage were not considered critical (nor was chemicals, manufacturing, mining, pharmaceuticals, etc.), only water. The Directive mentioned the International Maritime Organization (IMO). IMO doesn’t address control systems and no other standards organization was identified including those working on ICSs. There was a panel session devoted to the EU-US privacy Shield. As stated, it was only about privacy, reliability and safety were not included. Additionally, information flows between manufacturing facilities/power plants, etc were not included. In general, there was minimal understating of ICS-unique issues.

Our panel session generated many questions and hopefully led to a better appreciation of the need to address ICSs. The EC representatives stated they were interested in new input. I felt the the Conference was a success as we were able to get the conference participants to appreciate the need to address the unique issues associated with ICS cyber security.

Joe Weiss