ACS 2011 Conference Summary - September 21

The final agenda can be found at There are several unique hallmarks of the conference:

  • Discussions of actual control system cyber impacts
  • The significant amount of discussion makes keeping a schedule almost impossible
  • Many of the presenters are not recognizable as they are not the typical speakers – these are the control system cyber security experts.

Wednesday September 21

High Points:

  • A domestic utility stated their Board of Directors wants to be ready for any regulation and is therefore going beyond CIP.
  • An international utility mentioned that a nuclear plant in Europe had malware in the control system network. They also mentioned that a major combustion turbine vendor to date has not been willing to adequately secure the combustion turbine communication links.
  • Air Products, representing the chemical industry, provided an illuminating discussion including the fact that the chemical industry does security because it is a business imperative.
  • Gary McGraw mentioned that no ICS vendors to date were participating in the Building Security in Maturity Model (BSIMM) software security program. After Gary’s presentation, at least one ICS vendor approached Gary about joining.
  • Stewart Baker provided an illuminating set of statistics: in the US, only about 16% of the energy companies have been audited by the government while the number in China is over 75% and in Japan 100%
  • Rockwell provided an ad-hoc presentation on what they are doing to respond to Luigi Auriemma’s uncoordinated vulnerability disclosures
  • Jake Olcott provided a legislative update along with Congressional perspectives. From Jake’s perspective, Congress will pass legislation if the electric industry does not get more proactive about actually protecting assets.
  • Congressman James Langevin provided his perspectives and answered questions. He was emphatic the electric industry was not doing enough.

This summary of the conference was emailed to us by Joe Weiss.