ACS 2011 Conference Summary - September 22

Sept. 28, 2011

The final agenda can be found at www.realtimeacs.com There are several unique hallmarks of the conference:

  • Discussions of actual control system cyber impacts
  • The significant amount of discussion makes keeping a schedule almost impossible
  • Many of the presenters are not recognizable as they are not the typical speakers – these are the control system cyber security experts.

Thursday September 22

High Points:

The final agenda can be found at www.realtimeacs.com There are several unique hallmarks of the conference:

  • Discussions of actual control system cyber impacts
  • The significant amount of discussion makes keeping a schedule almost impossible
  • Many of the presenters are not recognizable as they are not the typical speakers – these are the control system cyber security experts.

Thursday September 22

High Points:

  • Robert Trainor from NTSB provided as summary of their findings on the San Bruno gas pipeline rupture. It was not a pretty picture detailing PG&E and the California Public Utilities Commission (CPUC) incompetence. Ironically there was no attendance by either.
  • A utility provided a presentation on their approach to securing their assets (real security) and their rationale for having a penetration test performed on one of their RTUs. Mocana described their test results from successfully penetration testing the VxWorks-based RTU.
  • An ex-Secret Service Agent described how law enforcement would address a control system hack. During the open discussion, the FBI confirmed ICSs in the US have been hacked and held for ransom. They also mentioned they currently do not have a vehicle for sharing information with industry.
  • Marty Edwards from DHS stated that if there is a design deficiency and cannot be patched, it is not considered a vulnerability.  Consequently, no disclosure is required.  Recall that Ralph Langner, Marcelo Branquinho, and Jake Brodsky demonstrated inherent ICS “vulnerabilities”.  However, according to Marty these “issues” are not vulnerabilities and need not be disclosed.