I participated in the Air Force Information Technology and Cyberpower Conference (AFITC) in Montgomery, AL August 29-31, 2016. There were more than 1000 attendees from the military, contractors, vendors, and others. The keynotes included presentations from 4 Air Force generals. General William Bender, the CIO of the Air Force, explicitly mentioned ICSs as did other speakers. Additionally, there was an ICS keynote session with participation from the Air Force, Navy, and Army – I was very impressed. I gave presentations to the Cyber Statecraft Advisory Group and the Whole of Nation Advisory Group.
The Conference was primarily IT-focused. However, as mentioned there were pockets of ICS. As with most conferences, the IT attendees had little understanding (and much misunderstanding) of ICSs. The attendance for the ICS keynote panel was very small. However, that didn’t diminish the quality of the keynote session and that it was even held. The following observations should sound familiar to any industry:
- There is a recognition ICS cyber is a problem, but senior management is not quite sure what it is and hasn’t explicitly provided necessary resources and attention.
- There is funding, but not enough.
- There is a lack of appropriate skill sets. IT doesn’t understand control systems and the control system people don’t understand security. There is still not sufficient integration between IT and ICS.
- There were concerns about factors DOD can’t fully control such as availability of power. This is being addressed with use of back-up power capability. However, even back-up power from renewable resources use the same insecure ICSs.
- Wireless ICS technologies appeared to be a security issue to some of the speakers. However, wireless ICS technologies are extensively used and security is a major topic being addressed.
- There was a question of defining the term “Internet of Things- IOT. Again, the responses were similar to other conferences in that IOT is not really new but more of marketing term.
The Cyber Statecraft Advisory Group session was about legal considerations and policy. Specifically, the session was to start the discussions about how American policy makers should use cyberspace as a tool for statecraft. The intent is to identify gaps and challenges in our nation’s approach to using cyberspace and provide policy recommendations to improve our ability to protect the nation. I was asked to participate so there would be a voice from the ICS community. It is my belief based on previous meeting such as the February National Academy meeting (see March 4, 2016 blog) that policy makers do not understand the unique issues associated with ICS cyber security and this has affected cyber security policies to date. I believe there is now a better appreciation by the attendees for the unique issues associated with ICSs that need to be considered.
The Whole of Nation/Unity of Effort Advisory Group session was because the Air Force recognizes the conversation about cyber security is bigger than the Air Force and even the US government and must include the private sector. On August 30th, private industry leaders discussed their perspectives on the way ahead for national cyber security of US critical infrastructure. CenturyLink, AT&T, IBM, USAA, and FireEye. However, there was no participation (or even attendance) from the commercial ICS community including the ICS vendors and local utilities. As with the Cyber Statecraft Advisory Group session I was asked to provide the ICS perspective which I gave on August 31st. There was minimal private industry attendance. However, we had a lively discussion with the Air Force “users” who were very concerned about ICS cyber security. Getting the private ICS community involved is critical for this (and other ICS cyber security) efforts to succeed.
Following the Whole of Nation session, I had an interesting off-line discussion with several of the Air Force attendees. They had mentioned that my presentation was similar to my September 4, 2012 lecture at Stanford (https://www.youtube.com/watch?v=S3Yyv53dZ5A). Unfortunately, the message is not very much has changed in protecting ICSs since that lecture. As an aside, Air University is using my book, Protecting Industrial Control Systems from Electronic Threats, as required reading.