An Open Invitation to the IT Community - Learn the differences between ICS and IT and help secure critical infrastructures

The industrial infrastructures of electric power, water, oil/gas, chemicals, manufacturing and transportation all use very similar industrial control systems (ICSs) to monitor and control the physical processes. ICSs are computerized and depend on IT and ICS technologies. Many of these technologies are the same Information Technology (IT) standards and tools used on the Internet today. Much has been written and spoken about the continuing vulnerabilities in today’s IT. And there are many professionals knowledgeable in IT Security. 
The ICS communication technologies, though not necessarily the same as IT, have also been demonstrated to be cyber vulnerable. Therefore ICSs must be assessed for cyber security risks and have such vulnerabilities remediated through improved security tools and practices. Many of those tools are identical to those used by business IT professionals, but some are not. 
Generally, the operations community that operates the ICSs have had minimal dealings with IT for these systems and there is often little trust between the organizations. It is vital that these two sides build effective communication and collaboration in order to develop and implement appropriate and effective security technologies and practices. 
The best security measures to protect these systems are only as good as the individuals implementing and maintaining them.  Business IT professionals cannot effectively implement security measures without a comprehensive understanding of both these system and the human factors that underlie their operation. Plant Floor IT professionals cannot adopt IT security tools and practices without a comprehensive understanding of their applicability to the safety and reliability demands of ICS environments. Without appropriate trust and communication, this understanding will not sufficiently develop and deployed ICS security will not meet the increasing threats presented. Consequently, there is a need for IT and control system personnel to talk to each other and understand each others needs.
Over the years, I have had numerous discussions with IT security vendors with technologies that work in Finance, Health Care, DOD, etc. They feel that these are demanding applications, with 24/7 availability, and therefore the vendors feel their technologies must work in control system environments. 

Yet, most have never talked to control system end-users to find out if the IT technologies even address their needs.  This was evident when I attended the NISA SCADASecurity Conference in Israel in April. The first rule in control system cyber security is “do no harm.” In general, these IT technologies have never been tested in a control system environment and therefore cannot be assured they will cause no harm. In fact, there are quite a few documented cases where using conventional business IT security tools caused cyber incidents they intended to prevent.

The ACS Conference was meant to be a forum from the perspective of the control system community that the IT community can gain a better understanding of the technical needs of these critical systems.  It is also meant to be an opportunity for the two sides to meet each other and break the cultural barriers. 

There is resistance to this from both sides. We need the skills and manpower the business IT community can bring to bear on ICS security. They need training and understanding on how to use those tools, and others we have developed in the correct context. It is clearly time to stop this and share.

I just received this note from an IT vendor asking about the September ACS Conference. He said: “I’d like to attend this, but want to verify that interested folks from the IT industry are welcome – I know a good deal of sensitive information is discussed.  We are now producing a new set of cryptography capabilities (Suite B) that many of our Federal government customers intend to use for classified control systems, sensor networks, video surveillance, etc.  My interest in attending is primarily to listen and learn about what the issues are, before we go make fools of ourselves saying “Hey, we can solve all your SCADA security problems!”  I also just like hanging out with people who think Stuxnet was really, really fascinating.” 

I want to make an open invitation to the IT community to attend the ACS Conference to both learn about control systems and meet the “other side”. It will be good for all. And it is about time, don’t you think?

Joe Weiss