Control systems are still not mainstream - the "mostly" Comprehensive National Security Initiative

The following note was placed on the Link-in PCSF members' site by Perry Pederson:
"What's up with the Comprehensive National Cybersecurity Initiative (CNCI)?
I attended a vendors day conference at DHS-NCSD yesterday where they briefed industry on the role that NCSD will have in the execution of the CNCI. I am obviously a little biased toward the ICS world, but I was struck (more like dumbstruck) with the glaring absence of control systems in the plan.


That's right, the COMPREHENSIVE National Cybersecurity plan does not include industrial control systems, SCADA, or anything of the sort. Sorry, that does not sound very comprehensive to me unless the Administration has redefined the term. But, then again, they have redefined more than a few terms over that last few years, so I guess I should not be surprised."

We obviously still have a lot of work to do.
Joe Weiss
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


  • <p>Most IT managers or executives have no clue what this is about. I would bet that many, if not most security people know; but the managers do not. </p> <p>There isn't much we as a group can do to impress upon the former groups of people that they're not as comprehensive as they think they are. This is outside their experience because until recently this was almost entirely an engineering endeavor. </p> <p>Until we offer courses on this in universities, I expect most managers will continue to have significant blind spots on this subject. --Of course, now that series such as 24 and movies such as Die Hard are written up about these sorts of systems, maybe we'll at least see some awareness, if not wisdom. </p>


  • <p> That's goddamn right, ab3a, but it's nobody's fault but ours. If we keep telling people that we're talking about (a special niche of) IT security, then we shouldn't be surprised to end under the jurisdiction of the CIO, who happens to have other priorities. </p> <p> Let's assume we wouldn't have referred to our issues as IT. Let's assume, for example, we would have told everyone that there is a new area of problems in safety. My theory is that we would have achieved much more by now. The CIO simply is not the best position to take care of our problems, and no CIO should be blamed for that. </p> <p> We may only be a pimple, but we can choose where we blossom. Let's be a pimple where we're sure to get attention. </p>


RSS feed for comments on this page | RSS feed for all comments