Educating the narod on cybersecurity…control systems ARE different

The need for education for the "vast unwashed" is still extreme. Last Thursday and Friday, DOE sponsored the GridWise Interop Conference in Albuquerque. Generally, there are few common participants between security and interoperability discussions. It is not clear if the final rule on cyber security will impact the interoperability considerations being developed for GridWise. This past week, the San Jose Mercury-News published a three part series on cyber security. The author has been writing on cyber security for years. Until I called him this past Monday, he didn't know there were technical differences between IT and control systems that affected cyber security. On Tuesday, I was on a panel at the National Association of Regulatory Commissioners with the President of NERC, a utility executive, and a representative from INL. NARUC is predominantly lawyers. They had little understanding of the technical issues of control system cyber security, but appear to be getting more interested. It should be noted that NERC is still publicly maintaining that the NIST standards were not available when the NERC CIPs were being prepared. Thursday and Friday, I attended the St. Mary's University Center for Terrorism Law Conference in Washington. This was predominantly lawyers with few exceptions. The lawyers were all involved in some form of terrorism and critical information protection. The lack of understanding about control systems was also apparent. There was a representative from a large water utility. On an off-line discussion, he is trying to determine how to set up a networking organization vis-à-vis how Operations and IT should interface.  I had the opportunity to talk to Congressman Michael McCaul who is co-chair of the Blue Ribbon Cyber Security Panel. He was not aware of the impact of the lack of control system expertise on the panel and will take that under advisement.