House hearings and ICS Cyber Security - lack of ICS expertise

Patrick Coyle wrote a blog post on his Chemical Facility Security Blog about the House Homeland Security Committee hearing, highlighting testimony of people opposed to the President’s cyber security plan. The attendees were:
- Ms. Melissa Hathaway, President, Hathaway Global Strategies LLC;
- Dr. Greg Shannon, Chief Scientist for Computer Emergency Readiness Team, Software Engineering Institute, Carnegie Mellon University;
- Mr. Leigh Williams, BITS President, The Financial Services Roundtable; and 
- Mr. Larry Clinton, President, Internet Security Alliance

Patrick stated the following: "While the written testimonies of Ms Hathaway (politically influential) and Dr. Shannon (technically influential) are significant, the one that most people in the chemical and control systems communities should pay attention to is that of the Internet Security Alliance President, Mr. Clinton. I recommend that anyone with management responsibility for control system security should read Clinton’s testimony."

Consequently, I called Larry Clinton. There were two major eye-openers in the conversation:
- There are no industrial control system vendors or end users who are members of the Internet Security Alliance.
- Larry did not understand the unique issues associated with ICSs.

This is another case of why it is important for the ICS community to speak for itself. 

Joe Weiss

Comments

  • Actually Joe, the post you quoted was one that I posted on Digital Bond's SCADA Security blog (http://www.digitalbond.com/2011/06/27/opposition-to-the-president%E2%80%99s-cybersecurity-plan/). While Larry Clinton may not know squat about ICS security (and to be fair his comments were not about ICS security) he made some very interesting points about what types of ‘entities’ would be covered by the President’s proposed legislation. I certainly don’t agree with all of his points as readers of my blog are aware, but the points that he does make need to be discussed before they get incorporated in legislative language that ends up making ICS security even more difficult.

    I certainly agree that the ICS community needs to speak for itself in this matter (and I hope my blog posts on this topic are helping to generate that discussion) but we do need to know what others are saying about cyber security issues that will certainly directly affect what we do or have done to us.

    Patrick Coyle
    Chemical Facility Security News

  • Excellent read Joe.

    Mr Clinton's testimony and advice to lawmakers was insightful. I particularly appreciate mention of pitfalls including: over-reliance on public disclosure, failure of government controlled standards in global markets, and ineffectiveness (or worse) of an annual review by those with questionable skills and motives.

    He also cited lack of bounds in proposed regulatory authority. By itself this seems a formula for strong political opposition and stalemate. I certainly missed these nuances in the glossy brochure.

    -bryan
