Observations from the 2011 Israel National Information Security Authority (NISA) SCADA Security Forum

April 8, 2011

More than 250 people from numerous countries and industries attended the 2011 Israel National Information Security Authority (NISA) SCADA Security Forum in Tel Aviv, Israel.  The Forum consisted of a one-day closed government session and a two-day open conference. 
I do not fully understand NISA’s charter but it is a regulator, supports the commercial information infrastructure including control systems, and also does classified government work. I found the sessions to be very informative (both plus and minus) and was very impressed with NISA.  
A general observation from this and other international conferences is that I no longer feel the US is the unquestioned leader in industrial control system (ICS) cyber security. I believe that too much focus on compliance, not security, is to blame.
The unique issues of ICS cyber security were new to most of the attendees, including government officials from several countries. This is similar to what occurred at the US NITRD AssumptionBuster Workshop in Arlington, VA March 22nd (see previous blog). 
As an aside, because of the response from the attendees to that ad-hoc presentation, I was asked by NSA to formally give the presentation again in June. These recent events aptly demonstrate appropriate ICS awareness is a long way away.
NISA has a process called NISASecure which is similar to ISASecure (ISA take note) for certifying secure ICS products. NISA has certified three ICS vendors’ products to date and is willing to certify others. 
Many of the vendor presentations were by IT companies assuming their technologies applied to ICS. Many had not even talked to ICS users to determine if their products were needed or applicable. That sounds familiar to my experience in almost all other Smart Grid and critical infrastructure cyber security conferences. 
I found two vendor presentations of most interest. One was Securing an RTU, which was jointly sponsored by the US Technical Support Working Group (TSWG) and NISA. The other project that caught my interest was on trustworthy SCADA, sponsored by NISA. From what I could tell, these two projects are more comprehensive than any DHS or DOE security projects in the US.
A representative from the Netherlands gave a presentation and call for action on Smart Grid cyber security. This presentation and what I observed at the December 2010 Netherlands Smart Grid Cyber Security Conference demonstrated to me that the Netherlands, not the US, is the leader in Smart Grid cyber security.
After giving my presentation on case histories, I was able to get more than 35 new ICS case histories from various industries and countries. None of these are in the public domain, and all are non-North American.
I had a chance to informally discuss with several of the foreign delegations what I believe is a way forward that will complement the work going on at INL and accelerate the efforts on ICS cyber security. 
The next NISA SCADA Security Conference will be in 2013 in a location to be determined.
Joe Weiss
