I wanted to provide a capsule summary of several presentations I feel have compelling interest for what they mean to the big picture of ICS cyber security beyond Stuxnet. The Air Force provided a presentation on unintentional control system cyber incidents. The examples demonstrated that unintentional cyber incidents can have significant system impacts costing hundreds of millions of dollars. If unintentional incidents can be of such consequence to the Air Force, shouldn't they be to the ICS community as well, especially considering that most ICS cyber incidents are unintentional? The other presentations with implications beyond cyber security concerned the unintended consequences of the NERC CIPs. As many people have recognized, the NERC CIPs have created a culture of compliance, not security. This has resulted in the law of unintended consequences. Because of fear of compliance findings and lack of auditor knowledge, the grid is certainly less reliable and possibly less secure. There is certainly less innovation. Moreover, there have been utilities that have been penalized for trying to do more than the minimum because it didn't match the auditors' checklists.
I gave a short presentation at the NIST meeting on September 24th. It was evident there was a lack of understanding by the IT community of the unique issues with ICSs. Attempting to force fit IT policies onto ICSs can have unintended consequences.