A Linked-in site had a discussion on the following premise: SCADA security professionals are hard to find. I am including my comments to this discussion.
Would anyone in the IT community be offended if you went to MacWorld and only talked about PC vulnerabilities? A similar situation exists in the industrial control system (ICS) community. SCADA is only one form of an ICS. Consequently, the premise that SCADA security professionals are hard to find is misleading and demeaning on several fronts. That is not to say the intent of the statement isn’t true - it absolutely is. However, the prevailing concept of SCADA security ignores the knowledge and training that go into understanding the reliable and safe operation of ICSs. This is a concern because inappropriate use of IT security technologies, policies, and testing have already caused many ICS impacts. Would any IT security expert feel offended if after reading several articles, you claim to be an IT security expert?
Even the term cyber security is misleading for critical infrastructure because the concern is actually functional security. That is, can a nuclear plant main coolant pump be impacted by electronic communications such as occurred at the Browns Ferry Nuclear Power Plant; can control system electronic communications precipitate pipeline ruptures such as the gasoline pipeline rupture that occurred at the Olympic Pipeline Company in Bellingham, WA; can electronic communication issues cause a train to crash such as occurred with DC Metro; etc. Each of these were ICS “cyber” incidents that did NOT violate any IT security policies nor could they have been prevented by IT security methods.
Arguably there are less than several hundred people worldwide that truly understand ICS cyber security. This requires a cross-functional knowledge of control systems, IT, and more importantly what it means to the operation of the process. Because it is so misunderstood outside the ICS community, I have spent a significant amount of time identifying the differences between IT and control systems in my book, in the short courses I give on ICS cyber security, my university lectures, and testimony to Congress on this subject.
Since there are no certifications for a SCADA security professional, there is no barrier to anyone claiming to be a SCADA security professional. Additionally, there currently are no interdisciplinary university programs on ICS cyber security. Last year at Worldcomp 2010, I was on a panel on cyber security education. The session chair was the Chair of the Computer Science Department at a major university. His first words to me were that he did not know anything about control systems. How can Computer Science Departments teach ICS security if they don’t understand it?
I do not believe we need to create individuals that are experts in ICS and IT. I believe we need to have experts in ICS that have an appreciation for IT and know when to call for help as well as IT experts who know when to listen to the ICS domain experts. This is the reason I wrote my book – Protecting Industrial Control Systems from Electronic Threats. Protecting ICSs is rocket science and requires ICS domain expertise as well as IT expertise.
Shouldn’t these issues cause rethinking about what constitutes SCADA (ICS) cyber security professionals?