The June 2009 DHS Primer Control Systems Cyber Security Framework and Technical Metrics report is meant to address a critical missing link – metrics for control system cyber security. It is a good start. My comments come from the perspective of how this Primer addresses actual control system cyber incidents.
That statement leads to my first concern – most control system cyber events are incidents, not attacks. Many of these actual incidents have caused significant damage and yet did not violate IT security policies. However, the Primer is focused on malicious IT-type attacks.
Another concern is security knowledge. According to the Primer, “The security group represents those people in an organization who are directly responsible for the cyber security of the control systems.” Many security groups are staffed by IT-trained security experts. There are very few people who actually understand control system cyber, and most are not in the security group. There have already been numerous cases where the security organization CAUSED the control system cyber incident. Not only does the metric not account for this, but having the wrong people doing the wrong things should lead to a NEGATIVE metric.
The final concern is that the Primer simply does not recognize the unique issues with legacy control systems. Many systems cannot take complex passwords. Many systems simply cannot be patched expeditiously, if at all.
I am simply not seeing much coming out of the DHS Control Systems Cyber Security Program to address legacy control system issues or the actual incidents that have occurred.