This past week was ISA Expo in Houston. As this was the first time in many years I did not attend, I went to Dale Peterson’s blog for his thoughts. He mentioned there was very little Linux on the showroom floor. This is not surprising to me. Linux is making headway into the electric T&D world, which is not a focus of ISA.
I believe one long-term solution to control system cyber security starts with our colleges as they educate the students that will join the end-users, vendors, consultants, and regulators. This includes undergraduate and graduate courses. Because of Professor Ray Vaughn’s previous association with NSA, the Mississippi State computer security program is addressing relevant issues in control systems. Consequently, I was not at ISA but at Mississippi State to give two lectures. One lecture was to a computer science class (I was impressed with the knowledge and interest from many of the students) and the other was open to the University at large as part of Cyber Security Awareness Week. Several items of interest:
- There is still a hole in the universities for teaching control system cyber security. It requires an interdisciplinary approach and needs to address both policy and technology. Livermore National Laboratory has been charged with developing curricula. I have not seen the results.
- The university-wide lecture turned out to be a microcosm of the IT and Operations disconnect. Of the more than 100 attendees, only three acknowledged being from engineering: two from electrical and one from aerospace. The rest were from the IT community. My feeling is that if the lecture had been sponsored by the engineering community, the numbers would probably have been reversed.
- The Computer Science Department found a significant vulnerability in a control system vendor product (another reason I was impressed with the students). As in many other cases, the vendor has been reluctant to address the vulnerability. Other discussions from industry have demonstrated similar cyber weaknesses in control systems with similar vendor reticence to address the vulnerabilities. It reinforces the need for an appropriate organization for disclosure – a CERT for Control Systems.

There was an October 16th report of a study (http://govtsecurity.com/news/ceo-infrastructure-security-1016/) from the National Infrastructure Advisory Council (NIAC). It stated that the government has made great strides working with private industry to secure the nation's critical infrastructures. Another statement followed saying that top executives in the private sector need to step up and do more. I believe there have been strides made, but I question “great strides”. There are still too many fundamental issues with the cyber security of critical infrastructures such as electric power and water (see multiple previous blogs and congressional testimony). I wholeheartedly agree that CEOs need to be more involved.