Last week I attended the CSI "SCADA/Control Systems Summit" and met with Congressional and government representatives to present an "unvarnished" status of industrial control system security as well as to request continuing support. This is the first in a series of blogs on last week's trip.
CSI SCADA/Control Systems Summit: “Security professionals often polarize around the topic of control systems (SCADA) - the information systems that control physical systems like power grids and water treatment facilities. Are these systems truly the weakest link in the security of our critical infrastructure; or is that sort of talk merely fear monitoring? How do we best secure these systems? Hear from people on both sides about the ‘real’ security threats facing control systems and decide for yourself.” The panel consisted of an end-user (large electric utility – IT Security), an IT security vendor, a control system security vendor, and myself. In preparation, we drew up a list of questions that included:
1. What do you see as the top 2-3 threats/risks to control systems? 3-5 years from now?
2. What do you see as the single biggest challenge to adequately securing control systems today? 3-5 years from now?
3. Give some examples of successful approaches to getting the right organizations collaborating. Top down v. grass roots? Also, when it was particularly challenging, what made the difference for success?
4. What would you say are the most important areas of improvement for education for control system folks? How about IT folks? What would be your recommendation for the best way/source for these educational needs?
5. What would be your top priorities when approaching a control system with little to no security controls presently in place? e.g. perimeter defenses, monitoring, access control, patch management, etc.
There were 19 attendees. The session was disappointing as there were no attendees with control system experience – it was an IT audience. Consequently, the discussions focused on securing Windows. However, it was so focused on traditional IT experience that when an example was provided of actual control system field implementations (older, unpatchable Windows systems that cannot be replaced), it caught the attendees off-guard and they didn’t know what to do. They were not expecting that unintentional threats are critical to securing control systems. When discussions focused on what security control system vendors are providing (HMI and field devices), the attendees did not understand why security was not a primary design criterion or the difficulties in implementing secure control systems. There was also little knowledge of the control systems standards organizations and why IT standards were not directly applicable. I realize this may not be a typical representation of IT personnel working on control system cyber security; however, one wonders how much progress actually has been achieved in understanding the unique issues of control system cyber security.