What are DHS’s industrial control system cyber security priorities?

It seems that while ignoring hard problems such as Stuxnet, DHS NCSD is focusing on the easy things such as reinventing roadmaps. Why hasn’t DHS provided more information on Stuxnet since September, yet Controls Magazine has provided the latest information on the PLC issues in this month’s issue? What is DHS doing about the details provided by Ralph Langner? What is DHS doing about other field controller issues? These are hard problems.
Process control systems, networks, and protocols in fossil plants, chemical plants, water systems, and even nuclear plants are similar enough that NIST prepared NIST SP800-82 for all industries and ISA created S99 for all industries. Why did DHS consider it necessary to create multiple roadmaps for different industries that all use similar control systems with similar communication protocols? These are easy problems. Why is DHS ready to develop a nuclear plant R&D roadmap?  As a nuclear engineer I am very curious.
DHS S&T funded the Conficker Working Group. The report makes no mention of the NERC Conficker Advisory or control systems. This is important because control systems have been affected by Conficker and Stuxnet can utilize downadup (Conficker) as a delivery vehicle. There is little DHS S&T work on controllers (non-Windows parts of the system) and no mention of industrial controllers (other than the general term “control systems”) in the recent DHS S&T Cyber Security BAA announcement.
Are we making progress?
Joe Weiss

Prior to posting this blog I e-mailed both DHS NCSD and DHS S&T for comment and neither has responded.

  • Maturity in cyber initiatives takes time to develop. Just my 2 cents but sector roadmaps seem like a reasonable approach to help stakeholders move forward in a collaborative way.


  • I agree, a roadmap document is a good idea. The problem is that the current "roadmaps" are not living up to their billing.

    The documents I've seen are basically vague wish lists and time tables built on castles in the sky. They do not specify technologies or procedures to develop. They do not promote standards. They do not identify areas for future research.

    The documents promulgated by Energetix as sector oriented roadmaps are nearly useless. They are feel-good exercises.

    However, if someone were to write a thoughtful Roadmap, it would be a good thing.

    I'm still waiting.

    Jake Brodsky