It seems that while ignoring hard problems such as Stuxnet, DHS NCSD is focusing on the easy things such as reinventing roadmaps. Why hasn’t DHS provided more information on Stuxnet since September yet Controls Magazine has provided the latest information on the PLC issues in this month’s issue? What is DHS doing about the details provided by Ralph Langner? What is DHS doing about other field controller issues? These are hard problems.
Process control systems, networks, and protocols in fossil plants, chemical plants, water systems, and even nuclear plants are similar enough that NIST prepared NIST SP800-82 for all industries and ISA created S99 for all industries. Why did DHS consider it necessary to create multiple roadmaps for different industries that all use similar control systems with similar communication protocols? These are easy problems. Why is DHS ready to develop a nuclear plant R&D roadmap? As a nuclear engineer I am very curious.
DHS S&T funded the Conficker Working Group. The report makes no mention of the NERC Conficker Advisory or control systems. This is important because control systems have been affected by Conficker and Stuxnet can utilize downadup (Conficker) as a delivery vehicle. There is little DHS S&T work on controllers (non-Windows parts of the system) and no mention of industrial controllers (other then the general term “control systems”) in the recent DHS S&T Cyber Security BAA announcement.
Are we making progress?
Prior to psting this blog I e-mailed both DHS NCSD and DHS S&T for comment and neither has responded