What’s Missing?

I have been involved in hosting a conference on control system cybersecurity for seven years. It has always been held with a focus on and with the perspective of a control systems engineer. Several events have “opened my eyes” to what seems to be missing:

* Design issues. The control system infrastructure is analog. Industry is upgrading to digital, but the infrastructure, as well as the design philosophy, remains analog. This has led to significantly more complex systems with significantly more complex interactions with unexpected consequences.
* Complex interactions. Several control system unintentional cyber events were caused or exacerbated by the complex interactions of systems that were not addressed in the design process or by adequate procedures.
* Standards and regulations. Standards and regulations are being proposed for control system cybersecurity focusing on the more traditional cyber threats from the Internet, IP and Windows. As mentioned, the recommendations to meet those threats have contributed to some of the control system cyber incidents.

These issues led to an epiphany about control system cybersecurity conferences and other cybersecurity and reliability conferences in general. The focus of cybersecurity has been on traditional cybersecurity including passwords, firewalls and compliance, not system reliability. This is where most cybersecurity conferences focus. Conferences on reliability of industrial facilities (power plants, substations, chemical plants, refineries, water systems, pipelines, etc.) focus on control system challenges, not cyber vulnerabilities. There is a need to address the very complex intersection of control system vulnerabilities and reliability of industrial control systems and processes. This is what the August Applied Control Solutions Conference is about – what and how can we recognize the complex interactions between the older analog infrastructure as it collides with the new digital world.

As an aside, Marshall Abrams from MITRE and I will be giving a presentation tomorrow at RSA, which is billed as the world’s largest cybersecurity conference. It will be fascinating to experience the interaction of this major IT security conference on a presentation of control system cyber events. I am then scheduled to give a presentation at a major control system users’ group meeting. It will be interesting to see the reactions between these two vastly different audiences. I will provide my reactions later this week.