Observations from the 2017 RSA Security Conference

Feb. 20, 2017

The 2017 RSA Security Conference had more discussions of ICS cyber security which is important as RSA is the mainstream of cyber security. On the other hand, some of the discussions were misleading with some speakers unaware of control system issues – an all too common problem.

I attended the RSA Security Conference February 13-16, 2017 actually starting with an American Bar Association meeting on IOT Security on Sunday February 12th.

My general observations were:

-        RSA is, first and foremost, an IT security conference and that was its focus. There were vendors that provided ICS cyber security solutions and several sessions that addressed ICS cyber security including an RSA keynote session. There was even an ICS stage at the Marriott that had a series of 30 minutes discussions of ICS cyber security.

-        IOT was a major item of discussion. The IOT discussions were more about “fitbits and refrigerators” than “power plants and substations”.

-        There were some interesting sessions that discussed ICS cyber security and ICS issues such as the power grid. Many of the discussions were very good but there were some that were actually more harmful than helpful.

-        What was missing at RSA: No major ICS vendors exhibited (e.g., GE, Siemens, ABB, etc). Cyber security was primarily about protecting IP networks not serial “networks”, sensors, controllers, and actuators.  Additionally, there were minimal discussions about the need to develop the requirements for standards-based, secure-by design industrial control systems. This need was identified by Exxon-Mobil resulting in a new initiative that now has some of the largest industrial companies in the world participating including Dow Chemical, BASF, Georgia-Pacific, PraxAir, Chevron, Aramco, and Merck.

On the plus side, there are more discussions of ICS cyber security at RSA which is important as RSA is the mainstream of cyber security. On the other hand, some of the discussions were misleading with some speakers unaware of control system issues – an all too common problem.

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.