RSA 2013 and ICS cyber security

The control systems used in critical infrastructures are different than those in traditional business IT systems. As mentioned in a previous blog, I am currently working with one of the only electric utilities in the US (they are not ready to identify themselves publicly) that is actually trying to secure their control systems and not just meet compliance requirements like almost all other US utilities. This utility has also been willing to be a test bed for evaluating control system cyber security technologies. Consequently, I spent this past week at the RSA Security Conference (more than 25,000 attended) trying to find who might have technologies that can help secure ICSs that would willing to have their systems evaluated. Unfortunately, very few of the vendors had technologies that were specifically designed to secure systems beyond Windows (or other commercial off-the-shelf) operating systems or Internet Protocol (IP) networks. In fact, some solution suppliers even acknowledged their solutions could add significant latency but they didn't think it would matter. However, latency is very important in a control system environment. There were very few sessions devoted to critical infrastructures and all presentations had the term SCADA in the title. The level of understanding of control system cyber security, besides the use of the terms "SCADA" and critical infrastructures", was not very high.Joe Weiss