Home

What does it take for a utility to be a leader in Industrial Control System (ICS) cybersecurity?

Aug. 17, 2012

With Smart Grid and NERC CIP, many utilities have been public about their efforts to secure their systems. Unfortunately, those efforts haven't addressed Aurora, Stuxnet, or securing legacy ICSs for reliability. To the best of my knowledge, there has been only one utility willing to step forward and address hardware mitigation for Aurora and work with their ICS vendors to secure their legacy ICSs (more on the technical details in a later blog).

Joe Weiss

I believe the characteristics necessary to be a leader in securing critical ICS systems are:
- Visionary senior management that feels securing their ICSs is critical to meeting their mission (focus on meeting their mission not compliance)
- Big enough to have typical systems and credibility in the industry and yet not so big that senior management cannot be directly part of the process (~$250-1B/year in revenue)
- Technical in-house expertise on their ICS systems (~200-500 employees)
- Not under NERC CIPs (the NERC CIP audit process stifles innovation)
- Want to help industry by making information available
- Have an Operational Technology (OT) function that can work with Operations
- Operations willing to work with OT

The utility will discuss their experiences at the October ICS Conference (www.icscybersecurityconference.com).

How many utilities meet these criteria?

Joe Weiss

About the Author

Joe Weiss | Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]