What does it take for a utility to be a leader in Industrial Control System (ICS) cybersecurity?

With Smart Grid and NERC CIP, many utilities have been public about their efforts to secure their systems. Unfortunately, those efforts haven't addressed Aurora, Stuxnet, or securing legacy ICSs for reliability. To the best of my knowledge, there has been only one utility willing to step forward and address hardware mitigation for Aurora and work with their ICS vendors to secure their legacy ICSs (more on the technical details in a later blog).

I believe the characteristics necessary to be a leader in securing critical ICS systems are:
- Visionary senior management that feels securing their ICSs is critical to meeting their mission (focus on meeting their mission not compliance)
- Big enough to have typical systems and credibility in the industry and yet not so big that senior management cannot be directly part of the process (~$250-1B/year in revenue)
- Technical in-house expertise on their ICS systems (~200-500 employees)
- Not under NERC CIPs (the NERC CIP audit process stifles innovation)
- Want to help industry by making information available
- Have an Operational Technology (OT) function that can work with Operations
- Operations willing to work with OT

The utility will discuss their experiences at the October ICS Conference (www.icscybersecurityconference.com).

How many utilities meet these criteria?

Joe Weiss