I gave a presentation on May 10th at the High Tech Crime Investigation Association Meeting (HTCIA) in Menlo Park, CA on Industrial Control System (ICS) Cyber Security. As with most presentations, the unique ICS issues were new to most of the attendees but I wanted to share two tell-tale reactions from that day. First, during my presentations I often mention that ICS are bought and sold as being secure, when in reality they come out of the box vulnerable but capable of being secured. I illustrate that point with the example of a plant that purchased a Distributed Control System (DCS) believing it came vendor-loaded with Antivirus, only to realize later that it only came capable of supporting Antivirus software but had none installed. Somehow a virus entered this DCS and went undetected for an unknown period of time. At that point came the first interesting reaction from the audience: a senior utility security representative stated one of their plants had implemented a DCS capable of, but not actually endowed with, Antivirus. They also had a virus on the DCS. It is not clear which plant was affected or if it was a nuclear facility, but the security and potentially safety implications are considerable. The second interesting reaction of the day was the ongoing denial about the reality of the vulnerabilities exposed by the 2007 Aurora test at the INL. The same senior utility security representative stated he had “heard that the INL test was rigged" to give the desired results - it was NOT. This is one reason why we will have an entire session devoted to Aurora at the 2012 ICS Cyber Security Conference in Norfolk, VA (http://www.icscybersecurityconference.com/).On May 14th, Stanford’s Center for International Security and Cooperation (CISAC) had a seminar by Professor David Alderson of the Naval Postgraduate School on critical infrastructure protection. The attendees were some of the top names in the field. It was a fascinating presentation using Operations Research methodology and game theory to determine how to protect critical infrastructure. Dr. Alderson mentioned that in order to secure infrastructure it is critical to understand how systems operate and their interactions. This has been a continuing of mine with having people without control system domain expertise making decisions, or designing products for, ICS cyber security. Dr. Alderson’s presentation did not address some of the issues unique to ICS and I have been invited to speak about ICS cyber security at one of the next CISAC sessions.
Joe Weiss
Joe Weiss
