The fallacy of the LIGHTS program

April 30, 2012
According to LIGHTS (http://www.infosecisland.com/blogview/20649-Shining-LIGHTS-on-ICS-Cybersecurity.html), "Large asset owners have vastly complex operations and accordingly stringent requirements. The process of assessing their current security status and doing anything about it is similarly resource-intensive. Making a significant improvement in realized security at these organizations often occurs over the long term. Small facilities on the other hand are in most cases relatively simple operations. These facilities require much less resource to achieve much greater improvement in security. As well, unlike large organizations which require significantly customized solutions, solutions for smaller facilities can be highly portable and consistent. The LIGHTS program was created as a means of addressing security for this large number of small industrial operations."

The premise of LIGHTS assumes the following:

- "BIG" companies have very complex systems and can secure their systems

- "LITTLE" companies are not very complex and can't secure their systems

- Solutions for smaller facilities are highly portable and consistent

- Having a SIEM is the "silver bullet"

I have worked with BIG and SMALL asset owners and believe the assumptions are flawed.

- No BIG utilities have addressed the need to implement hardware mitigation for Aurora. The first utility to address hardware mitigation for Aurora is a LITTLE utility.

- It is a LITTLE utility that is the first to be a testbed to implement security for reliability reasons. The LITTLE utility has the SAME equipment as the BIG utilities, just fewer.

- From a control system cyber security perspective, there is nothing unique about being small. This is why ISA99 is applicable to both BIG and LITTLE across all industries.

- SIEM is only a part of the overall solution. Appropriate control system policies and procedures are the closest to a silver bullet solution.

- What is necessary for control system cyber security at BIG and LITTLE facilities are control system cyber security education (in general, missing at BIG and LITTLE) and senior management buy-in (in general, missing at BIG and LITTLE). Without appropriate education and senior management buy-in, any program is fatally flawed.

Ironically, it is the LITTLE utility that is raising the bar for the BIG utilities. The LITTLE utility will provide their lessons-learned at the 12th Control System Cyber Security Conference the week of October 22nd in Norfolk, VA.

Joe Weiss