The other point that came up was how to get senior management to understand the difference between IT and control systems. In the meeting, DOD used the terms IT and OT (Operational Technology). Senior management wants to apply IT rules of engagement and IT security approaches to any computer system without understanding the negative impacts IT approaches could have on control systems (OT). This same question arose when I met with Senate staffers later that afternoon. This confusion should not be new to any of us working in control system cyber security. The question is what it takes to get senior management in any organization to understand the unique needs of OT.
I was asked by DOD how to get an organization to address OT security. I believe the only chance for OT security to succeed is if senior management drives it. As best as I can tell, there are only a few utilities whose senior management has mandated (actions, not words) that they be secure, not just compliant. What a sorry commentary.
I also had an opportunity to meet with several DOD/government cyber policy organizations. The need to understand ICS-unique issues was also prevalent. Even though I did not attend, there were Senate Armed Services hearings on cyber security on Tuesday, March 27th. Judging from the questions from many of the senators, they also did not understand the unique issues with ICSs.
There certainly is an opportunity for education, hopefully before it is too late.