1. Home

Meetings with DOD and Congressional Staffers - March 26-29, 2012

March 31, 2012
I met with DOD and have two new definitions to add to the list of confusing terms.  The first is "data center".  DOD is in the process of consolidating their data centers. Consequently, I asked what is a data center.  Apparently any location with a server and a database can be considered a data center.
I met with DOD and have two new definitions to add to the list of confusing terms.  The first is "data center".  DOD is in the process of consolidating their data centers. Consequently, I asked what is a data center.  Apparently any location with a server and a database can be considered a data center. Several weeks ago, I visited a utility as part of a kick-off meeting on an Aurora hardware demonstration project (the first). As part of a tour we were shown the substation building that housed the IEDs as well as a MicroSCADA (a server). Does this mean that a substation building would be considered a "data center"? The second definition that leads to confusion is Information Assurance- IA.  In the IT world, IA makes sense. In the industrial control system world, the concern is SYSTEM Assurance". How can we be sure the system (be it a power plant, substation, pipeline, etc) is secure? That is, how do we prevent another San Bruno natural gas pipeline rupture, 2008 Florida outage, Hatch nuclear plant shutdown, etc? None of these would have been prevented by a traditional IA program.

The other point that came up was how do you get senior management to understand the difference between IT and control systems?  In the meeting DOD used the terms IT and OT (Operational Technology). Senior management wants to apply IT rules of engagement and IT security approaches to any computer system without understanding the negative impacts IT approaches could have on control systems (OT). This same question arose when I met with Senate staffers later that afternoon. This confusion should not be new to any of us working in control system cyber security. The question is what does it take to get senior management in any organization to understand the unique needs of OT.

I was asked by DOD how do you get an organization to address OT security.  I believe the only chance for OT security to succeed is if senior management drives it. As best as I can tell, there are only a few utilities whose senior management has mandated (actions not words) they be secure, not just compliant.  What a sorry commentary.

I also had an opportunity to meet with several DOD/government cyber policy organizations. The need to understand ICS-unique issues was also prevalent. Even though I did not attend, there were Senate Armed Services hearings on cyber security Tuesday March 27th. From the questions from many of the senators, they also did not understand the unique issues with ICSs.

There certainly is an opportunity for education, hopefully before it is too late.

Joe Weiss

Continue Reading

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.

Latest from Home

Source: Emerson
Source: Yokogawa

Most Read

Sponsored