I met with DOD and have two new definitions to add to the list of confusing terms. The first is "data center". DOD is in the process of consolidating their data centers. Consequently, I asked what is a data center. Apparently any location with a server and a database can be considered a data center. Several weeks ago, I visited a utility as part of a kick-off meeting on an Aurora hardware demonstration project (the first). As part of a tour we were shown the substation building that housed the IEDs as well as a MicroSCADA (a server). Does this mean that a substation building would be considered a "data center"? The second definition that leads to confusion is Information Assurance- IA. In the IT world, IA makes sense. In the industrial control system world, the concern is SYSTEM Assurance". How can we be sure the system (be it a power plant, substation, pipeline, etc) is secure? That is, how do we prevent another San Bruno natural gas pipeline rupture, 2008 Florida outage, Hatch nuclear plant shutdown, etc? None of these would have been prevented by a traditional IA program.
The other point that came up was how do you get senior management to understand the difference between IT and control systems? In the meeting DOD used the terms IT and OT (Operational Technology). Senior management wants to apply IT rules of engagement and IT security approaches to any computer system without understanding the negative impacts IT approaches could have on control systems (OT). This same question arose when I met with Senate staffers later that afternoon. This confusion should not be new to any of us working in control system cyber security. The question is what does it take to get senior management in any organization to understand the unique needs of OT.
I was asked by DOD how do you get an organization to address OT security. I believe the only chance for OT security to succeed is if senior management drives it. As best as I can tell, there are only a few utilities whose senior management has mandated (actions not words) they be secure, not just compliant. What a sorry commentary.
I also had an opportunity to meet with several DOD/government cyber policy organizations. The need to understand ICS-unique issues was also prevalent. Even though I did not attend, there were Senate Armed Services hearings on cyber security Tuesday March 27th. From the questions from many of the senators, they also did not understand the unique issues with ICSs.
There certainly is an opportunity for education, hopefully before it is too late.
Joe Weiss
