DOE Risk Management Process for the Electric Sector - Doesn't DOE understand the difference between IT and Control Systems?

DOE has issued for public comment- Electricity SubSector Cybersecurity Risk Management Process dated March 2012.

September 2011 DOE issued the first draft of the Electricity SubSector Cybersecurity Risk Management Process document for comments. The document essentially equated IT and ICS.  The only mention of differences between IT and ICS in the new version is the following:

"It is acknowledged that IT and ICS have different cybersecurity requirements. An ICS is primarily concerned with availability. The ICS communication is time critical with specific determination requirements for jitter and latency. Conversely, delays within an IT system database or Web page access are not unexpected by IT users. While the use of encryption or packet authentication is more common with an IT system to protect confidentiality and integrity, the same use in an ICS may reduce the level of ICS performance. The activities at Tier 3 will assist in determining the controls and risk responses that apply to the cybersecurity requirements of the IT and ICS."

The entire Tier 3 section uses the term "IT and ICS" as if the two domains were the same. In Section 5.1.2.2 "Define or Refine Cybersecurity Plans" the reference is to National Rural Electric Cooperative Association and NIST SP 800-18.  Neither of these documents are specific to ICS and there is no reference to ISA99 which provides cybersecurity plan development for ICSs. Appendix A References do not even include ISA99.

Doesn't DOE understand the difference between IT and Control Systems?

Joe Weiss