Lack of adequate cyber security in DCS and SCADA procurement specifications

My new book will have an appendix that should be of interest to everyone. I have taken several recent DCS procurement specifications and created an archetype specification. I identified where cyber security could impact the detailed specifications. (Since the NERC CIPs are not adequate to secure ICSs, I did not address them in reviewing the specifications.) This is important for a number of reasons:
- The DCS vendors that responded to the actual specifications did not include security. The end-users subsequently experienced cyber incidents with varying degrees of impact. Additionally, the DCS logging (forensics) features were unable to identify or record these cyber incidents.
- The NERC and DHS identified vulnerabilities of Aurora or Boreas were not addressed in the specifications used in the appendix.
- The DHS procurement language did not address many of the items identified in this appendix.
- DHS’s CS2SAT methodology did not address a number of cyber issues identified in this appendix.

Additionally, I reviewed a number of SCADA procurement specifications for electric and water utilities. They were no more comprehensive with respect to cyber security than the DCS specifications used in this appendix. As with the power plant DCS vendors, the SCADA vendors did not provide security for these specific projects. At least one of the utilities suffered a significant SCADA cyber incident.

I will let the readers make their own conclusions.

Joe Weiss