When I was managing the EPRI Fossil Plant Instrumentation and Control (I&C) Systems Program, success stories were very valuable because they demonstrated improved reliability. Not only that, you could measure the improvement. However, cyber security success stories may not be meaningful or even successful. I continually read about cyber security conferences or Smart Grid conferences having end-users talk about their success stories. What exactly is a success story? With the lack of control system cyber security forensics, how do you know you really haven’t had a cyber incident? How do you know you are even doing the appropriate monitoring? How do you know your program hasn’t actually increased the vulnerability of the legacy control systems? There have been a number of significant control system cyber incidents that didn’t violate IT security policies.

I believe the value in discussing end-user cyber security programs is when intentional or unintentional exploits are discussed. That indicates your monitoring is in the right direction. One of the reasons there was so much interest at the Applied Control Solutions Control System Cyber Security Conference two weeks ago was the discussions of actual control system incidents. It is also why, if I have an end-user talk about their control system cyber security program, it isn’t called a success story – because too often they are not.
Joe Weiss