Thoughts on DHS Metrics Primer

Aug. 13, 2009

The June 2009 DHS Primer Control Systems Cyber Security Framework and Technical Metrics report is meant to address a critical missing link – metrics for control system cyber security. It is a good start. My comments come from the perspective of how this Primer addresses actual control system cyber incidents. That leads to my first concern – most control system cyber events are incidents, not attacks. Many of these actual incidents have caused significant damage and yet did not violate IT security policies. However, the Primer is focused on malicious IT-type attacks.

Another concern is security knowledge. According to the Primer, “The security group represents those people in an organization who are directly responsible for the cyber security of the control systems.” Many security groups are staffed by IT-trained security experts. There are very few people who actually understand control system cyber security, and most are not in the security group. There have already been numerous cases where the security organization CAUSED the control system cyber incident. Not only does the metric not account for this, but having the wrong people doing the wrong things should lead to a NEGATIVE metric.

The final concern is that the Primer simply does not recognize the unique issues with legacy control systems. Many systems cannot take complex passwords. Many systems simply cannot be patched expeditiously, if at all.

I am simply not seeing much coming out of the DHS Control Systems Cyber Security Program to address legacy control system issues or the actual incidents that have occurred.

Joe Weiss
