Over on Unfettered, Joe Weiss has posted an interesting idea. He wants to create a live, working process control network as a test bed for cybersecurity. What if...
The establishment of a neutral Demonstration Process Control Network (DPCN) deploying process control systems that simulate the real world would provide valuable information and insight on how to more securely deploy such systems for the critical systems.
The DPCN would simulate systems supporting: Hydro Electric Generation, Water Delivery, Waste Water Handling, Grid Synchronization, Fossil Fuel Electric Generation, and potentially other process control functions involved in flood control and environmental policy activities.
The DPCN would provide:
- Physical representation of technologies and support systems for a variety of critical infrastructures
- Education on network design, deployment, and maintenance
- Validation and training on best practices
- Incident handling practices and procedures
- R&D test bed for commercially available off-the-shelf (COTS) hardware and software
- Vendor neutral representations of what does and doesn't work
The DPCN would be independent from any specific vendor or industry, but represent the Process Control world in general.
Funding and support would be from the various entities that use, make, and require process control systems.
Now, do I think this is a good idea? Frankly, I think it is a freakin' wonderful idea. And believe it or not, I don't always agree with Joe. (wicked grin)
Now, where would this logically belong?
Well, I'm feeling fatherly this morning, or at least avuncular. I think this logically would belong with the ISCI at ISA. Who else can provide the vendor neutrality that is needed to produce believable results?
And having this test bed puts an end to the squabbling over IT vs process security. Why? Because we can TEST ideas and measure the results, and find out for sure what works and what doesn't-- instead of arguing for weeks pointlessly over who's right.