Having spent the week last week at PCSF, where several competing certification programs were discussed, and having spent the past year heavily involved with the creation of one of them, it occurred to me that once again we've found a major difference between the enterprise IT worldview and the automation IT worldview.
The purpose of security in enterprise IT is to save the server. Fringe devices can be dropped off the network. In automation IT, the purpose of security is to save the local control loops and the edge devices. Servers can be rebooted. History data can be lost, but lose local control and production stops.
Automation IT is looking for 24/7/365 uptime. As somebody recently pointed out, 2 hours to replace a busted computer in enterprise IT terms is spanking good service. At General Motors, 2 hours to replace a PLC on the production line is a $2 million loss.
The Process Control Security Forum is overrun with IT security folks trying to get on the next big bandwagon. If I hear another "expert" misuse the term "SCADA" in conjunction with the word security, I think I will hurl.