Joe shares his thoughts on the qualifications of control system security vendors

The following is an ad from Digital Bond's website. It is the second time they have advertised for control system expertise AFTER obtaining a DHS or DOE contract. "Digital Bond is still hiring security researchers to help with Bandolier, Portaledge and Quickdraw. We have one need that is proving difficult to find: a controller wizard."Various aspects of the projects require us to have multiple PLC’s, RTU’s and IED’s from different vendors in our lab. We have Rockwell Automation, DirectLogic and SEL in the lab now and need to do more with these and add other vendor products to attack, get packet captures, review existing logs and generate logs where security logging deficiencies exist. So we need to add someone to the team who is skilled at quickly learning and deploying new controllers."If you have these skills and are interested in getting into the control system security area this would be an ideal opportunity for you. Talk to me at PCSF or send us an email." One of the most important issues in securing industrial control systems is understanding them. In the spirit of full disclosure, I did NOT provide a proposal to DHS so this isn’t sour grapes. I am concerned that neither DHS nor DOE ensures that appropriate expertise is available and that work being done is relevant. When I was an EPRI project Manager, it was my job to make sure a contractor was knowledgeable and already had available expertise. After discussions with Dale on Bandolier, it was evident there wasn’t a fundamental understanding of control systems and impacts of computers on system performance. As PCSF approaches with many of the vendors presenting their wares, I wonder how many other DHS and DOE vendors fall into this category? Joe Weiss