IT and Operations Differences
I received an e-mail this morning from a Conference attendee wanting to know if I would give Continuing Professional Education (CPE) credits for the CISSP certification. I didn’t have an answer so I called the organization responsible for CISSP accreditation – the International Information Systems Security Certification Consortium (ISC2).
I explained the reason for the call and explained a little about control system cyber security and what makes it different than traditional IT. He was not aware of the unique issues dealing with control systems. Suffice to say they are willing to provide CPE credits. As an aside, so is ISACA, the international organization for IT governance.
I then had a chance to talk to some IT security professionals who will be attending the Conference.
One fascinating issue is the root cause of the Hatch Nuclear Plant cyber incident (the automatic shutdown of a large nuclear power plant). An accepted tenet of patching systems is that it should be done first on off-line test systems to discover any possible system impacts. What occurred at Hatch puts a new spin on this issue as the root cause was the connections between systems - something that cannot be discovered in off-line testing.
Other issues to be discussed include how do you secure, or effectively isolate, unpatchable systems and how do you address memory leakage in control systems that are designed to be shutdown for significant periods of time.
The underlying purpose of these discussions is to get the IT and Operational organizations to better understand each others accepted design and operational practices which are often in conflict.
Joe Weiss