We have a problem. We have efforts at all levels to secure industrial
control systems, but there isn't much coordination. Some efforts are
falling by the wayside. The Roadmaps for energy and water are mostly
taking top-down approaches. There are approaches in the middle such as
the ISA-99, and going further toward the technical side, Secure
Authentication for DNP and the AGA-12 effort.
However, I know of nearly nothing taking place at the bottom. There are
training courses from DHS aimed at operators, but there is little
mandate to train them.
Looking at the example of Safety standards and the like, we had buy-in
from executive, engineering, and operations people.
We don't have that happening right now in security. We have Roadmaps
written for executives who are expected to wave their hands and make
security happen without knowing where it's supposed to come from or how
it's supposed to work.
We have half baked standards, still very much in development from
engineers and IT specialists. These standards don't know how to address
issues such as patch management because at the end of the day, we know
we can't set a standard without coordinating with operations.
And as far as I know, the efforts to train operators on this security
issue and how it helps them is feeble. They don't see the need yet.
Meanwhile, legislators are turning up the heat on organizations such as
TVA for not be properly secure. The managers are blindsided. They
don't know which way to turn and their IT departments are at a loss to
figure out how to set policies for reasonably safe AND secure control
system operation.
The problem is that these professions aren't talking to each other. The
Energy sector roadmap becomes a matter of useless handwaving if we don't
bring engineering and operations in to the picture. Engineering or
procurement standards won't help if managers don't know what it does or
if operations doesn't know what to do with it. And one thing is sure:
We can build economical and secure control systems, but if the operators
don't know how to use it or fail to see the advantages, they'll subvert
these features and all will be for nothing.
I had hoped the Roadmap documents would be broader than they turned out
to be. I had hoped that ISA-99 would have more than just engineers and
IT specialists in it. I had hoped that the ISAC organizations,
regulations, and legislation would push operations to train themselves
to ask for what they need. None of this is happening on a practical
scale.
It's time to talk turkey. We keep bumping in to this problem. How can
we get this discussion started? What umbrella organizations should we
build to facilitate this discussion?
Something has to happen here. Compare the Roadmap documents to ISA-99,
or the DHS operator training. We're barely speaking the same language.
If we can't learn to build a common language and inclusive, industry
specific practices, we're going to continue spinning our wheels. Is
anyone from another utility interested in working with me on this? I'm
tired of seeing the efforts of so many talented people go to waste.
======================================================================
Fair disclosure: I participate in the Water Sector Coordinating Council
Cyber Security Working Group, ISA-99, and the DNP3 Technical Committee
and I'm employed by a large water and wastewater utility.
Jake Brodsky