If pigs could fly…

March 12, 2008
I had a telephone and email exchange today with an international electric industry security standards committee that I would like to share. It goes to the heart of the issue that there is little knowledge and understanding of control system cyber security issues and the resulting training that is required.

The recent CIGRE D12.22 Security meetings in Florence, Italy had a presentation that stated “Developing Off-line tools for Risk Assessment” was “Done”. In my estimation, the area of risk assessment for industrial control systems (power systems, power plants, etc.) is not well understood. Consequently, this morning I had a conversation with the developer of the utility’s methodology. He stated it was for the IT infrastructure and not for power systems. Since IT security is reasonably well understood and extends beyond the control system domain, I believe the CIGRE Security Working Group should be focusing on what is not well understood, that is, the control systems domain.

I received the following response from one of the other members of the Committee: “... once the relevant parts have been identified by appropriate personnel with the necessary skills, there is no reason why an IT security risk assessment framework could not be applied, again by appropriate personnel with the necessary skills.”

If control systems weren’t different than IT systems, we wouldn’t be discussing control system cyber security. If those people and skills actually existed within each of the utility organizations, these issues would not be relevant. If… I do not believe there are enough people with requisite skills who understand these issues. I have documented too many control system cyber incidents (including recent events that caused significant impacts) that were caused by inappropriate policies, procedures, technologies, and testing to believe that appropriate personnel and skills exist.

Joe Weiss
