I had a telephone and email exchange today with an international electric industry security standards committee that I would like to share. It goes to the heart of the issue that there is little knowledge and understanding of control system cyber security issues and the resulting training that is required.
The recent CIGRE D12.22 Security meetings in Florence, Italy had a presentation that stated “Developing Off-line tools for Risk Assessment” was “Done”. In my estimation, the area of risk assessment for industrial control systems (power systems, power plants, etc.) is not well understood. Consequently, this morning I had a conversation with the developer of the utility’s methodology. He stated it was for the IT infrastructure and not for power systems. Since IT security is reasonably well understood and extends beyond the control system domain, I believe the CIGRE Security Working Group should be focusing on what is not well understood, that is, the control systems domain.
I received the following response from one of the other members of the Committee: “… once the relevant parts have been identified by appropriate personnel with the necessary skills, there is no reason why an IT security risk assessment framework could not be applied, again by appropriate personnel with the necessary skills.” If control systems weren’t different from IT systems, we wouldn’t be discussing control system cyber security. If those people and skills actually existed within each of the utility organizations, these issues would not be relevant.
If…
I do not believe there are enough people with requisite skills who understand these issues. I have documented too many control system cyber incidents (including recent events that caused significant impacts) that were caused by inappropriate policies, procedures, technologies, and testing to believe that appropriate personnel and skills exist.
Joe Weiss