I had the opportunity to attend and participate in the St. Mary’s University Cyberterrorism Law Conference in San Antonio Wednesday and Thursday. There were several interesting observations:
- Since the focus was cyberterrorism, the conference was heavily tilted the government and DOD.
- The general level of attendee was very senior – several worked in, or still work, in the White House (we don’t get these people for control system cyber security meetings – at least, not yet)
- Several attendees were members of the Blue Ribbon Cyber Commission (we don’t get these people for control system cyber security meetings – at least, not yet)
- Except for one individual, there was very little understanding about industrial control systems and why they were different than IT. The general feeling is they used Microsoft and so they could be secured in a similar manner as IT (déjà vous all over again).
- Two representatives from the Estonian government discussed the cyber attacks that occurred last year. It was fascinating to see how a country could have such a coordinated, coherent response. The attacks were focused on government and banking with no apparent attempt to attack control systems.
- Roger Cressie discussed the newest cyber Presidential Decision Directive. Unless there is substantial input from the industrial control systems community, we will be left behind, again.
All in all, it was very interesting because of the attendees, but same old, same old with respect to control systems.
Joe Weiss