Following the August Applied Control Solutions Workshop in Knoxville, several utilities and vendors got together to discuss the idea of an "open test bed" for security that would also utilize DOE lab expertise. The concept of an "open test bed" means that all non-proprietary information from the testing would be available to all funders. One utility has been willing to act as a host. We would like to get feedback on the viability of this approach. It is similar in some respects to what was done with the EPRI Instrumentation & Control (I&C) Center.
Joe Weiss
Demonstration Process Control NetworkA Vision
A major debate is raging in the world today about security. Not that security is needed, but rather, how to implement security. The daily news reports provide continuous demonstrations about why we need physical, personal, and cyber security. This includes a dramatic demonstration of cyber incursion aimed at process control systems by Idaho National Labs. We endure a constant barrage of questions on what would happen if, what is wrong and why nothing is being done. The intent of this paper is to provide a solution to some of the questions, including the most difficult question of all, "What if "¦?"
The establishment of a neutral Demonstration Process Control Network (DPCN) deploying process control systems that simulate the real world would provide valuable information and insight on how to more securely deploy such systems for the critical systems. The DPCN would simulate systems supporting: Hydro Electric Generation, Water Delivery, Waste Water Handling, Grid Synchronization, Fossil Fuel Electric Generation, and potentially other process control functions involved in flood control and environmental policy activities.
The DPCN would provide:
"¢ Physical representation of technologies and support systems for a variety of critical infrastructures
"¢ Education on network design, deployment, and maintenance
"¢ Validation and training on best practices
"¢ Incident handling practices and procedures
"¢ R&D test bed for commercially available off-the-shelf (COTS) hardware and software
"¢ Vendor neutral representations of what does and doesn't work
The DPCN would be independent from any specific vendor or industry, but represent the Process Control world in general. Funding and support would be from the various entities that use, make, and require process control systems.
Outcomes and Deliverables:
"¢ A working model with best practices for use
"¢ Updates about changes to the best practices
"¢ Training for all on the best practices, on-site, at the demonstration network, and online
"¢ The ability for all to test and evaluate the model, with the results of those tests fed back into the model and reported out
Costs:
The costs have not been determined in total at this time, but preliminary estimates indicate that annual operating costs would be in the $3-$5 Million range, with initial setup to be in the $2-$3 Million range.
Location: Northern California with possible virtual locations throughout the world
ROI:
Many small entities have little funding left to do the kind of evaluation and R&D to implement strong cyber security and cyber security processes. They could expend small amounts ($5-$10K per year); allowing an organization to do the R&D required providing the information to support appropriate and effective security installations.
Operation and Maintenance
The Demonstration Process Control Network would be maintained and operated by a Board of Directors appointed by the consortium of businesses that establish the network.
Relationship with Government
The DPCN could receive Federal or state funding for specific projects and apply for grants as appropriate.
Relationship with Academic Institutions
The DPCN would welcome partnerships with academic institutions engaged in research and development relevant to process control systems.