First, a disclaimer: I'm not speaking for my employer. What follows are my own opinion and my own questions.
Your "Beltway Bandits" editorial in July seems to criticize the Obama Administration's executive order (XO) for bad advice they'll get from the Beltway Bandits.
Am I reading this right? What, specifically, in the XO evinces or promotes a lack of understanding of the different cyber security requirements for business IT and industrial process control systems? Absent such specifics, I'd think the administration's emphasis on ICS cybersecurity would be helpful. Doesn't that in itself show an awareness of the difference between business IT and ICS cybersecurity?
Charles Timmons
Sr. Process Control Engineer
[Walt Boyes replies]
Thanks for writing, Charlie.
I think you either misunderstood the point of the editorial or (as is more likely) I wasn't completely clear.
First, I not only have no quarrel with the executive order, I welcome it, just as I welcomed other signs from the administration that, for the first time, an administration is doing something besides making motherhood-and-apple-pie statements.
The problem is not the executive order. It is the sweetheart relationships between the U.S. Dept. of Energy (DOE) and the U.S. Dept. of Homeland Security (DHS) and the Beltway Bandits. These consultants have demonstrated over and over that they have no grasp of ICS security, but they're now rallying around the executive order, claiming expertise they don't have, and in several cases pointing out that their point of view is that they should be allowed to hijack the money into the types of IT security they do understand.
One such bandit actually said that he felt that ICS security was unimportant because people could survive without power, water and fuel, but that nobody could survive if the New York banks were hacked out of business!
I strongly disagree with him, and the fact that he went on to call me, among others, purveyors of fear, uncertainlty and doubt (FUD), made me write the editorial.
I have been a strong supporter of ICS security for at least a decade now, and have put my money where my mouth is, serving on ISA 99 among other things.
Does this help?
And Another Thing
[For another take on the Obama Administration's cybersecurity executive order, here is an excerpt from Joe Weiss' Unfettered blog post of July 15]
I've been involved with NIST to one degree or other on ICS cybersecurity since 2000 and on other technical issues long before that. I firmly believed NIST was the best independent organization to be able to develop ICS cybersecurity standards. Unfortunately, I can no longer say that in good faith.
NIST's technical approach dealing with ICS cybersecurity changed with the smart grid cybersecurity efforts because Congress mandated it to oversee, not actually develop, smart grid cybersecurity and interoperability standards. From an ICS cybersecurity perspective, it was not a success.
Fast forward to the current executive order. I met with a number of NIST senior staff in February. Suffice it to say, there was not a clear understanding by them of what makes ICSs different. I watched the first NIST industry session from NIST's Gaithersburg facilities via video and was appalled by the lack of ICS knowledge or formal participation.
Are the politics so thick that NIST can't do a better job of providing appropriate ICS cybersecurity guidance than it did with the smart grid?