The fallacy of the LIGHTS program

April 30, 2012

According to LIGHTS (http://www.infosecisland.com/blogview/20649-Shining-LIGHTS-on-ICS-Cybersecurity.html), "Large asset owners have vastly complex operations and accordingly stringent requirements. The process of assessing their current security status and doing anything about it is similarly resource-intensive. Making a significant improvement in realized security at these organizations often occurs over the long term. Small facilities on the other hand are in most cases relatively simple operations. These facilities require much less resource to achieve much greater improvement in security. As well, unlike large organizations which require significantly customized solutions, solutions for smaller facilities can be highly portable and consistent. The LIGHTS program was created as a means of addressing security for this large number of small industrial operations."

The premise of LIGHTS assumes the following:

- "BIG" companies have very complex systems and can secure their systems

- "LITTLE" companies are not very complex and can't secure their systems

- Solutions for smaller facilities are highly portable and consistent

- Having a SIEM is the "silver bullet"

I have worked with BIG and SMALL asset owners and believe the assumptions are flawed.

- No BIG utilities have addressed the need to implement hardware mitigation for Aurora. The first utility to address hardware mitigation for Aurora is a LITTLE utility.

- It is a LITTLE utility that is the first to be a testbed to implement security for reliability reasons. The LITTLE utility has the SAME equipment as the BIG utilities, just fewer.

- From a control system cyber security perspective, there is nothing unique about being small. This is why ISA99 is applicable to both BIG and LITTLE across all industries.

- SIEM is only a part of the overall solution. Appropriate control system policies and procedures are the closest to a silver bullet solution.

- What is necessary for control system cyber security at BIG and LITTLE facilities are control system cyber security education (in general, missing at BIG and LITTLE) and senior management buy-in (in general, missing at BIG and LITTLE). Without appropriate education and senior management buy-in, any program is fatally flawed.

Ironically, it is the LITTLE utility that is raising the bar for the BIG utilities. The LITTLE utility will present its lessons learned at the 12th Control System Cyber Security Conference the week of October 22nd in Norfolk, VA.

Joe Weiss
