1. Home

Meetings with DOD and Congressional Staffers - March 26-29, 2012

March 31, 2012
I met with DOD and have two new definitions to add to the list of confusing terms.  The first is "data center".  DOD is in the process of consolidating their data centers. Consequently, I asked what is a data center.  Apparently any location with a server and a database can be considered a data center.
I met with DOD and have two new definitions to add to the list of confusing terms.  The first is "data center".  DOD is in the process of consolidating their data centers. Consequently, I asked what is a data center.  Apparently any location with a server and a database can be considered a data center. Several weeks ago, I visited a utility as part of a kick-off meeting on an Aurora hardware demonstration project (the first). As part of a tour we were shown the substation building that housed the IEDs as well as a MicroSCADA (a server). Does this mean that a substation building would be considered a "data center"? The second definition that leads to confusion is Information Assurance- IA.  In the IT world, IA makes sense. In the industrial control system world, the concern is SYSTEM Assurance". How can we be sure the system (be it a power plant, substation, pipeline, etc) is secure? That is, how do we prevent another San Bruno natural gas pipeline rupture, 2008 Florida outage, Hatch nuclear plant shutdown, etc? None of these would have been prevented by a traditional IA program.

The other point that came up was how do you get senior management to understand the difference between IT and control systems?  In the meeting DOD used the terms IT and OT (Operational Technology). Senior management wants to apply IT rules of engagement and IT security approaches to any computer system without understanding the negative impacts IT approaches could have on control systems (OT). This same question arose when I met with Senate staffers later that afternoon. This confusion should not be new to any of us working in control system cyber security. The question is what does it take to get senior management in any organization to understand the unique needs of OT.

I was asked by DOD how do you get an organization to address OT security.  I believe the only chance for OT security to succeed is if senior management drives it. As best as I can tell, there are only a few utilities whose senior management has mandated (actions not words) they be secure, not just compliant.  What a sorry commentary.

I also had an opportunity to meet with several DOD/government cyber policy organizations. The need to understand ICS-unique issues was also prevalent. Even though I did not attend, there were Senate Armed Services hearings on cyber security Tuesday March 27th. From the questions from many of the senators, they also did not understand the unique issues with ICSs.

There certainly is an opportunity for education, hopefully before it is too late.

Joe Weiss

Continue Reading

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.

Latest from Home

shutterstock_1612677316
shutterstock_1358213252
shutterstock_2474268459

Most Read

Sponsored