The need for shared responsibility to secure control systems

In order to have a secure control system, it must be designed, built, tested, implemented, maintained, and finally retired in a secure manner. The end-user needs to ask for, and be willing to pay for, secure control systems.  The control system vendor needs to have the competency to develop secure control systems (if necessary in conjunction with security experts). The end-user needs to be able to work with the vendor to certify and assure via test the control system is secure when it leaves the factory. The end-user and system integrator need to assure the system (system of systems) is implemented in a secure manner and tested to assure its security. The end-user (and vendor if necessary) needs to operate and maintain the system in a secure manner.  Finally, the end-user needs to decommission and retire the system in a secure manner.  I also believe the government needs to play a role assisting in the developing and testing of secure control systems and providing appropriate regulation.

For those fixated on Siemens bashing, control system cyber vulnerabilities are not unique to any one vendor. IT students at DePaul University with no control system background had little trouble compromising Allen Bradley hardware. What control system vendor wants to be under the microscope next?

Joe Weiss