On September 9-11, the government of Estonia held the International Cyber Conflict Legal and Policy Conference in Tallinn, Estonia. There were more than 130 attendees from government, academia, industry, and the media. Countries represented included the UK, Austria, US, Turkey, Greece, Germany, Denmark, Spain, Italy, Croatia, Sweden, Norway, Estonia, Finland, Canada, Japan, France, and NATO. Russia chose not to attend. As in previous conferences, I was the only one representing the industrial control systems community. Because of scheduling conflicts, I was only able to attend and participate in the first day’s session.
The Conference was held in Estonia as it houses the Cooperative Cyber Defense Center of Excellence (CCDCOE). The CCDCOE has addressed four case studies: Estonia 2007, Radio Free Europe/Radio Liberty 2008, Lithuania 2008, and Georgia 2008. All were DDoS attacks against the Internet and government websites. Apparently, control systems were not targets of the attacks. However, it is not clear if control systems could have been impacted as unintended consequences of the attacks.
The lack of understanding or appreciation of the difference between business IT and control systems was evident. None of the attendees I met were aware of the number of consequences of control system cyber incidents to date. Generally, they were unaware of the differences and limitations (technical and administrative) between IT and control systems.
I believe there will be more desire to have control systems addressed in the future. I will have Maeve Dion from George Mason University and one of the Conference organizers provide a summary at the October 19-22 ACS Control Systems Cyber Conference.
Joe Weiss