If you've been following the discussions at PCSF (the Process Control Systems Forum) and in the ISA SP99 Standards Committee, you know the answer. If the answer doesn't scare you, you are seriously asleep. So, instead of attending the Sensors Show this week, and attending the SP100 meeting at the Sensors Show, I decided to attend the security forum instead. Glad I did.
The actual meeting starts this morning, but there was a very important session yesterday, led by Eric Byres, formerly of BCIT, now with Wurldtech Analytics (a way to continue working with the BCIT lab Eric founded, yet maintain an "arm's-length" relationship with BCIT).
There were representatives from at least 10 major end-user companies, and all of the major automation vendors.
The purpose of the meeting was to discuss a proposal from ExxonMobil to create a "Consortium for Industrial Security Research and Compliance."
This "consortium" is not expected to produce standards; it is expected to develop significant best practices and benchmarks in the absence of standards, and turn them over to the existing standards bodies for use in assisting standards development.
Discussion pointed to TUV, the Fieldbus Foundation, PTO and the HART Communication Foundation as examples of such a consortium.
The consortium would act like these agencies in that it would produce testing and compliance documents, protocols, and perform actual testing on control system components and systems, first from developed benchmarks and best practices, and later from developed standards.
This appears to me to be a no-brainer "we gotta do this" exercise.
How it is organized, who leads it, all need to be figured out. Keep your eyes tuned to this space for more information in the next week or so.