Purchasing Language for SCADA systems…

Todd Stauffer of Siemens and I were discussing the need for critical engineering understanding when applying cybersecurity tools to plant level DCS and SCADA security the other day. Todd reminded me of the fact that there's a government funded organization called the Multi-State Information Sharing and Analysis Center that has produced a soi-disant set of procurement language for SCADA systems that is intended to help end users and EPCs ensure an appropriate level of cybersecurity when they buy and specify SCADA systems. I assume this also applies to DCS systems and simpler plant control systems. MSISAC is a venture of the State of New York and Idaho National Laboratory (INL). Yes, those people who brought you the Aurora video. MSISAC has posted several iterations of their recommended language document which they hope somebody will take and incorporate into real specifications for how to design and purchase cybersecure SCADA systems. What Todd and I were talking about was the need to actually know something about plant and utility control systems before attempting to use this document, in any of its iterations. Todd pointed out that it is entirely possible to specify ALL of the options in the documents, thus making it impossible to actually procure a system at all. What has to happen, when you use documents like this, is you have to have the engineering expertise and sound engineering judgement to be able to use the documents as a template, a framework, and not a stencil. We also noted in passing Boeing's problems with interconnected networks and the new 787 Dreamliner. I have previously noted, in Sound Off! about the folks from Boeing who spoke at ARC...who said that engineers wanted to be able to flash the solid state memories of the avionics systems anytime they wanted to--- and I hope I'm never on a 787 if they are allowed to log onto the avionics and flash the ROMs when the plane is at 40,000 feet. Walt Boyes