I’ve been talking with Joe Weiss about his Industrial Control Systems Cyber Security Conference. It always attracts thought leaders from government and industry about the topic. This year, it will be held the week of October 22, 2012 in Norfolk, VA hosted by the Virginia Modeling, Analysis and Simulation Center (VMASC).
The main thing about Joe is that he doesn’t talk only about the IT and networking aspect of cyber security, but he also brings in vulnerabilities and challenges around the control system itself.
Highlights of the conference include:
Most discussions on securing ICSs are concerned with new designs or to meet compliance requirements. One domestic utility is concerned with security impacts on the reliability of their legacy ICSs. Consequently, a “test bed” program has been established with various ICS suppliers to secure legacy ICSs for reliability. The utility and participating ICS suppliers will provide lessons-learned and an understanding of the size of the effort.
Aurora is a gap in protection in the electric grid (not just in North America). There has been a lack of implementing hardware fixes for Aurora as well as misunderstanding of what actually occurred with the 2007 Aurora test at the Idaho National Laboratory INL). Consequently, there will be discussions on what actually occurred at the INL test, dispelling myths about Aurora, and providing lessons-learned from implementing hardware solutions for Aurora. As Aurora affects almost every substation, these discussions should be of great interest in meeting expected NERC/FERC requirements.
An international utility has requested a detailed technical assessment of their nuclear plant control and safety system upgrade to understand their cyber vulnerabilities (not for compliance). The assessment is arguably the most comprehensive of any nuclear or non-nuclear plant nuclear plant. There will be presentation on the utility’s rationale for the assessment and the cyber issues identified.
Most discussions on securing ICSs are by security solution providers and do not address engineering issues. Many of the most significant ICS cyber incidents and vulnerabilities are not due to network issues. Consequently, a panel of ICS experts from multiple industries (chemicals, water, oil/gas, power, and DOD) will provide their perspectives on the functional requirements including engineering considerations needed to secure ICSs (security solution providers need to hear this!)
Additional discussions are expected to include:
- New incidents, such as the complete loss of all ICS logic in operating power plants
- Unpublicized water system compromises
- Cyber security of surface transportation systems, chemical plants, pipelines and micro-grids…
- A status of relevant standards for ICS security
- What makes quantifying risk unique for ICS cyber security
- Demonstration of selected ICS vulnerabilities
- International perspectives
- Finally, sponsors will discuss and display their solutions.
For more information on the conference you can click the link above or call (408) 253-7934.