I just posted a news item at Automation World about some new network security products from Siemens Industry. These are, no doubt, good products. We do need to continue to secure our industrial networks.
However, this is not the “final answer.” I believe that just securing the network would not prevent problems such as Stuxnet and Flame. These malware attacks came in at the control system level. They therefore became trusted users of the network. So the network would have little or no power over them.
In addition to network security, we also need to work on control system security. I recently asked Joe Weiss if there was any place engineers could go to learn how to do that. Not surprisingly, I suppose, he suggested his conference. This is a closed-door conference, with nothing made public, where peers can talk frankly about cyber threats to control systems and what seems to be working.
There are also tips. Weiss told me about a client who thought he had a secured DCS, only to discover that it was “security ready,” not “security enabled.” That client needed to do additional work to secure his system. There are many such examples, just as there are many examples of problems where the security of the control system, not necessarily the network, was compromised.
Check out his conference. There are other venues as well. Joel Langill, the SCADAHacker, spoke at The Automation Conference last week. Check out these, and any other venue where you can upgrade your cybersecurity knowledge and skills.