Security Gaps ACS Conference Issue

Wednesday, August 11, 2010 @ 06:08 PM gHale


Safety and performance are the hallmarks of any industrial control system (ICS). But what lingers in the background, and is now becoming a hot issue, is that security for those systems often comes into play after the fact.
That concept really hits home after the Siemens Programmable Logic Controller (PLC) and VxWorks (real-time operating system for ICS field devices) vulnerability disclosures. There truly are significant security gaps in ICSs. Moreover, the differences between IT and ICSs led to conflicting recommendations on the Siemens PLC vulnerability by Microsoft and Siemens. That is just one of the discussions that will occur at the 2010 ACS Conference, September 20-23 at the Hilton Washington DC in Rockville, MD. In addition, NIST will hold a follow-on session September 24.
The Siemens and VxWorks vulnerabilities coupled with the Hatch Nuclear Plant cyber incident demonstrate we are still learning what is unique about ICS cyber security, said Joe Weiss, founder of Applied Control Solutions (ACS). Despite the perception that ICSs look like IT systems, they are not and need to be addressed accordingly. This has enormous implications for the Smart Grid, nuclear plants, and other critical infrastructures.
Industrial control systems must continue to operate – cyber security mitigation cannot have an impact on their mission. Yet, as of today there has been little discussion between the ICS domain experts and cyber security experts to try to prevent the unintended consequences that continue to occur to these critical systems.
In other conference topics, based on the testimony of the chief electronics technician aboard the Transocean-owned Deepwater Horizon, the BP Oil Spill disaster in the Gulf of Mexico was a control system cyber incident. Discussions will include the cyber aspects of the BP incident as they mirror those of the Bellingham, WA gasoline pipeline rupture 11 years ago.
Here are other highlights at this year’s ACS Conference:
• Presentations by end-users providing first-hand experience on actual industrial control system cyber incidents.
• Input and participation from the Navy and Air Force as industrial control system cyber security also directly affects them.
• Presentations by the Nuclear Regulatory Commission (NRC) and FERC.
• Demonstrations of industrial control system cyber vulnerabilities.
• Significant time allocated for open discussions on how to address the problems.
These presentations will only be available to conference attendees.
Additionally:
The ISA 67 Joint working group on nuclear plant cyber security will meet September 20 at the Rockville Hilton.
NIST will hold a session Friday on Smart Grid and the NIST Risk Management Framework (SP800-53, NIST SP800-37, and SP800-39) at the Rockville Hilton.
Click here for the draft conference agenda.
To register for the event, please click here.


