The Business Case for SCADA Security
The November issue of InTech magazine is filled with interesting articles including the case for a frame relay WAN infrastructure, an overview article on ISA-95 and the emergence of manufacturing execution systems, and a commentary by Joe Weiss on the back page.
Joe’s commentary deals with the difficulty of proving a business case for SCADA security expenditures. Honestly, this is not an issue we deal with very often because organizations that hire Digital Bond have already made the decision to spend money and take the cyber security issue head on. However, I do talk to a lot of SCADA users at industry events who know there are serious vulnerabilities in their systems but can’t even get small budgets for basic cyber security.
This is not a new issue for security professionals: the financial sector had this same problem in the late ’80s and early ’90s. What moved that sector was the establishment of a standard of due care through NIST documents, ANSI X9 standards, OCC audits and other vehicles. At some point it became too risky for bank executives not to spend money on appropriate security. Not spending the money would be a career disaster if a breach occurred.
This is why the SCADA Security standards work is so critical. I just read the draft NERC Standard 1300 (review to follow shortly), and it does a great job of creating a standard of due care for the limited portions of the electric industry it will address.
The harder business case may be for the SCADA manufacturers. We are still no closer to a secure PLC that authenticates the source and the data of each request it receives. What will drive a PLC vendor to develop this capability and absorb the added product cost, plus the cost of the associated key management system? If they spend this money, can they convince SCADA application vendors to integrate a compatible technology? It is hard to make these numbers work.
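To make concrete what "authenticates the source and the data of a request" means at the PLC, here is an added example (not code from Digital Bond, from any PLC vendor, or from the NERC draft). It assumes a pre-shared 256-bit key between master and PLC and a monotonically increasing sequence number in every request; the frame layout, the `build_request` and `AuthenticatingPlc` names, and the sample register write are all constructed for illustration, with only the function code 0x06 (write single register) borrowed from Modbus. The PLC accepts a genuine write, then rejects the same frame with a flipped value, a replay of the original, and a frame built under a different key.

```python
import hmac
import hashlib
import struct

# Constructed pre-shared key for the example. Provisioning and rotating one of
# these per device is the "management system" cost the post refers to.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

TAG_LEN = 16                        # truncated HMAC-SHA256 tag
HEADER = ">IBB"                     # sequence number, unit id, function code
HEADER_LEN = struct.calcsize(HEADER)  # 6 bytes
FC_WRITE_SINGLE_REGISTER = 0x06     # Modbus function code: write single register


def build_request(key: bytes, seq: int, unit: int, function: int, payload: bytes) -> bytes:
    """Master side: frame = header || payload || HMAC-SHA256(key, header || payload)[:16]."""
    body = struct.pack(HEADER, seq, unit, function) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatingPlc:
    """PLC side: acts only on frames whose tag verifies and whose sequence number advances."""

    def __init__(self, key: bytes, unit: int = 1):
        self.key = key
        self.unit = unit
        self.last_seq = 0
        self.registers = {}

    def handle(self, frame: bytes) -> str:
        if len(frame) < HEADER_LEN + TAG_LEN:
            return "reject: short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare. A valid tag proves the sender holds the key
        # (source) and that header and payload were not altered in transit (data).
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        seq, unit, function = struct.unpack(HEADER, body[:HEADER_LEN])
        if unit != self.unit:
            return "reject: wrong unit"
        # The sequence number is covered by the tag, so a captured frame
        # cannot be replayed with a fresh number.
        if seq <= self.last_seq:
            return "reject: replay"
        self.last_seq = seq
        payload = body[HEADER_LEN:]
        if function == FC_WRITE_SINGLE_REGISTER and len(payload) == 4:
            addr, value = struct.unpack(">HH", payload)
            self.registers[addr] = value
            return "ok"
        return "reject: unsupported function"


def demo():
    """Run one genuine write and three attacks against the PLC; return each verdict."""
    plc = AuthenticatingPlc(SHARED_KEY)
    good = build_request(SHARED_KEY, 1, 1, FC_WRITE_SINGLE_REGISTER,
                         struct.pack(">HH", 40001, 500))
    accepted = plc.handle(good)
    # Man-in-the-middle flips the written value but cannot recompute the tag.
    tampered = good[:-TAG_LEN - 2] + struct.pack(">H", 0) + good[-TAG_LEN:]
    tampered_verdict = plc.handle(tampered)
    # Replay of the captured genuine frame: tag verifies, sequence number does not advance.
    replay_verdict = plc.handle(good)
    # Forgery under a guessed key.
    forged = build_request(b"\x00" * 32, 2, 1, FC_WRITE_SINGLE_REGISTER,
                           struct.pack(">HH", 40001, 0))
    forged_verdict = plc.handle(forged)
    return accepted, tampered_verdict, replay_verdict, forged_verdict, dict(plc.registers)


if __name__ == "__main__":
    print(demo())
```

The cryptography here is a few lines; what the post is pointing at is everything around it. The PLC must persist `last_seq` across restarts, the master and every engineering tool that talks to the PLC must hold the key, and the key must be provisioned and rotated without a plant outage. Those pieces, not the HMAC, are where the vendor's cost lands.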
Author: Dale Peterson
Posted: November 28th, 2004 under Uncategorized.