CAVEAT: Read the document. There is a lot of good stuff, I’m just nit-picking things that drove me crazy upon first glance.

While there is no question that the Roadmap to Secure Control Systems in the Energy Sector is an impressive effort led by some of the thought leaders in SCADA Security, some of the timing on milestones really left me scratching my head:

2009 - Secure connectivity between business systems and control systems within corporate network.

I’m speechless. Then again, I remember finding it hard to believe when one of my colleagues several years ago said that 75-80% of his customers had only a router (with no access lists) between their process control and business network.

2014 - Security Test Harness available for evaluating next generation architectures and components

“Test Harness” is one of those lovely terms that has 10 different meanings if you talk to 10 different people. How about existing components? Widespread component-level security testing is clearly a short term effort that is achievable in less than 2 years. But I would also caution of the “bright shiny tool” panacea. Executives (and researchers!) often get the idea that if we just had “the tool” all our problems would be solved. And, testing “architectures” and components are two different problems–and shouldn’t be used in the same sentence. Process, process, process! I was extremly disappointed to see that “Secure Development” practices did not get mentioned anywhere in the document.

2010-2015 - Develop source-code vulnerability detection tools for SCADA, EMS, DCS.

There is definitely a place for source code auditing tools, but these are not the only (or even the most scalable) technique for identifying security vulnerabilities. Source code analysis isn’t terribly cost effective if you have a diverse product suite that run on multiple hardware architectures, half-dozen operating systems, and development languages. I remember this came up in an I3P workshop back in 2002. There were some CSO’s of big IT companies (you correctly ask yourself, as I did, what I was doing there) sitting around the table and their eyes were literally gleaming talking about source coding auditing tools were going to solve the problem. Sigh.

Still this technology is available now to do this. No need to wait.

2010-2015 - Develop firewalls, gateways, IDS , and other security technology for control system environment?

Hmm… Last year maybe? This is not a long term research problem. But maybe it is this far out because finally then there will be a “business case!” (Inside joke!)