InfraGard is a nice event because it offers the opportunity to go outside the SCADA security silo. Sometimes hearing problems and solutions in other areas can break limiting and rigid thought patterns.

There are security tracks on GIS, Gangs, Critical Communication, Homeland Security, Cyber Security, Computer Forensics, Financial Industry, Regulatory Compliance, Water Security, Food and Agriculture, Buisness Continuity Planning, and SCADA.

Tommy Thompson Keynote - Pandemic Response Planning

Tommy Thompson, ex-HHS Secretary, was the lead keynote and spoke on Pandemic Response Planning. SARS, which was hard to transmit compared to the flu spread to 3000 people in 17 countries in 45 days. The Secretary focused on the H5N1 as an example and discussed mutation and lack of immunity. Analogies can be made to the effectiveness of a computer virus.

Perhaps most applicable was the discussion of continuity planning and the economic impact of the very limited SARS and a potential pandemic. SCADA and DCS vendors have many contingency plans for chemical spills, hurricanes, fires, etc., but should you have a plan to deal with keeping the control system running in a pandemic? How will you keep the power and water running if no one can or will come to work? Many hospitals closed down during SARS because workers refused to come to work. “Reduced reliability in communications, power, water, fuel availability, transportation service” is an expected effect of a pandemic.

A lot of effort and money is spent on a backup control center, but should some of that effort be spent on a distributed backup control capability. What about stores of food and other supplies, sleeping arrangements, and other logistics for those individuals willing to live at the control center for weeks at a time.

Is this FUD? Well there have been 5 pandemics in the last 300 years and Tommy Thompson said it may not be H5N1, but there will be another pandemic.

Robert Hoffman and Robert Polk, INL

Idaho National Labs (INL) is teaching their half day SCADA Security Course this morning and Thursday morning. About 50 people are registered for the first class.

Franciso Ramirez, DHS/NCSD

Cisco went over the vulnerability disclosure process at US CERT, a frequent topic on this blog. The issue always raises my blood pressure a bit, but some good discussions.

Joanne Ashland, Dyonyx

Joanne is talking about reconnaissance information on SCADA systems that is generally available. Listing lots of places where information is available in public records, permits, press releases and awards, patents, job postings, …

Comment - clearly you want to limit information, but I’m not sure how many of these examples can be avoided. Security should not rely on obscurity, but we do want to limit any help we give attackers. Also, it is helpful to know what the attackers may have at their disposal.

End of day one.