
PCSF: Day Three, Thursday

UPDATE: 6:30PM, Dale

Final Thoughts

PCSF is not perfect, but it is my favorite event in the control system security space by far. One main reason is the number, variety and quality of attendees. The lunch, evening, break discussions were highly interesting and even three days had me scrambling to talk with all the people I’d like to. The venue and schedule helped maximize opportunities for these discussions.

The program was mixed. I was not a big fan of the all-day plenary session on Tuesday. Some of the panels had format challenges. The quality of the sessions may have been down slightly, but that is subjective. There were some very strong sessions, I even missed some of the more highly reviewed ones, and the days with 3 or 4 tracks usually meant something interesting was going on. There may be a need to spice up the next events: more, shorter presentations, perhaps PCSF classic presentations for newcomers, livelier debate and discussion sessions, etc.

I believe it is essential that PCSF continue and grow, mainly because there isn’t a good alternative and starting over would be difficult. The information exchange and education at PCSF is needed. 200 people from 17 countries with little notice the week before Labor Day is impressive. Four tracks on Wednesday and three tracks on Thursday were easily filled, as submissions exceeded the available time. Hopefully whatever issue prevented DHS from attending will be resolved, and whatever format PCSF ends up in can focus on how to make this annual event and other events even stronger.

——-
UPDATE: 6PM, Dale

The Vulnerability Disclosure Workshop followed the panel. There is never a shortage of opinions on this subject. Not sure we made any progress. It was interesting that Daniel and I from Digital Bond were the only ones in the room who would disclose a vuln to anyone besides the vendor [we disclose to US-CERT, and Core had left].

Back to the Plenary to wrap up. A report by PCSF Brazil - - not directly affiliated with PCSF, but there have been interesting discussions about a PCSF Europe and other international locations.

——-
Home stretch.

Jason Holcomb, Bandolier

I started the morning going to Jason’s Bandolier presentation at 8AM for support. Nice job and the presentation will be posted on our site shortly.

Included in the presentation is the updated list of planned Bandolier security audit files. It is great that we were able to add Areva, Emerson Ovation and others to the list. We will update the SCADApedia page shortly.

Vendor Panel

I moved over to the vendor panel already in progress, an interesting group with smart guys and gals from ABB, Emerson, Honeywell, Invensys, Siemens, Telvent, and Yokogawa. Doing a little liveblogging during the Q&A.

- Love the point from the ABB rep on needing to move to Secure by Default.
- The Honeywell rep indicated the lifecycle may need to be reduced from 15 years to 10 years.
- Maybe it is no longer realistic to expect to have a control system with equipment and applications from 20 different vendors, per the Invensys rep.
- Don’t touch your switches, update IOS after installed and working??? Hello, McFly, won’t attribute that comment.
- Interesting comment from Telvent that some of their customers have them physically disable (burn out) the USB ports and other unused ports so they can never be used, even if enabled in software.
- Discussion on encryption, not sure why because as one of the panelists noted integrity is much
- They asked my question: “Do vendors have any obligation to provide security vulnerability mitigation for customers who do not have a current support contract?” Invensys says definitely. Siemens frames it well: out of warranty, no support contract, not current contact info . . . talks about the User Group, “we will always help them in an emergency” - - vague, but it sounds like they will help on a time and materials basis or some other cost basis. They move on to the next question.
- Do you have a 3, 5, 10 year plan? Telvent focused on 5 year plans and defined them a bit. Interesting that they have a plan on how to bolster legacy systems until they are replaced.
