Last week I was up in DC for a semi-annual project review meeting for our DHS funded project to create security events for legacy PLC’s [Quickdraw]. At this meeting you learn about the other research projects funded through the same vehicles. Two had potential interesting application for control system security.

First, ITT has a project called DocuMACS for document-based management, access control and security. The idea is this product will control who can see all or part of the document, prevent copying or editing and even limit access to a certain time period. We hear a lot of questions and concern from control system asset owners on how to control access to the sensitive documents they have to make available for procurement bids. Today’s solutions are primarily procedural with encryption in transit. Being able to provide limited information for a limited time would be useful. Of course, this also is applicable to the information requirements in the NERC CIP regulations.

Second, information sharing is something almost everyone wants, but no one wants to contribute too - - just look at the ’success’ of the ISAC’s and others in this area. The big fear in contributing is your organization will get a black eye. So most would like to look at others info, but not share any. Fabian Monrose and a team at University of North Carolina has a project to test the effectiveness of data anonymization algorithms. The bad news is the current solutions often don’t do that great of a job, but if the community can get objective testing and recommendations for data anonymization perhaps we will be a step closer to information sharing.