Education Question and One Answer
John Saunders with the National Defense University has been one of the most active participants in the control system security education and workforce development area. After seeing him again working on these issues at ICSJWG I wanted to get his view on the best way forward. So we had the following email exchange reprinted with his approval.
My question:
I was curious, as one of the main guys who worries about education and workforce issues in this space, what would be the 2 to 3 things that you feel are achievable in a couple of years that would make the biggest positive impact?
John’s answer:
“Most achievable with biggest potential for impact in 2-3 years:
- Low cost, good quality sector level conference control systems security training: API, AGA, AWWA, Electric Coordinating Councils, regional meetings. I know some of this already exists.
- Catalog of retrofit solutions for distributed systems with example applications.
- Mass mailing of 800-82 to all utilities’ chief control systems engineers.
I doubt that any of these efforts will have serious impact. As long as I have been involved in this field progress has been linear, and not at a very steep slope. I think it will continue that way.”
What would your answer be?
Author: Dale Peterson
Posted: May 10th, 2010 under Big Picture.
Comments: 4
Comments
Comment from Ron Southworth
Time: May 10, 2010, 10:36 pm
Hi Dale,
unfortunately I was not able to attend the ICSJWG conference though I would have really liked to be there. Still looking for my long lost rich uncle to remember me and look after my continuing education and travel expenses (sigh). I was lecturing a new course that I helped create from the ground up, as such maybe I am a bit more optimistic about what is available as resources and I have a greater idea of what can be achieved based upon what I was able to put together (with a fair bit of effort I will admit, but also all in my spare time over the last 6 months). Link below for those interested in finding out more about the course.
I do think that with belts being tightened in industry, how such courses are made available, especially in North America, will require the approach of “taking it to the people”; however, with a more distributed model there can also be a few improvements in how collaboration, information sharing and analysis can be leveraged. I do think that this needs to be part of the way forward in improving awareness and to gain a change in the base level education of our colleagues working in the control systems space. I am certain there is a need for more centres of excellence, something that I will be promoting at every opportunity moving forward as it seems to me to be one way to improve the situation.
Industry is crying out for prescriptive guidance resources and this too is something that will help to make a serious impact. So something more than just mailing out 800-82 is being asked for; people need to know how to implement the standard or standards, not just a copy of the standard.
Another element is the great work you guys have been doing creating the credentialed testing tools, Dale. I am glad that this is receiving some much needed applause and it is certainly a great step forward towards improving baseline security postures.
In order for any of this to be realised, funding has to be found from somewhere to support such programs in order for such changes to be facilitated, and this is where things can get stalled. Investment in this sort of space traditionally comes from government or larger enterprise benefactors. I cannot see any other way of it being achievable. Glad to hear alternate views.
Ron
http://www.unisanet.unisa.edu.au/courses/course.asp?Course=COMP5062&Year=2010
Comment from é
Time: May 11, 2010, 4:48 am
Thanks for this post Dale, it is quite relevant for me, and has got me thinking. I might change my mind a few times over the next week or so, but I’m taking this one to heart. After 20 mins pondering over coffee, I’d say:
1) Cost some incidents. If we can see the money from failure, a lot of people will start paying attention. Alternatively, prove that there is a value add at the procurement stage of adopting ‘security requirements’, and testing at the SAT/FAT handovers.
2) Outreach to university students. Send the computer security folks to the engineering depts, and give networking classes to engineering students. Listen to the engineering Depts too. It needs greater collaboration.
3) Start teaching security professionals about industrial systems. Talk about experiences of security in these industries, and try to make sure they understand their basic skillset is valued here, but they can’t just cut and paste solutions from other industries. In hacking challenges, always try to include a ‘kinetic element’ in the simulation/scenario/challenge. Get the point across that we are now interfacing with a *real world* and not just manipulating data.
Comment from Ralph Langner
Time: May 11, 2010, 6:30 am
As someone who has taught industrial cyber security for years, I’m afraid I have to confirm é’s first observation. An organization gets hit by malware, and suddenly there is awareness and funding, then there is training.
It’s just the way it is, and I believe it’s our own fault. As long as we stress the risk paradigm which centers around incident cost, we shouldn’t complain if people who have never seen incidents (especially big ones) in real life don’t take cyber security very seriously. Remember, engineers have lots of other things to do, especially in a tough economy.
In order to change the picture, I believe it is high time for the scientific community to think out of the box. It’s time for some new concepts and methods which are better suited to engineers than speculations about hypothetical attackers that cannot be backed by any statistically meaningful evidence.
Comment from bryan owen
Time: May 12, 2010, 12:07 pm
Let’s just springboard from the reader poll on white listing.
In 2-3 years it should be possible to establish consensus on a white listing approach as the most appropriate engineering practice for industrial control systems.
This is an area where all stakeholders should be able to find common ground. Everyone has a role to play and can contribute.