Monday, October 28, 2013

Wrap Up: The 13th Annual ICS Cybersecurity Conference

Another Industrial Control Systems Cybersecurity conference is behind us and, as usual, as documented by founder Joe Weiss, there were signs of a slow awakening to the importance of this topic, mixed with persistent inertia.

You can read highlights from the first two days HERE, and Joe's final day summary HERE.

It was nice to hear that my friend (and very good guy) Johan Rambi from large utility Alliander (based in The Netherlands) was playing such an active role. And this note below reminds everyone that ICS security is not only an energy or power sector problem. As Joe tells it:
Jeffrey Smith from American Axle gave a great presentation about how they have secured (or very significantly improved security) in their factories world-wide. What I felt was so important is their focus was on productivity and worker safety. Security was simply a threat that needed to be addressed so they could operate safely and efficiently.
This is reminiscent of others who point to the two goals one finds most highly valued in a power co, reliability and safety, and urge the security community to tie physical and cybersecurity tightly to those domains from messaging and business case perspectives.

Security practices are funded and run not merely to check compliance boxes, but to give businesses and government orgs Confidentiality, Integrity, and Availability (CIA) for their systems, networks, apps and data ... so they can continue to pursue their missions with confidence and efficiency.

Or to call out a potential ICS-specific update to the perennial security triad the conference produced: adding O for Operational Controls. For this very important and highly specialized domain, it might make sense to reverse the prioritized order of CIA and get the O in there too: AIOC. Ayy-Awk.
