There still are a tremendous amount of wasted cycles in the community discussing and arguing that control system security is different than IT security. So what? Who cares? Isn’t almost everything different?

  • Water (canal) SCADA is different than pipeline SCADA is different than electric transmission SCADA
  • Signature based IDS is different than anomaly detection IDS
  • Emerson Ovation is different than ABB Ranger is different than Areva e-terra
  • Linux is different than Windows
  • ISA is different than NIST is different than PCSF
  • TCP is different than UDP
  • I’m different than I was two years ago
  • EtherNet/IP is different CC-Link is different than DNP3

I’m not sure any general statements that two different things are different are worthwhile. If the point is a professional should have knowledge on the work he or she is about to perform – – is anyone really going to argue against that premise? We would be much better off having substantive arguments about the use of specific security technologies, administrative controls, secure development practices, and even other information technology in control systems. For example, the IBM paper on anomaly detection at S4 and the PI Netflow (data from Cisco equipment) and Packet Capture interfaces have us looking at the real possibility of using existing deployed PI servers to identify changes in communication patterns in control system LAN’s that could be signs of an attack.

I almost fell into the trap of responding to one of those general IT vs. Operations threads, but fearing a smack in the head I avoided it. Hopefully we can all move to more fruitful discussions.