Almost everyone in the community, even optimists like myself who have seen impressive progress by some vendors and owner / operators, bemoans the pace of improved security postures across the control system community. And we try to figure out why this is and how to correct it.
So enter a conversation between Bill Simmons, the Sports Guy, and author Malcolm Gladwell.
What we’re talking about is what are called capitalization rates, which refers to how efficiently any group makes use of its talent. So, for example, sub-Saharan Africa is radically undercapitalized when it comes to, say, physics: There are a large number of people who live there who have the ability to be physicists but never get the chance to develop that talent. Canada, by contrast, is highly capitalized when it comes to hockey players: If you can play hockey in Canada, trust me, we will find you. One of my favorite psychologists, James Flynn, has looked at capitalization rates in the U.S. for various occupations: For example, what percentage of American men who are intellectually capable of holding the top tier of managerial/professional jobs actually end up getting a job like that. The number is surprisingly low, like 60 percent or so. That suggests we have a lot of room for improvement.
So what is the capitalization of potential SCADA security talent in the control system community? Cyber security in control systems is often said to be 5, 10, 15 years behind corporate / IT security. Basically, control systems are dealing with problems that corporate IT departments dealt with in the 90’s and earlier this decade. But is this because we lack the talent to do better and catch up in the community? Lack the will? Lack the incentive? Something else?
Having been in the SCADA security world for almost ten years now, I can tell you that one thing most newcomers from IT underestimate is how sophisticated the software is that allows a large, critical system to be reliably monitored and controlled by a couple of operators. The IT “interlopers” see a Windows NT system, old style displays on HMIs, old hardware, … and underestimate the technical feat that has been accomplished. The skills and effort required to develop, customize, deploy and maintain a control system dwarf those needed to put together an effective patch management system, create firewall rulesets, and even monitor networks and detect attacks.
So in my estimation, we have a very low capitalization rate of control system cyber security talent in the control system community. I’ll blog later this week on why I think this has happened, and I’d be interested in your views, loyal blog readers, on the capitalization rate and reasons.
Actually, what we see happening more often is that IT security talent is being introduced into the control system environment. This has been helpful in many cases, and we could also look at the capitalization rate of potential SCADA security talent in the IT security community.