Happy New Year to all our loyal blog readers with special thanks to those that contributed through the comments last year.

I enter the year with a strong feeling of optimism for the control system community. There is no irrefutable, or even compelling, set of facts and logical conclusions that I can point to as the source of this optimism, but let me try to point to a few non-obvious reasons:

  • New systems are being deployed with dramatically stronger security. Vendors are getting it, and some of their customers are demanding it. Bandolier gives us a front row seat to this, and a way to help. In some cases it is new security features. This includes providing capabilities that should have been designed in years ago, but in other cases it is advanced features such as host IPS and component-to-component encryption as the default. Bandolier and other efforts are identifying the optimal security configuration for the hundreds of settings, and vendors are actually adding verification of security configuration to FAT and SAT.
  • NERC CIP meets the law of unintended consequences. There are a large number of frustrated control system security professionals about to be unleashed on the community. Every electric utility has been forced to grow a few professionals with control system and security expertise. Some of these came from the IT side; others came from the control system side. Many have been battling with their organizations to do the right thing in terms of security and the spirit, rather than the letter of compliance. Not a small number have been losing to the approach of finding ways to severely limit the cost and corresponding security effectiveness of NERC CIP regulations. These people are and will be looking for work in 2010. When they land in an organization that cares about security we should see a significant improvement in security posture. This may be related to the capitalization of talent.
  • The world is more engaged in control system security. Asia saw a big uptick last year and activity in Europe continued its gains from 2008. In our own little statistic, we have seen an increase in international S4 attendance the last two years. For this January’s S4, 25% of the attendees are from overseas.
  • The community is starting to fight back a bit on FUD and unproductive mandates, while importantly not proclaiming everything is fine. Finding that balance will be key, and the community is just starting to find it. If we pretend everything is fine, then the community will deservedly see more regulation, more hyped scare stories and inefficient allocation of resources. But if we don’t push back when having to report to a regulatory agency on how a single security patch has been applied, or when answering a congressional question “are you secure?”, then the community will deserve what it gets.

There are still huge challenges and many efforts stuck in the mud, such as field device security, but it is often better to focus and throw efforts behind potential successes. More than anything the time just feels right for much more than incremental improvement in 2010.

Best of luck to all in the new year.