I’m about to touch the 3rd rail of control system security: Joe Weiss. I can’t tell you how many times at industry events, dinners, conference calls or any other gathering of people in the community, a portion of the conversation turns to griping about Joe.
The catalyst for this blog entry is Joe’s recent interview with CNET. I must admit I opened it up and expected to be shaking my head a lot, but I actually agreed with much of it. The sections on anti-virus, passwords, patching and anything technology related were quite wrong in my opinion. Not that they haven’t caused problems, but vendors and asset owners that care have mostly solved the problems he raises. And there is the glass-is-half-full or almost-empty difference, but it is actually a good article with some quality answers that you could give to a C-level executive with a bit of preface.
But as a control system community we have to admit, like it or not, Joe is the loudest and most widely heard voice outside the community. He whispers in congressional reps’ ears, and you hear his thoughts come out of their mouths. He is often the sole control system person at a security event, like the recent East-West Institute (EWI) First World-Wide Cyber Security Summit. And not being shy, Joe will stand up and explain the control system security situation as he sees it. Check out his Unfettered Blog, and you will see a long list of these events, meetings, documents, committees … where he is representing the control system community.
Realize what this means. Many in the government, industry and other areas outside of direct involvement in control systems are getting their first impression and main or even sole source of information from Mr. Joe Weiss.
And good for him. I like Joe. Disagree with him on a lot, but I like him personally and enjoy talking control system security with him. He has been kind enough to be on my podcast a few times, and twice he invited me to speak at his annual event. Joe was clearly the Paul Revere of control system security from 2000 to 2005, and he still has a passion for the topic. I really admire the passion and energy he brings. He should be out there shouting from the rooftops what he believes, and he does, and he is effective. My argument here is not with Joe.
My argument is with the rest of the industry. We need to stop being so reticent. We need to stop being so cautious. We need vendors and asset owners and consultants and industry representatives to speak up in public, on the record, and not in safe and happy talk statements that put people to sleep. And we need to be talking to people outside the community in a way that gets their attention.
I will throw Digital Bond and myself into the fire as well. We are not shy, and there are probably a few gripe sessions about something I/we wrote. But we have never made an effort to go outside the community. Basically we have been trying to pass technically detailed fact, analysis and opinion to the control system owner/operators, vendors and other interested parties. But we have specifically avoided communicating outside the community. This will now change, and I encourage you to revisit this as well.