
The ARC Advisory Group invited me to participate in one of the security panels at the annual ARC Forum this week in Orlando. It’s an event I always wanted to check out so I spoke and attended. Here are some brief thoughts from the event.

  • The best part of the event is the large number of ICS owner/operators that attend. This includes many higher-level attendees, people who can drive strategy and decisions.
  • Some of the asset owner attendees presented great case studies. Nothing related to security, but as an example, Pitney Bowes talked about their Big Data efforts, setbacks and successes in the last ten months.
  • The only useful case study on security I attended was from Tyler Williams of Shell. They have been working on security for years and have a program now focused on 11 controls they can measure.
  • In a continuing regrettable string of events, Gregory Touhill from DHS missed or passed on another opportunity to tell this audience their ICS are insecure and need to be upgraded or replaced. Instead he just gave pablum, cyber watch, here are DHS programs, … He’s a good speaker and could have delivered an important and powerful message, but it appears DHS is happy with the status quo as long as we share information better.
  • The vendor exhibits were quite interesting to me as I hadn’t seen some of the newer versions or offerings, such as Bedrock Automation’s new controller, the progress made in the GUI and capabilities of Industrial Defender’s ASM, the NextNine solution that is powering the Yokogawa/Cisco/Shell support, and the PAS application for change control + security.
  • What ARC calls the Industrial Internet of Things (IIoT) was part of almost every session. They are calling existing ICS and ICS functions IIoT. It’s almost impossible to talk about security of the IIoT in a productive manner when everything is IIoT, “everything will communicate with everything” is the main description, and there is no taxonomy or organized set of use cases to discuss specific security needs. I saw very little value in the discussions of securing the IIoT at the event, including my contribution in the panel.
  • The pronouncements on what the IIoT would and should allow or look like were frightening, especially during an ARC keynote on Tuesday. There was about 5 minutes when my jaw was on the floor.

I need at least five long blogs to discuss the IoT issues and what ARC calls the IIoT. I’ll develop those over the next few weeks.

Image by ARC Advisory Group