Meetings with DOD and Congress on SCADA Security

Monday, April 09, 2012

Joe Weiss


I met from March 26-29, 2012 with DOD and have two new definitions to add to the list of confusing terms. 

The first is "data center".  DOD is in the process of consolidating their data centers. Consequently, I asked what is a data center.  Apparently any location with a server and a database can be considered a data center.

Several weeks ago, I visited a utility as part of a kick-off meeting on an Aurora hardware demonstration project (the first). As part of a tour we were shown the substation building that housed the IEDs as well as a Micro SCADA (a server).

Does this mean that a substation building would be considered a "data center"? The second definition that leads to confusion is Information Assurance- IA.  In the IT world, IA makes sense. In the industrial control system world, the concern is SYSTEM Assurance".

How can we be sure the system (be it a power plant, substation, pipeline, etc) is secure? That is, how do we prevent another San Bruno natural gas pipeline rupture, 2008 Florida outage, Hatch nuclear plant shutdown, etc? None of these would have been prevented by a traditional IA program.

The other point that came up was how do you get senior management to understand the difference between IT and control systems?  In the meeting DOD used the terms IT and OT (Operational Technology).

Senior management wants to apply IT rules of engagement and IT security approaches to any computer system without understanding the negative impacts IT approaches could have on control systems (OT).

This same question arose when I met with Senate staffers later that afternoon. This confusion should not be new to any of us working in control system cyber security. The question is what does it take to get senior management in any organization to understand the unique needs of OT.

I was asked by DOD how do you get an organization to address OT security.  I believe the only chance for OT security to succeed is if senior management drives it. As best as I can tell, there are only a few utilities whose senior management has mandated (actions not words) they be secure, not just compliant.  What a sorry commentary.

I also had an opportunity to meet with several DOD/government cyber policy organizations. The need to understand ICS-unique issues was also prevalent.

Even though I did not attend, there were Senate Armed Services hearings on cyber security Tuesday March 27th. From the questions from many of the senators, they also did not understand the unique issues with ICSs.

There certainly is an opportunity for education, hopefully before it is too late.

Cross-posted from's Unfettered Blog - copyright 2012 and ff by Putman Media Inc. All rights reserved.

Possibly Related Articles:
Industrial Control Systems
SCADA Utilities DoD Cyber Security Infrastructure Data Center Congress National Security Industrial Control Systems Operational Technology
Post Rating I Like this!
Michael Thibodeaux Interesting posting...finally the DoD has perked up their ears. I have not found any instructions pertaining to ICS. Actaully my last attempt was to call the US Cyber Command to ask questions about this issue and they refered me to the DHS.

This was great as the DoD does not even recognize that they are using ICS.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.