As some may have previously noted, I was able to participate in the Automation Federation’s first annual fly-in to Washington DC in May of 2008. The meeting was a sound success, with a number of follow-ups scheduled as a result of our meetings. The first of these follow-ups came last week, with a sub-team comprised of Ernie Rakaczky from Invensys, Eric Cosman from Dow, Johan Nye from ExxonMobil, Michael Marlowe from the Automation Federation, and myself.
During this visit, we specifically came back to meet with staffers from several senators who are looking into the issues of cyber security for SCADA and process control systems, as well as members from the House Homeland Security Committee. The main topics of discussion were around:
- Why industrial cyber security has been such a challenging issue to address
- What industry, specifically groups like ISA-99, Automation Federation, ASCI, PCSF, NERC, and others have been doing to address these challenges
- Where the US government has been effective in encouraging progress
- What more can government do to support and drive such efforts
There were some very interesting messages that came out. There definitely seems to be growing frustration that industry is not moving along fast enough to address what the government sees as a looming threat. Of course, the dilemma is that the threat information that the government and defense agencies see is typically very sensitive and classified, and doesn’t make it far down into the hands of industry. The government has done some things to help the process, including providing clearance to select people in various companies to try to increase information sharing. The problem here is that if there is a big wall between industry and government, disseminating information to only a select few people, and placing heavy restrictions on what they do with this information, only serves to knock out a few bricks of that wall, or at best move it a ways from center.
With GAO reports such as the recent one concerning TVA, and more coming, it is clear that the US government is taking the issue of SCADA and process control security seriously, and is starting to hold operators of infrastructure accountable. Another example is the FERC (the regulatory arm of NERC guidance), which is lobbying for increased authority; many in government are supporting this action as well, to help drive effective security policies. With over 70% of the nation’s critical infrastructure held in private industries, it is clear to all that in order for real improvement to occur, the government is going to have to get involved and increase sharing and dissemination.
This visit is sure to generate more traction, and meetings such as these have already been very instrumental in knocking down barriers, such as the fact that I now sit on the NERC SAR team for the next revision of the CIP documents as one of the chairs of ISA-99, and the inclusion of such fine individuals as Keith Stouffer from NIST, to help increase industry collaboration and improve information sharing. A CLEAR message from the government is that we asked for more involvement, and now we are getting it, so don’t drop the ball.
I left DC very encouraged by the process. No, it isn’t perfect, yes it is slow, but two things are VERY clear:
- The government is indeed here to help, and they are paying very close attention
- Despite this being an election year, there is considerable pressure and support from both candidates that this will be a hot button item at the executive branch as well as the legislative branches from now on
For the rest of us, it is also clear: This issue is not going away, and the luxury of doing nothing, for those that made that choice, is no longer an option.
To read up on my initial visit and/or learn more about the Automation Federation, please see part 1 of my posts here.