Coming to work on a Monday and finding an email outlining the report of a major cyber security breach affecting an important supplier and its customers is never a good way to start the week. But that's what happened this morning. Late last week and into the weekend, reports began trickling out about a piece of malware apparently targeted at Siemens systems.

The CIPAG Metrics Workgroup for Water was convened by the Water Sector Coordinating Council and Government Coordinating Council to develop a national performance measurement system for the water sector. Consequently, they issued “Recommendations of the CIPAC Metrics Work Group for Water” dated June 2008. It is an extremely disappointing document. The document itself is 76 pages. The term “SCADA” is used 3 times.

I was asked by CSIS, the Center for Strategic and International Studies to prepare a white paper for them as part of their charter to produce recommendations for the non-partisan Blue Ribbon Commission on Cyber Security to present to the next administration, regardless of who wins the November election in the United States.

The white paper, with permission of CSIS, is posted here.

Overall ACS Conference Observations

After a grueling week, I had a chance to collect my thoughts and have the following observations:
- The attendees felt the Conference was a major success and want it to continue.
- People will come if they think there is information of value. Despite the plethora of conferences including PCSF being 3 weeks away and Black Hat being the same week, there were almost 100 attendees representing 9 countries. Industries present included water, electric transmission,...

2008 Applied Control Solutions Conference Blog - Thursday

Here is the Thursday agenda:

• Lessons Learned from Vendor Implementations
• Control System Forensics
• Cyber Threats to Critical Infrastructure-A Different Perspective
• Nuclear Plant Cyber Security Issues

The Thursday highlights included the FBI presentation that included the “Cone of Silence”. This led a very lively discussion on whether the FBI was actually a help or a hindrance as they go a...

2008 Applied Control Solutions Conference Blog - Wednesday

Enclosed is the Wednesday agenda:

• Operations Data Network: How We Did It!
• Patching Issues with Modern and Legacy Control Systems
• Zoning Principals in a Production and Distribution Environment
• AMI Standards and Cyber Security
• Secure Network Architecture for Control Systems
• Cyber Security in the Chemical Sector: Implications for Process Automation
• Reboot Issues

2008 Applied Control Solutions Conference Blog - Tuesday

Here is the Tuesday agenda:

• Congressional Welcome
• Industry Status
• Enabling Control System Security and CIP through Trusted Partnership Between Industry and Government
• Towards a CERT Coordination Center for Control Systems
• Cyber Security Issues with IEDs
• Status of REID Relay for Aurora
• Renewable Energy Power Systems Awareness
• Malicious Control System Cyber Secu...
  

2008 Applied Control Solutions Conference Overview

August 4-7 marked the Eighth Control System Cyber Security Conference.

Times have certainly changed. When this Conference began in 2002, it was the only conference dedicated to control system cyber security, and conferences like Black Hat did not address control system topics.

This year’s attendance was impacted by the proximity of other conferences such as Black Hat (slightly) and PCSF (significantly).

However, there were still approximatel...

Congressman James Langevin, (D) Rhode Island, keynotes the 2008 ACS Cybersecurity Conference....

Congressman Jim Langevin, (D) Rhode Island, because he does not travel much, recorded his keynote on video.  Langevin is the first quadriplegic to serve in the U.S. House of Representatives. At the age of 16, Langevin was injured while working with the Warwick Police Department in the Boy Scout Explorer program.  A gun accidentally discharged and a bullet struck Langevin, leaving him paralyzed.  The tremendous outpouring of support from his community inspired Langevin to give something back and ...