cybersecurity

Safety Conference in Edmonton November 27-29, 2012


IDC Technology is hosting a conference and two half-day workshops in Edmonton later this month, with workshops presented by both Paul Gruhn on Safety system and John Cusimano on "Assessing the Security of Industrial Control Systems Using Threat Modeling" on Tuesday, November 27. This is followed by a 2-day conference that has 17 different presentations, including two by myself but also a veritable "who's who" of the safety industry in Western Canada, including Ken Bingham from ACM Automation.

From 'The Great Kanduski: Best Practices in Industrial Networking'

IT Rules for Cybersecurity of control systems


How far should we go in adopting IT-type rules for the management of cybersecurity on control systems? Will treating a control system as just another set of PCC's (from the IT perspective) cause more problems?

This was originally posted in "The Process Automation Usability Project" by Gary Law. See the responses he got there and contribute with your own here.

From 'The Great Kanduski: Best Practices in Industrial Networking'

The MIT Report on the Electric Grid: Control Systems Were Not Adequately Addressed


MIT issued the report, "The Future of the Electric Grid – An Interdisciplinary MIT Study." Chapter 9 is "Data Communications, Cybersecurity, and Information Privacy." According to the report, the U.S. should implement standards to reduce the risk of cyber attacks on the electricity grid and should designate one agency responsible for overseeing grid cybersecurity. I had an opportunity to both read Chapter 9 and discuss the section with the author Jerrold Gorchow.

From 'Unfettered Blog'

The Illinois Water Hack Is a Test of the System for Disclosure – Is It Broken?


My blog on the Illinois water hack was directly based on a formal disclosure announcement by the Illinois State Terrorism and Intelligence Center - STIC (Note: My blog did not identify the state involved. That disclosure came from DHS). The STIC disclosure was made on November 10; my blog was on November 17 after numerous water organizations told me they were unaware of the disclosure.

From 'Unfettered Blog'

Is the WaterISAC Helping the Water Industry? – The Illinois Water Hack Raises Serious Questions


Per the WaterISAC portal, the WaterISAC (Information Sharing and Analysis Center) is a community of water sector professionals who share a common purpose: to protect public health and the environment. The WaterISAC provides email notifications about threats and any incidents demanding immediate attention. Consequently, one of the driving reasons for writing the blog on the Illinois water system hack Thursday was that the WaterISAC had not yet notified the water utilities.

From 'Unfettered Blog'

Water System Hack - The System Is Broken


Last week, a disclosure was made about a public water district SCADA system hack. There are a number of very important issues in this disclosure:

From 'Unfettered Blog'

Cyber Threat to Control Systems: Are Companies Expecting Too Much Info?


The industry uses the general term "threat information," but during more detailed discussions, it seems that the information companies seek is more like the traditional military concept of "tactical information."

Read this article and let us know if you agree.

From 'Sound Off! Editors' Blog'

GSM Compromised?


The December issue of IEEE Spectrum had a small lead about the following Open Source attempt to hack the GSM phone system. The full article can be found at http://spectrum.ieee.org/telecom/wireless/open-source-effort-to-hack-gsm/0.

From 'The Great Kanduski: Best Practices in Industrial Networking'

Posted Without Comment


This item appeared on Raw Story this afternoon. 

From 'Unfettered Blog'

Worrying About Cybersecurity Nuances


Walt posted this story on Unfettered this morning. Seems like the Solons over at the Wall Street Journal have finally noticed the electrical grid issue. Good for them. Maybe if this story goes mainstream, more pressure to do something will get applied. On the other hand, I'm beginning to think that at least some of the resistance to more cybersecurity measures is not going to come from reluctant utilities or corporate beancounters.

From 'Sound Off! Editors' Blog'