As you've probably noticed, the ControlGlobal site has been having issues. Here on the home front, we call them code salad. Click on the link to an article you want to read, and the first thing you see is line after line of impenetrable code that to the uninitiated makes absolutely no sense. It's really annoying. We know. We apologize.

It's not you. It's us--and our infrastructure. The provider promises the coders are "working on it." Meanwhile, here's a couple of things you should know that might help deal with the worst of it.

Critical infrastructures include water, oil/gas, pipelines, chemicals, manufacturing, telecommunications, transportation, etc. Their continued operation requires the electric utility industry to be available. However, the electric utility industry is also a cyber threat to all of those end-users. That threat is Aurora. As a result, Aurora throws the traditional concept of interdependencies on its ear.

Mark Sparkman is a former senior officer with the CIA's National Clandestine Service, and is now a senior international affairs analyst with the RAND Corporation. He wrote this article: The Real Cyber Threat, for CNN http://www.rand.org/commentary/2013/05/21/CNN.html.

May 8, 2013 Cheri McGuire, Symantec's Vice President, Global Government Affairs & Cybersecurity Policy testified to the Senate Judiciary Subcommittee on Crime and Terrorism hearing. She stated: "In my testimony today, I will provide the Subcommittee with our latest analysis of the threat landscape as detailed in the just-released Symantec Internet Security Threat Report (ISTR), Volume 18. Last year, we saw a significant increase in targeted attacks - up 42 percent from 2011, and it is almost certain that this trend will continue in the coming years.

December 2011, I attended the POLCYB meeting in Los Angeles. A major pharmaceutical manufacturer attended. The pharmaceutical representative mentioned they had not addressed ICS cyber security as they had simply not considered it and there was no regulatory driver.

SELLERSVILLE, PA (May 9, 2013) --exida, an accredited global Certification Body, has discovered a counterfeit certificate falsely claiming that a product meets the functional safety requirements for Safety Integrity Level (SIL) 3 capable per IEC 61508.

Dale Peterson wrote a blog at www.digitalbond.com stating that "People Are Not THE Answer" to ICS cyber security. I disagree with Dale and have frequently stated that the 75% silver bullet for ICS cyber security is appropriate policies, procedures, training, and architecture. I believe the culture clash between IT and Operations is still the number one ICS cyber security problem. Relying on technology can actually exacerbate ICS cyber security problems and reinforce the cultural divide between IT and Operations.

Last week, the utility met with one of their major ICS vendors to determine if the vendor would be willing to support the utility's test bed concept. The purpose of the test bed is to maintain or improve reliability with security being a potential impact on reliability not the traditional security for the sake of security paradigm. The attendees at the meeting were the utility's Operational Technology (OT) manager, a utility engineering supervisor, the ICS vendor's security manager (not an ICS expert), and myself.

I attended the San Francisco Electronic Crimes Task Force Medical Device Security Conference. If they didn't continue to repeat the words "medical device", the conference could have been an electric, water, chemical, mass transit, manufacturing, etc control system cyber security conference. The issues presented were:
- Culture (engineers not addressing security)
- Legacy vs future devices (old devices are not secure - not clear new devices are)
- Organizational hand-off (silos)
- System of systems (more than just looking at an individual device)

Even though we are just in the preliminary stages, there have been a number of interesting findings:
- Even though there are a plethora of cyber security solution providers, very few actually understand the unique needs of the ICS community.
- Many of the non-ICS technologies, though not developed for reliability, can provide benefits to the ICS community with "minor" modifications.