Unfettered Blog | ControlGlobal Community

Unfettered Blog

Even former ex-CIA officers don't understand ICS cyber security


Mark Sparkman is a former senior officer with the CIA's National Clandestine Service, and is now a senior international affairs analyst with the RAND Corporation. He wrote the article "The Real Cyber Threat" for CNN: http://www.rand.org/commentary/2013/05/21/CNN.html.


ICS Cyber Security is still not understood by the IT community - and it is hurting critical infrastructure


On May 8, 2013, Cheri McGuire, Symantec's Vice President, Global Government Affairs & Cybersecurity Policy, testified at the Senate Judiciary Subcommittee on Crime and Terrorism hearing. She stated: "In my testimony today, I will provide the Subcommittee with our latest analysis of the threat landscape as detailed in the just-released Symantec Internet Security Threat Report (ISTR), Volume 18. Last year, we saw a significant increase in targeted attacks - up 42 percent from 2011, and it is almost certain that this trend will continue in the coming years.


Medical device and pharmaceuticals - where is ICS cyber security


In December 2011, I attended the POLCYB meeting in Los Angeles. A major pharmaceutical manufacturer attended. The pharmaceutical representative mentioned they had not addressed ICS cyber security as they had simply not considered it and there was no regulatory driver.


Counterfeit exida safety certifications discovered


SELLERSVILLE, PA (May 9, 2013) -- exida, an accredited global Certification Body, has discovered a counterfeit certificate falsely claiming that a product meets the functional safety requirements for Safety Integrity Level (SIL) 3 capable per IEC 61508.


ICS Cyber Security - People Are Not THE Answer - Yes they are!


Dale Peterson wrote a blog at www.digitalbond.com stating that "People Are Not THE Answer" to ICS cyber security. I disagree with Dale and have frequently stated that the 75% silver bullet for ICS cyber security is appropriate policies, procedures, training, and architecture. I believe the culture clash between IT and Operations is still the number one ICS cyber security problem. Relying on technology can actually exacerbate ICS cyber security problems and reinforce the cultural divide between IT and Operations.


Lesson learned from the utility test bed - the system is broken


Last week, the utility met with one of their major ICS vendors to determine if the vendor would be willing to support the utility's test bed concept. The purpose of the test bed is to maintain or improve reliability, with security treated as a potential impact on reliability, not the traditional security-for-the-sake-of-security paradigm. The attendees at the meeting were the utility's Operational Technology (OT) manager, a utility engineering supervisor, the ICS vendor's security manager (not an ICS expert), and myself.


Medical device and control system cyber security


I attended the San Francisco Electronic Crimes Task Force Medical Device Security Conference. If they didn't continue to repeat the words "medical device", the conference could have been an electric, water, chemical, mass transit, manufacturing, etc. control system cyber security conference. The issues presented were:
- Culture (engineers not addressing security)
- Legacy vs future devices (old devices are not secure - not clear new devices are)
- Organizational hand-off (silos)
- System of systems (more than just looking at an individual device)


Lessons learned to date on utility testbed


Even though we are just in the preliminary stages, there have been a number of interesting findings:
- Even though there are a plethora of cyber security solution providers, very few actually understand the unique needs of the ICS community.
- Many of the non-ICS technologies, though not developed for reliability, can provide benefits to the ICS community with "minor" modifications.


Where are the control system cyber security solutions???


About a month ago, I issued a call for control system cyber security solutions to be evaluated by an electric utility in an actual utility setting. The utility has power plants, electric distribution and low level transmission, SCADA, Smart Grid, etc. The purpose of the project is to find solutions that can not only provide security, but more importantly, maintain or improve system reliability. To date, I have received about 15-20 responses. Considering how many solutions providers claim to be able to help secure control systems, where are the rest?


The threat to industrial control systems (ICSs) from Physical Persistent Design Features (PPDF)


Industrial control systems (ICSs) were designed for reliability and safety and to enable system operability and functionality. Many ICSs were originally designed before networking was commonplace. Consequently, cyber security was not a design consideration. There actually were many design features that would enable the systems to be more operator-friendly and functional, but with networking these features can be exploited and turned into vulnerabilities.