Monday, January 5, 2009
Control System Security is Not IT Security
Joe Weiss has an interesting blog posting over on the ControlGlobal.com web site that briefly discusses the difference between Control System Security and IT Security. It notes that corporate information technology systems are not the same thing as process control systems. Unfortunately, the people addressing cyber security tend to lump these two disparate systems under the ‘Cyber’ heading. This could be clearly seen in the Draft Guidance for the Risk-Based Performance Standards that DHS issued earlier this year. They assumed that what they had learned about security for IT systems was directly translatable to control systems. I recommend that anyone that is looking at security for automated control systems at high-risk chemical facilities should look at the ISA99 Committee on Industrial Systems Security comments submitted on the Draft Guidance Document. They provide a pretty decent discussion about some of the differences between IT and Control Systems security. I took a stab at looking at the requirements for control systems security last spring in a series of blogs that I did on the Federal Energy Regulatory Commission’s Final Rule on their “Mandatory Reliability Standards for Critical Infrastructure Protection”. I’m afraid that my coverage of the FERC standards was less than adequate when it came to the discussion of technical details. I would like to see some more people like Joe Weiss address this issue in more detail. I was a control system user, not a programmer or system engineer. I understood the DCS system that I used just enough to get the information out of it I needed for my process improvement work. The engineers who understand the internal workings of those systems are the ones that need to explain to the rest of the chemical security community what we need to do to secure those systems without seriously upsetting them.