Answers to Security Questions

Back at the end of February I did a brief posting about a then upcoming article in Control magazine that was going to look at two questions, or aspects of control system security. The Editor of the magazine was asking for answers to two questions that would then be used as a jumping off point to look at SCADA security and compliance. Those questions were:

How much security do you need to be really secure? What’s the difference between "compliance" and "security"?

Well, last week the article (A Distinction with a Difference in Functional Security, pgs 37-9) came out in the April issue of the print magazine. The article is also available at ControlGlobal.com. Additionally, the editors posted a separate listing of answers that they received to their query on the web site that is not available in the print addition (space limitations are not as important on the web). While the article is certainly well worth the read (I recommend it highly), the actual responses they received from their wide cast net is even more instructive. The responses from a wide variety of experts in the field (though they did include my response and I am hardly a SCADA expert) show a surprising consensus on the distinction between compliance and security. As the chemical security community waits for the release of the Risk-Based Performance Standards Guidance document and the opening of the Site Security Plan Tool on CSAT, this would be a good time for security managers to read both documents on the ControlGlobal.com web site. As facilities begin to respond to their compliance duties with the next phase of CFATS, it would be good to be reminded that CFATS compliance does not insure adequate security. Both security and compliance need to be addressed during the development of the Site Security Plan.