A reader of this blog, Ragnar Schierholz, added a comment to my recent post about the publication of the NIST ICS Security Guide. He noted, as have some bloggers, that the recently published version of the Guide is little different from the draft of the document that was published about three years ago. He then asked if I had noted the very close similarity in the two versions.
I’m sorry Ragnar, I didn’t. The reason is that I never saw the draft document. Three years ago my understanding of ICS security issues was much narrower than it is today. Like much of the user community, I was essentially unaware of the multitude of cybersecurity issues that we recognize as being important today. Three years ago readers of this blog would have read about physical security measures for control rooms and vague suggestions that complete isolation of control systems was ‘becoming difficult’.
My appreciation for the complexities of control system security issues has changed over time, and this has led to increased coverage of those issues in this blog. Hopefully, this has helped to increase awareness of these issues in the user community.
As a number of bloggers have noted, if the user community does not demand increased security in their systems, vendors will likely remain reactive to security vulnerabilities rather than proactively designing more secure systems (I almost wrote ‘secure systems’ there, a misnomer if ever there was one). That demand can only be made if there is an increased understanding of the problem.
So, while the newly released security guide may be little changed from the draft, it is a new document to many of us in the chemical security community. That makes it a valuable addition to any chemical security library.
On a personal note, questions like this one posed by Ragnar make me wonder what security issue I’m overlooking today due to the limits of my knowledge. Hopefully my readers are standing by to help identify those issues for me.