Wednesday, June 15, 2011

Reader Comment – NIST ICS Security Guide

A reader of this blog, Ragnar Schierholz, added a comment to my recent post about the publication of the NIST ICS Security Guide. He noted, as have some bloggers, that the recently published version of the Guide is little different from the draft of the document that was published about three years ago. He then asked if I had noted the very close similarity in the two versions.

I’m sorry Ragnar, I didn’t. The reason is that I never saw the draft document. Three years ago my understanding of ICS security issues was much narrower than it is today. Like much of the user community, I was essentially unaware of the multitude of cybersecurity issues that we recognize as being important today. Three years ago readers of this blog would have read about physical security measures for control rooms and vague suggestions that complete isolation of control systems was ‘becoming difficult’.

My appreciation for the complexities of control system security issues has changed over time and this has led to increased coverage of those issues in this blog. Hopefully, this has helped to increase awareness in the user community on these issues.

As a number of bloggers have noted, if the user community does not demand increased security in their systems, vendors will likely remain reactive to security vulnerabilities rather than proactively designing more secure systems (I almost wrote ‘secure systems’ there, a misnomer if ever there was one). That demand can only be made if there is an increased understanding of the problem.

So, while the newly released security guide may be little changed from the draft, it is a new document to many of us in the chemical security community. That makes it a valuable addition to any chemical security library.

On a personal note, questions like this one posed by Ragnar make me wonder what security issue I’m overlooking today due to the limits of my knowledge. Hopefully my readers are standing by to help identify those issues for me.


Ragnar Schierholz said...

Hi PJ,

Just to make this clear, my intention was not to point out a lack of understanding on your end. I monitor your blog, because I feel you have something valuable to add. If you still feel you're new to the ICS security community: welcome :-).

I totally agree with your assessment; I very much welcome that this document is finally officially approved by NIST. This does have an impact on its weight: a draft that hasn't been touched or re-released for three years feels a bit awkward to refer to. And if this raises the attention to the document for those people who joined our community in the past two or three years, that is only good.

While I do see that many vendors (at least the bigger ones that I have contacts with, including my employer ABB) are spending significant effort and are making good progress, I do agree that without customer pull this is very hard, if at all possible, to pull off. If you want to justify efforts in a corporate environment, nothing beats customer demand. And we do see quite a heterogeneous mix of customers' security demands across the globe and across the different domains we're supplying to. North America and the Energy, Oil & Gas and Chemical sectors are at the high end of that spectrum, I'd say.



PJCoyle said...

No, I understood the point you were making. I just thought that it was a good launch point about the changing focus on cyber security on the chemical security front.
Thanks for the follow-up comments, too.
