the ICS Security Conference
Yesterday's ICS Cybersecurity Conference highlights included the annual State of the State address by ICS thought leader Joe Weiss, of Applied Control Solutions. He sees widespread challenges in the industrial control system security field as a whole. In particular, he deplored the ways in which IT security has taught the ICS community lessons he believes can be more misleading than helpful. "Our challenge isn't information assurance; it's mission assurance." The engineer's job is safety and availability. Fundamentally the engineer doesn't care whether a disruption arises from malice, error, or act of God: as long as it disrupts operations or affects safety, it must be dealt with. The consequences of failing to do so can be not only expensive, but in the worst cases lethal.
A brief excursus on Purdue's ICS reference architecture. If you're like most of us, you may not have given much thought to the security of Level 0 or Level 1, those closest to the physical processes in plants, but rest assured, others have. Yesterday Weiss shared a "like" he'd received on LinkedIn for a DefCon presentation on ICS issues. It came from an Iranian water supply system manager. What does this mean? (Apart from telling us that Joe is huge in Tehran, which anyone might have guessed.) Iranian water utilities certainly have as legitimate an interest in protecting their operation as anyone else, but the "like" also suggests that unaddressed ICS vulnerabilities haven't escaped the attention of nation-state adversaries.