the ICS Cybersecurity Conference
The ICS Cybersecurity Conference closed yesterday. We link to a few articles below likely to be of interest to those who attended, and we'll be publishing more of our own accounts of the proceedings over the course of next week. In the meantime, a few quick reflections on the conference are in order.
The operators of industrial systems continue to believe that cybersecurity remains too IT-centric. This is natural: the cybersecurity sector emerged largely from the larger IT sector, and it brought with it concerns about privacy and information assurance. But the problem the plant operators see is that a fixation on information tends to lead to a disregard of physics, and here they mean the actual physical operation of industrial systems, and the actual physical consequences of system failure ("kinetic consequences," if you wish to borrow common military language). As one of the speakers put it in a bit of quick advice to the security community, "Please forget fail fast. There is no agile. Failure is not an option."
But perhaps some of the usual tropes about mutual misunderstanding between those concerned with IT and those concerned with OT are simply misguided. By yesterday afternoon, as the event wrapped up, there was an emerging consensus that the way to understand the issue is in terms of before-and-after: "before the packet" and "after the packet." What goes on physically before the packet is where the systems' ground truth is to be found, and it's there that one finds the unaddressed security (and safety) issues.