Mark Weatherford, Under Secretary for Cybersecurity at the Department of Homeland Security, offered comments as the morning keynote speaker on the second day of the Industrial Control System Joint Working Group (ICSJWG). Weatherford is the former Chief Security Officer at the North American Electric Reliability Corporation (NERC) and therefore has some knowledge of control system and their security vulnerabilities. Mr. Weatherford stressed a theme of partnerships and information sharing between industry and government, noting that nearly 85% of the critical infrastructures in the US are owned by the private sector. He stated the we need to raise the nation’s cybersecurity IQ, not only with the general public but also with regulators and Congress. He also acknowledged that cybercrime nets more money for criminals than the cocaine, heroin and marijuana industries combined, worldwide. Mr. Weatherford also pointed to the inter-dependencies with the critical infrastructures in the US. Security in the electric sector cannot be accomplished without considering the communications that link electric system devices.

Regarding legislation currently before Congress on this issue, Mr. Weatherford stated that there is a place for government enforcing cybersecurity standards, but the government should not presume that they can write these standards for control systems. Government must still rely on industry for standards and best practices. When asked if vendors should be held accountable for insecure products, Mr. Weatherford responded that industry is making great strides in delivering secure systems, but industry is still accountable for deploying and correctly configuring these systems. If security settings are turned off because they are inconvenient, then the user is to blame, not the vendor.

The Industrial Control Systems Joint Working Group (ICSJWG) has created a consolidated document; a sector independent roadmap. This Cross-Sector Roadmap was conceived and developed over the last two years by industry and government thought leaders that saw the need for a unifying Roadmap to secure control systems across all critical sectors. Version 3 of the consolidated roadmaps is available for download. The document aids entities in creating a cybersecurity plan that incorporates the unique environment of control systems. The document is an excellent addition to a utility’s cybersecurity reference library and is available here.
  Read more »

UTC will again be attending a face-to-face meeting of the Industrial Control System Joint Working Group (ICSJWG) in early October in Long Beach. The group falls under the Department of Homeland Security and is working on sector specific security issues, while merging security roadmaps into a single control system security document.

The draft meeting agenda can be found at the following web site; board members with specific interests, questions or concerns on these topics should contact Klaus Bender prior to October 1 and we will raise those issues at the meeting: http://www.us-cert.gov/control_systems/icsjwg/ICSJWG-2011-Fall-Conference_Agenda_7Sept2011_DRAFT.pdf