One of our goals for the first Gathering is to foster better connections for building security features into industrial control systems. We’re not unique this way; PCSF did it before us, as did (and continue to do) other numerous alphabet soup groups. Key among these groups is the social aspect of who is doing what and where these days. People are building connections and, yes, we will continue to foster this growth.
So, the connections are growing. Now what? It would be nice if people thought ahead and worked toward a few common goals, wouldn’t it? That’s one of things that will make this Gathering different. The technical sides to the control systems security problem are being identified and dealt with. But for the most part, we’re still stumbling around in the dark.
Let’s shine some light on the issue…
First, we need better intelligence. I’m not talking about the hush-hush secret decoder ring stuff. I’m talking about the sorts of things we can learn by sharing public information. Most intelligence agencies get a great deal of traction simply by reading newspapers from around the world, looking at what books are in the libraries, studying what the schools are teaching; and by studying the backgrounds of leaders, both current as well as up and coming. It’s not espionage, it’s simply a matter of understanding who the people are in the country, what motivates them, and what resources they have.
So when I say that we need intelligence, I’m not talking about espionage. What I’m talking about is an open source data gathering methodology. What are the jobs that each critical infrastructure sector has? What proportions of staff are used for what? What resources do they use to get those jobs done? What problems do they have, and who is busy working on them, and what are they bringing to the table?
I’m also talking about studying incidents (and learning from them). Whether these incidents were control systems related or not, they still bear some level of study. It shows us who is working on what equipment, what training they have, what mistakes were made (design, operation, installation, etc.) and what the consequences are. At the end of the day it will enable engineers to design better control systems with more useful human interfaces.
Second, we need to get the group to integrate this data into useful, actionable information. This requires many talents; more talents than one person is likely to have. That is where the connections fit in. We want to encourage people to recognize each other’s experience, strengths, and training. By that, I’m not talking about certificates, or graduation from some school, but real hard nosed experience from real-life situations. So if you’re a senior plant operator with a 15 year history on the floor of a facility, we want to hear what you have to say. If you’re a security researcher who has found numerous problems in embedded software, we want you too. If you’re an embedded systems programmer who knows the ins and outs of using embedded ‘C’ on various micro-controller platforms, we want you too. If you’re an integrator or OEM who has installed numerous control systems, we need to hear from you too. And if you’re not on this list and still think you have something to contribute, by all means come along and introduce yourself. If at all, perhaps, you may meet people who are in the same boat as you.
The point is to get people together and talking to each other so that we can make the most sense of what we’re going to find. That’s the first goal.
The second goal is to start conducting our own research. I’m not interested in the specifics of each and every flaw that we find, I’m interested in categorizing them and finding common solutions to them. Most of you probably know that office IT models often do not fit well on a plant floor. We may be able to learn a thing or two from the office IT experience, but we’re still going to have to start from scratch.
Some of this research will involve gathering anonymized traffic samples from various industrial network equipment. Some of this research will involve testing older products such as obsolete programmable logic controllers, newer products, such as an ultrasonic level gauge, as well as brand new prototypes, such as an industrialized firewall.
Some of the research may include the testing of tactics. For example, if we install a deliberate bandwidth throttle and an intrusion detection system, is it reasonable to expect someone to act in time to prevent an attack against the control system?
There are many other ideas to be researched. What we’re trying to do is to build a group of people who can help themselves build better more useful, and more secure control systems for our critical infrastructure.
And that’s the second goal of the Gathering.
Of course, the third goal is obvious: you never know what might come from the casual sharing of a war story or three at this Gathering, so I encourage you to bring a few good ones with you. If our President can forge new understanding over a few beers, I think we ought to do the same.