Lessons in Cyber Security
What to ask for
A number of PCSF sessions focused on security activities involving the energy sector. One presentation that drew high levels of interest, for example, came from Gary Finco, SCADA security researcher at the Idaho National Laboratory, Idaho Falls, Idaho. Finco described the development of common procurement language that electric power generators and others can use in requests for proposals, to ensure that security is integrated into control systems that they acquire. “A lot of end-users want to have secure systems, but they really don’t know what to ask for,” said Finco. “So what we were trying to do was give them some ideas.”
The procurement language project began last March, said Finco. A draft document, Version 1.5, was completed last November and is on the Web site of the federal Multi-State Information Sharing and Analysis Center, at www.msisac.org/scada. “We’ve had almost 5,000 downloads of the document since November,” Finco said. The project team is currently taking comments from electric utility asset owners and vendors for suggested changes and revisions to the language, said Finco. The Lab is also working with vendors to develop procurement language that is appropriate to other industry segments, he added, because “one size doesn’t fit all. Oil and gas will be different from power, or from refineries, or from chemical.”
One electric industry-specific session provided a status report on OPSAID, a joint government/industry project to develop an interoperable open system security architecture for potential use by all of the nation’s 3,000 electric utility companies. OPSAID, which stands for Open PCS (Process Control System) Security Architecture for Interoperable Design, is one of various projects of the Department of Energy’s (DOE) National SCADA (Supervisory Control and Data Acquisition) Test Bed. The OPSAID initiative is led by Sandia Laboratories, in Albuquerque, N.M., and includes participation by Entergy Corp., New Orleans, the nation’s fifth largest power utility. The nine-month-old effort, which is using Linux software, has already produced some early deliverables, said Sandia’s Jason Stamp, the project principal investigator.
Push or pull?
Many sessions covered specific PCSF interest group topics. The “Anti-Virus (A/V) Software on Control Systems Interest Group” meeting produced a lively discussion, as vendors and end-user representatives alike debated the best way to deal with A/V software. The merits of “push” versus “pull” models on the control side got plenty of discussion. And some friction between end-user information technology (IT) and control system departments was evident. “We’d rather not run A/V in our control systems, but we have to. IT puts everybody in the same shoe box, and we haven’t had a lot of success with that,” complained a control systems engineer from one major chemical company.
A variety of new products aimed at control systems security were also discussed at the PCSF event. For example, Nate Kube, chief technology officer at Wurldtech, a SCADA security firm based in Vancouver, British Columbia, Canada, and Dale Peterson, director of network security practice for Digital Bond, Sunrise, Fla.-based network security consultants, discussed Wurldtech’s Achilles offering. The ...