More than a year into a program dedicated to bolstering the security of control systems in the United States, a group within the Department of Homeland Security (DHS) is intensifying efforts to round out the field of participants.
The Control Systems Cyber Security Vendors Forum was launched in November 2005 by the Control Systems Security Program, which is housed in the DHS under the National Cyber Security Division.
Members of the program gather on a monthly conference call for an open discussion of the topics that concern the security of the control systems they sell and install. "The invitation is open to all vendors of control systems," explained Jeff Hahn, who handles industry outreach for Idaho National Laboratory, which Hahn characterized as the "managing arm" of the Control Systems Security Program. While the forums have proved successful thus far, Hahn told Managing Automation, "there's a lot of vendors out there that we don't interact with frequently."
Participation is on a volunteer basis, program officials explained. Current members form a who's who of process control vendors, including ABB, Emerson Process Systems and Solutions, OSIsoft, Rockwell Automation, Schneider Electric, Siemens, and Invensys's Wonderware unit, among numerous others.
One of the most oft-discussed topics in the forums, Hahn said, is the issue of communication among the vendors and the government agencies dedicated to the security of the country's infrastructure.
The country, he explained, has 13 critical industry sectors, which range from energy (including electrical and oil and gas) to chemicals to transportation. When it comes to providing homeland security for these sectors, Hahn said, most have a crucial link: Information Sharing and Analysis Centers (ISACs). If the government needs to provide security information to a given sector, it uses the ISAC to disseminate that information.
"Control systems vendors don't have anything like that," Hahn said. They're looking for an avenue to channel important information, he explained, and finding such a conduit has been foremost in the monthly forums.
The task of providing security among control systems has been largely a volunteer effort to date, and venues like the Control Systems Cyber Security Vendors Forum are helping to lead the charge in the absence of government mandates. "We're really at the forefront of trying to solve this cyber issue," said Ethan Hoffman, a public affairs representative for the Idaho National Laboratory.
Hahn said the forum has not yielded any technology transfer among vendors. "They're still competitors, and that's very apparent, but there are places where we need to work together," he explained.
Marty Edwards, industry liaison lead for the Idaho National Laboratory, echoed Hahn's assessment. "Even though you have competitors, they still understand that this is such an important issue that they're willing to get together and discuss topics related to cyber security for control systems," he said.
One outgrowth of the forum Hahn points to is the evolution of the CS2SAT, or Control System Cyber Security Self-Assessment Tool, a program the Control Systems Security Program has been working on for the past two or so years. The CS2SAT comprises a series of questionnaires that a plant manager, for instance, can use to evaluate the level of security present in that plant.
The Control Systems Security Program has used the vendor forum to vet the tool against the security offerings that the vendors can provide, as well as what they may not have factored into their systems, Hahn said.
Another example of a topic discussed is a so-called "procurement language" that the Control Systems Security Program has developed around cyber security issues in various plants. The concept behind the procurement language, according to Hahn, is that a plant operator can use standardized terms developed by the Control Systems Security Program when creating a request for proposal that will go out to multiple vendors. Through the forum, he said, the agency was able to gather input on that language from the vendors, so that when the vendors respond to these RFPs, they understand the plant operator's requests.
The benefit that the monthly forum provides the end users of these control systems, according to Edwards, is the enhanced security of their assets. He said that forum discussions include specifics such as: "this type of system is being targeted, this type of system is vulnerable." When vendors share that information, program officials said, the end result is a stronger defense against threats.
Threats include hackers, terrorists, and insiders looking to cripple vital elements of the country's infrastructure -- and in a cyber environment, officials said, the possibilities for harm abound. The overall objective is to "secure the control systems that play a major role in controlling our critical infrastructure," Edwards said. "The vendors, once they learn of the problem, can also provide the mitigation that needs to be put in place."
The program focuses on guidelines, he noted, not standards.
Initial indications are that the forum is having a positive impact, Hahn said. "We've had a lot of participation," and the numbers have grown. Attendance on the monthly conference calls is typically 15-20 vendors, Edwards estimated. Some participate "very actively," others less so.
Hahn said the Control Systems Security Program is planning a full-day, face-to-face meeting in the early part of March for all who want to attend.
There is no termination date for the forum program, all involved said. One of the most prominent factors in all efforts at cyber security, Edwards said, is that the threat is constantly evolving. "This is something that we're going to have to continue to evaluate and continue to make progress on. There is no end state."